Friday, October 25, 2024

How to Secure Your Jenkins with AWS SSO

This tutorial walks you through a comprehensive process of implementing robust Single Sign-On (SSO) for your Jenkins environment using AWS Identity Center (AWS SSO) and the industry-standard SAML 2.0 protocol.

Why Choose SAML and AWS SSO?

SAML (Security Assertion Markup Language) is the cornerstone of secure and efficient identity management. It allows systems to exchange authentication and authorization data, ensuring users only access resources they're authorized to use. AWS SSO provides a centralized and scalable platform for managing identities and granting access to various applications, including Jenkins. By integrating AWS SSO with your Jenkins instance, you can:

  • Simplify User Management: Streamline user onboarding and offboarding processes, avoiding manual user creation in Jenkins.

  • Enhance Security: Eliminate the need for separate passwords for Jenkins, reducing the risk of unauthorized access.

  • Centralize Control: Manage user access permissions and groups from a single point within AWS SSO.

  • Improve User Experience: Allow users to seamlessly access Jenkins without needing to remember separate credentials.

Implementing SAML 2.0 Authentication in Jenkins with AWS SSO

This process involves configuring both AWS SSO and Jenkins to work together seamlessly:

1. Setting Up Your Custom Application in AWS SSO

The first step is to register your Jenkins instance as a custom application within AWS SSO. This involves:

  • Creating the Application: Navigate to your AWS Identity Center console and click on "Applications." Choose "Add Application" and select "I have an application I want to set up," opting for SAML 2.0 as the protocol. Provide a descriptive name and description for your application.

  • Configuring Metadata: AWS SSO will display essential metadata, including the IAM Identity Center SAML Metadata File URL and IAM Identity Center Sign-out URL. Make sure to note these URLs as they will be used later in the Jenkins configuration.

  • Manually Configuring Metadata Values: In the Application metadata section, select "Manually type your metadata values." Here, you'll configure the Assertion Consumer Service (ACS) URL and the SAML Audience. Set the ACS URL to: https://${YOUR_JENKINS_URL}/securityRealm/finishLogin. For the SAML Audience, use the same URL as the ACS URL.

  • Important Note: While a public IP without an SSL certificate might be used for demonstration, using a secure domain URL with an SSL certificate is highly recommended in a production environment.

  • Submitting Your Configuration: Click "Submit" to finalize the application creation.

2. Configuring Your Custom Application in AWS SSO: Attribute Mappings and User Assignment
To ensure seamless communication between AWS SSO and Jenkins, define attribute mappings for user information:

  • Attribute Mappings: Navigate to your custom application and choose "Edit attribute mappings." Configure the following mappings (attribute name sent to Jenkins => value taken from AWS Identity Center => attribute format):

    • Subject => ${user:preferredUsername} => persistent

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name => ${user:name} => uri

    • http://schemas.xmlsoap.org/claims/Group => Authenticated Users => uri

    • email => ${user:email} => basic

    • group => ${user:groups} => basic

  • User and Group Assignments: Go to "Assign users and groups," search for the users and groups you wish to grant access to your Jenkins instance, and click "Done."

3. Configuring Jenkins for SAML Authentication

Now, prepare your Jenkins instance to integrate with AWS SSO using SAML 2.0:

  • Backup and Plugin Installation: Back up your Jenkins config.xml file located in the Jenkins home directory. This serves as a safety measure in case you need to revert any changes. Install the following plugins:

  • Security Configuration: Go to "Manage Jenkins" > "Security" and make the following adjustments:

    • Security Realm: Set it to "SAML 2.0."

    • Authorization: Choose "Role-based Authorization Strategy."

  • IdP Metadata Configuration: Enter the IAM Identity Center SAML Metadata File URL you noted earlier in the "IdP metadata URL" field. Click "Validate IdP metadata URL" to ensure proper connection.

  • Attribute Mappings: Define the following attribute mappings:

    • Display Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    • Group Attribute: group

    • Username Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    • Email Attribute: email

  • Logout URL: Enter the IAM Identity Center Sign-out URL you saved during the initial application creation in AWS SSO.

  • Save Changes: Click "Save" to finalize the Jenkins configuration.

4. Defining Global and Item Roles

To control user access permissions, create roles at both the global and job/folder levels:

  • Global Roles: Go to "Manage Jenkins" > "Manage and Assign Roles" > "Manage Roles." Define your global roles, such as "admin" and "read-only," and specify the permissions for each role.

  • Item Roles: Navigate to "Item Roles" and create roles specific to jobs or folders, using regular expressions that are matched against the full item path. For example, "(.*backend-build/.*)" matches every job or nested folder located inside a folder whose name ends with "backend-build" (such as team/backend-build/api), so one role can cover a whole folder tree.

5. Assigning Roles

Assign the roles you defined in the previous step to users and groups:

  • Role Assignment: Go to "Manage Jenkins" > "Manage and Assign Roles" > "Assign Roles." Add users or groups using "Add User" or "Add Group." You can directly add groups from AWS Identity Center by selecting "Add Group" and entering the group ID.

  • Role Selection: Select the appropriate roles based on the permissions you want to grant to each user or group.
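The Jenkins-side settings from steps 3 to 5 (SAML realm with the attribute names that match the AWS SSO mappings of step 2, role-based authorization, and the item-role pattern from step 4) can also be declared with the Jenkins Configuration as Code plugin, which makes the setup reviewable and easy to roll back. The fragment below is an added example written for this post, not the author's configuration; it assumes the SAML and Role-based Authorization Strategy plugins' JCasC schemas (the `entries` form of role assignments, which replaced `assignments` in newer Role Strategy releases), and every URL and group ID in angle brackets is a placeholder to replace with the values noted in steps 1 and 5.

```yaml
jenkins:
  securityRealm:
    saml:
      # IAM Identity Center SAML Metadata File URL from step 1; period 0 = fetch once, no refresh
      idpMetadataConfiguration:
        url: "<IAM-IDENTITY-CENTER-SAML-METADATA-URL>"
        period: 0
      # Attribute names must match the AWS SSO attribute mappings of step 2 exactly
      displayNameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      usernameAttributeName: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      emailAttributeName: "email"
      groupsAttributeName: "group"
      # IAM Identity Center Sign-out URL from step 1
      logoutUrl: "<IAM-IDENTITY-CENTER-SIGN-OUT-URL>"
      # Seconds a SAML authentication stays valid before Jenkins forces a new login
      maximumAuthenticationLifetime: 86400
      usernameCaseConversion: "none"
      binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  authorizationStrategy:
    roleBased:
      roles:
        global:
          - name: "admin"
            description: "Full control of the Jenkins instance"
            permissions:
              - "Overall/Administer"
            entries:
              - group: "<IDENTITY-CENTER-ADMIN-GROUP-ID>"   # placeholder group ID
          - name: "read-only"
            description: "Browse Jenkins without changing anything"
            permissions:
              - "Overall/Read"
              - "Job/Read"
            entries:
              - group: "<IDENTITY-CENTER-DEV-GROUP-ID>"     # placeholder group ID
        items:
          - name: "backend-build-dev"
            description: "Build access inside folders named *backend-build"
            pattern: ".*backend-build/.*"                    # item pattern from step 4
            permissions:
              - "Job/Read"
              - "Job/Build"
              - "Job/Cancel"
            entries:
              - group: "<IDENTITY-CENTER-DEV-GROUP-ID>"     # placeholder group ID
unclassified:
  location:
    # Root URL; the ACS URL registered in step 1 must be this URL + securityRealm/finishLogin
    url: "https://<YOUR_JENKINS_URL>/"
```

Because the global "admin" role is bound to an Identity Center group rather than to individual users, membership changes made in AWS SSO take effect in Jenkins without editing this file.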

6. Testing the SSO Login

Now, it's time to verify the integration and ensure successful logins:

  • Access Jenkins directly: Open the Jenkins URL in your browser.

  • Login through the AWS Apps Portal: Navigate to the AWS Apps Portal and select your Jenkins custom application.

You should now be logged into your Jenkins instance using AWS SSO without needing to enter separate credentials.

Conclusion

By following these steps, you've successfully secured your Jenkins environment with AWS SSO and SAML 2.0. This integration enhances security, streamlines user management, and improves the overall user experience. Remember to maintain consistent security practices and regularly review your role assignments to ensure continued protection of your critical infrastructure.
