How to set up Jenkins SSO with Azure AD (Azure Active Directory) Single Sign-On. In this post we look at Jenkins, one of the most popular open source automation servers, and at how it integrates with cloud identity services. Specifically, we explain how to set up Jenkins SSO (Single Sign-On) with Azure Active Directory. This is a detailed user guide that walks through the configuration on both the Azure AD side and the Jenkins side. Let's get started.
Before we dive into the configuration, a brief introduction to Jenkins:
What is Jenkins Server?
Jenkins is a popular open source automation server that helps developers automate the software development process: building, testing, and deploying. It also provides continuous integration and continuous delivery of software components. It is a server-based system that runs inside a Java servlet container; the bundled default is Jetty (via Winstone), and Apache Tomcat is a common alternative.
Jenkins plugins allow Single Sign-On (SSO) integration with ADFS, Okta, Keycloak, Azure AD B2C, Salesforce, Oracle, IBM Cloud, OneLogin, Auth0, and any SAML 2.0 identity provider. This post uses the Azure AD plugin, which signs users in with an OpenID Connect ID token issued by Azure AD and looks up users and groups through the Microsoft Graph API.
Set up Jenkins SSO (Single Sign-On) with Azure AD - Azure Active Directory
In this section we walk through the Jenkins SSO setup with Azure Active Directory.
Prerequisites
To register the application you need an Azure AD role that can create app registrations and grant tenant-wide admin consent for the API permissions described below. A Global Administrator can do both; note that an Application Administrator can create the registration but cannot grant admin consent for Microsoft Graph application permissions.
If you already run Jenkins, go to Manage Jenkins -> Plugins (Manage Plugins on older versions) -> Available plugins, search for the Azure AD plugin, install it, and restart Jenkins.
If you already have an Azure AD tenant, open the Azure portal -> Azure Active Directory -> App registrations -> New registration to create the application for Jenkins, as shown in the image below:
Now give your Azure AD application a name. You can see several Jenkins applications already registered in my demo tenant (see the image above); name yours accordingly.
Choose which account types may use the application. For a private IT environment select "Accounts in this organizational directory only" (single tenant): a multi-tenant registration would let users from any Azure AD tenant authenticate successfully, leaving only the Jenkins authorization matrix between them and your build server (and any permission granted to "Authenticated Users" would include them).
Choose the platform for the redirect URI (Web; the other options such as iOS and Android are for mobile and native clients) and register the application.
Once registered, open the application page -> Authentication -> Add a platform -> Web and enter the redirect URI https://{your_jenkins_host}/securityRealm/finishLogin. If your Jenkins instance is only reachable on an internal hostname, use that hostname: the redirect is followed by the user's browser, so Azure AD never needs to reach Jenkins, only the browser has to resolve the name. Azure AD accepts only https redirect URIs for web platforms (localhost excepted), as shown in the image below:
Under "Implicit grant and hybrid flows" tick ID tokens, and make sure "Supported account types" still says single tenant.
Azure AD Application API Permissions
Now go to API permissions -> Add a permission and add the following:
1. Azure Active Directory Graph: Directory.Read.All / Delegated
2. Azure Active Directory Graph: Directory.Read.All / Application
3. Azure Active Directory Graph: User.Read / Delegated
4. Microsoft Graph: Directory.Read.All / Delegated
5. Microsoft Graph: Directory.Read.All / Application
6. Microsoft Graph: User.Read / Delegated
Two caveats: Azure AD Graph has been retired, so a new registration should use the Microsoft Graph entries only; and Directory.Read.All is a broad permission. The second walkthrough later in this post gets by with the narrower User.Read.All, Group.Read.All, People.Read and User.Read, so prefer the smallest set that works with your plugin version.
Click "Grant admin consent for <your tenant>"; application permissions are not effective until an administrator has consented.
Then go to Certificates & secrets -> New client secret. Pick an expiry you can track: the secret has to be rotated in both Azure AD and Jenkins before it expires, or logins stop working.
Note: the secret value is displayed only once, immediately after you create it, so copy it then. Treat it as a password: anyone holding it can call Microsoft Graph with the application's permissions. Besides the secret value you need two identifiers from the application's Overview page:
a. Application (client) ID (this is the Client ID in Jenkins)
b. Directory (tenant) ID
Go to your Jenkins instance -> Manage Jenkins -> Configure Global Security (called Security in newer releases).
In the Security Realm section, choose Azure Active Directory.
Enter the Client ID, Tenant (directory ID) and Client secret you recorded and click Apply.
Note: Apply writes the settings to disk just like Save, so the real safeguard is your current session: keep this admin tab open until you have confirmed that a login through Azure AD works, ideally tested from a second browser or a private window. If something is wrong you can still edit the settings here instead of being locked out.
If you are fine with the settings, go to the Authorization section and select Azure Active Directory Matrix-based security. Enter a user name or group name that exists in Azure AD; it should appear in the suggestion list. Give yourself, or an admin group you belong to, Overall/Administer before saving, otherwise nobody can administer Jenkins after the next login.
If the autocompletion works, the plugin can reach Microsoft Graph with the credentials you entered and your settings are fine; save them.
If you lock yourself out or the security settings are otherwise broken, disable the security realm in the configuration file config.xml with the following steps:
Firstly, stop the Jenkins service.
Then go to $JENKINS_HOME on the file system, back up config.xml, and open it for editing.
Search for the element <useSecurity>true</useSecurity>.
Change its value from true to false.
Then remove the <authorizationStrategy> and <securityRealm> elements, including everything between their opening and closing tags.
Now restart Jenkins. At this point security is switched off entirely: anyone who can reach the Jenkins URL has full access, so keep this window short and do it on a network you trust.
Then switch back from open access to authenticated access: go to Manage Jenkins -> Configure Global Security and re-enable the Security Realm and the Authorization strategy with corrected settings.
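The recovery steps above as a script, added here as an example (it is not from the original post or from Jenkins). It backs up config.xml before touching it, writes the result through a temp file that keeps the original owner and mode, and handles the case where the realm or strategy element is written on a single line (a self-closing tag), which a naive multi-line delete would turn into "delete to end of file". It assumes a POSIX shell with sed, that Jenkins is stopped, and the usual one-element-per-line layout of config.xml; the two sample files are constructed for illustration and the plugin class names in them are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post or Jenkins): the config.xml recovery
# steps as a script. Backs up config.xml, sets <useSecurity> to false and removes
# <securityRealm> and <authorizationStrategy>. Run it with Jenkins stopped.
# Assumes a POSIX sh with sed and the usual one-element-per-line layout of config.xml.
set -eu

disable_jenkins_security() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
  backup="$cfg.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$cfg" "$backup"
  tmp="$cfg.tmp.$$"
  cp -p "$cfg" "$tmp"        # temp file inherits owner/mode, so Jenkins can still read the result
  # Rule order matters: a self-closing element (<securityRealm class="..."/>) or an
  # element opened and closed on one line is deleted before the multi-line range rule
  # runs; otherwise the range would wait for a closing tag that never comes and eat
  # the rest of the file. Writing via the temp file also avoids GNU/BSD 'sed -i' differences.
  sed \
    -e 's#<useSecurity>true</useSecurity>#<useSecurity>false</useSecurity>#' \
    -e '/<securityRealm[^>]*\/>/d' \
    -e '/<securityRealm.*<\/securityRealm>/d' \
    -e '/<securityRealm/,/<\/securityRealm>/d' \
    -e '/<authorizationStrategy[^>]*\/>/d' \
    -e '/<authorizationStrategy.*<\/authorizationStrategy>/d' \
    -e '/<authorizationStrategy/,/<\/authorizationStrategy>/d' \
    "$cfg" > "$tmp"
  mv "$tmp" "$cfg"
  echo "security disabled in $cfg (backup: $backup)"
}

# Constructed sample resembling a config.xml with the Azure AD realm and the Azure AD
# matrix strategy configured (class names and IDs illustrative, not real).
sample_config_azure() {
  cat > "$1" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <numExecutors>2</numExecutors>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="com.microsoft.jenkins.azuread.AzureAdMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin@example.com</permission>
  </authorizationStrategy>
  <securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
    <clientId>00000000-0000-0000-0000-000000000000</clientId>
    <tenant>11111111-1111-1111-1111-111111111111</tenant>
  </securityRealm>
  <slaveAgentPort>-1</slaveAgentPort>
</hudson>
EOF
}

# Constructed sample for the edge case: strategy and realm written as self-closing tags.
sample_config_oneline() {
  cat > "$1" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
  <slaveAgentPort>-1</slaveAgentPort>
</hudson>
EOF
}

# Usage: sh disable_jenkins_security.sh "$JENKINS_HOME/config.xml"   (with Jenkins stopped)
#        sh disable_jenkins_security.sh --demo   (dry run on the constructed sample in a temp dir)
case "${1:-}" in
  "")     ;;                                   # sourced or run without arguments: define functions only
  --demo) d="$(mktemp -d)"; sample_config_azure "$d/config.xml"
          disable_jenkins_security "$d/config.xml"; cat "$d/config.xml" ;;
  *)      disable_jenkins_security "$1" ;;
esac
```

After the script has run, start Jenkins, confirm that you get in without a login prompt, and re-enable the realm and authorization strategy straight away; the backup file next to config.xml contains the encrypted client secret, so delete it once the new configuration is saved.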
We are not yet finished. If you are new to Azure, the app registration is where most problems happen, so here are the Azure portal steps once more, one by one:
First, open Azure Active Directory -> App registrations.
Click New registration.
Add the redirect URI https://{your_jenkins_host}/securityRealm/finishLogin. Make sure the Jenkins URL under Manage Jenkins -> Configure System is set to https://{your_jenkins_host}: the redirect URI Jenkins sends at login is derived from it, and Azure AD rejects a login whose redirect URI does not exactly match a registered one.
Next, open Certificates & secrets -> New client secret to generate a new secret, then copy the secret value; this value is the Client secret in Jenkins.
Open Authentication -> Implicit grant and hybrid flows and enable ID tokens.
This step is optional: to enable Azure AD group support (so that groups can be used in the authorization matrix), open Manifest, change "groupMembershipClaims": "None" to "groupMembershipClaims": "SecurityGroup", and save.
Now you need to set up the Azure AD permissions; to do this follow the steps below:
For the plugin to look up users and groups, the application needs Microsoft Graph API permissions.
Click API permissions.
Click Add a permission.
Select Microsoft Graph.
Choose Application permissions.
Add User.Read.All and Group.Read.All. People.Read exists only as a delegated permission, so add it under Delegated permissions. Finally, grant admin consent as before.
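The portal steps in both walkthroughs above (registration, redirect URI, ID tokens, group claims, Graph permissions, admin consent, client secret) can be scripted with the Azure CLI. The script below is an added example, not code from the original post or from the Jenkins plugin. It assumes Azure CLI 2.37 or newer, an existing `az login` session with a role that may grant admin consent, and a Jenkins instance served over HTTPS; the `RUN_REGISTER`, `JENKINS_URL` and `APP_NAME` variables and the function names are this example's own. It uses the narrower Microsoft Graph permission set from the second walkthrough and resolves permission IDs by name rather than hard-coding GUIDs.

```shell
#!/bin/sh
# Added example (not from the original post or the Jenkins plugin): register the
# Azure AD application for the Jenkins Azure AD plugin with the Azure CLI.
# Assumptions: Azure CLI >= 2.37, an 'az login' session with a role that can grant
# admin consent, and a Jenkins URL that users' browsers reach over https.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known app ID of Microsoft Graph

# Redirect URI the plugin uses: https://{jenkins}/securityRealm/finishLogin.
# Azure AD accepts only https redirect URIs for web platforms (localhost excepted),
# so a plain-http Jenkins URL is refused here instead of failing later at login.
jenkins_redirect_uri() {
  base="${1%/}"                                  # drop one trailing slash
  case "$base" in
    https://*) printf '%s/securityRealm/finishLogin\n' "$base" ;;
    *) echo "refusing non-https Jenkins URL: $1" >&2; return 1 ;;
  esac
}

# Resolve a Microsoft Graph permission name to its ID so no GUIDs are hard-coded.
# Role = application permission (appRoles); Scope = delegated (oauth2PermissionScopes).
graph_permission_id() {
  if [ "$2" = "Role" ]; then field="appRoles"; else field="oauth2PermissionScopes"; fi
  az ad sp show --id "$GRAPH_APP_ID" --query "$field[?value=='$1'].id | [0]" -o tsv
}

register_jenkins_app() {
  jenkins_url="$1"; app_name="${2:-jenkins-sso}"
  redirect_uri="$(jenkins_redirect_uri "$jenkins_url")"

  # Single-tenant web app with the redirect URI and ID token issuance enabled
  # (the portal's Authentication -> "ID tokens" checkbox).
  app_id="$(az ad app create --display-name "$app_name" \
      --sign-in-audience AzureADMyOrg \
      --web-redirect-uris "$redirect_uri" \
      --enable-id-token-issuance true \
      --query appId -o tsv)"

  # Optional group support: same as editing groupMembershipClaims in the manifest
  # (generic --set update on the application object).
  az ad app update --id "$app_id" --set groupMembershipClaims=SecurityGroup

  # A service principal must exist in the tenant before consent can be granted.
  az ad sp create --id "$app_id" >/dev/null

  # Microsoft Graph permissions: the narrower set from the second walkthrough.
  for entry in User.Read.All:Role Group.Read.All:Role People.Read:Scope User.Read:Scope; do
    perm="${entry%%:*}"; kind="${entry##*:}"
    pid="$(graph_permission_id "$perm" "$kind")"
    az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" --api-permissions "$pid=$kind"
  done
  az ad app permission admin-consent --id "$app_id"

  # New client secret, valid one year. Without --append this replaces any existing
  # secrets on the app, which is what you want for a fresh registration.
  secret="$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)"
  tenant_id="$(az account show --query tenantId -o tsv)"

  # The secret is printed once, as the portal does; paste it into Jenkins
  # (Security Realm -> Client secret) rather than keeping it in a note.
  printf 'Client ID:     %s\nTenant ID:     %s\nRedirect URI:  %s\n' "$app_id" "$tenant_id" "$redirect_uri"
  printf 'Client secret: %s\n' "$secret"
}

# Only act when asked, so the file can be sourced for its functions without side effects:
#   JENKINS_URL=https://ci.example.com APP_NAME=jenkins-sso RUN_REGISTER=1 sh register_jenkins_app.sh
if [ "${RUN_REGISTER:-0}" = "1" ]; then
  register_jenkins_app "${JENKINS_URL:?set JENKINS_URL}" "${APP_NAME:-jenkins-sso}"
fi
```

Looking the permission IDs up on Microsoft Graph's own service principal keeps the script correct even if you change the permission list, and the https check mirrors the redirect URI rule Azure AD enforces at registration time. Running the script a second time creates a second app registration with the same display name, so check `az ad app list --display-name jenkins-sso` before re-running.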
Setting up Jenkins SSO with Azure AD Active Directory: Finished
I hope this post helps you set up Jenkins SSO with Azure AD and configure the security settings of a Jenkins server in an Azure Active Directory environment, and that this kind of user guide is useful to the Jenkins community.
I am a fan of open source technology and have more than 10 years of experience working with Linux and Open Source technologies. I am one of the Linux technical writers for Cloud Infrastructure Services.