This tutorial walks you through a comprehensive process of implementing robust Single Sign-On (SSO) for your Jenkins environment using AWS Identity Center (AWS SSO) and the industry-standard SAML 2.0 protocol.
Simplify User Management: Streamline user onboarding and offboarding processes, avoiding manual user creation in Jenkins.
Enhance Security: Eliminate the need for separate passwords for Jenkins, reducing the risk of unauthorized access.
Centralized Control: Manage user access permissions and groups from a single point within AWS SSO.
Improve User Experience: Allow users to seamlessly access Jenkins without needing to remember separate credentials.
Creating the Application: Navigate to your AWS Identity Center console and click on "Applications." Choose "Add Application" and select "I have an application I want to set up," opting for SAML 2.0 as the protocol. Provide a descriptive name and description for your application.
Configuring Metadata: AWS SSO will display essential metadata, including the IAM Identity Center SAML Metadata File URL and the IAM Identity Center Sign-out URL. Note both URLs; they are needed later in the Jenkins configuration.
Manually Configuring Metadata Values: In the Application metadata section, select "Manually type your metadata values." Here you configure the Assertion Consumer Service (ACS) URL and the SAML Audience. Set the ACS URL to https://${YOUR_JENKINS_URL}/securityRealm/finishLogin and use the same URL as the SAML Audience.
Important Note: A public IP address without an SSL certificate may do for a demonstration, but in production use a proper domain with an SSL certificate. The user's browser posts the signed SAML response to the ACS URL, so it must be exactly the URL users reach Jenkins on, and over HTTPS.
Submitting Your Configuration: Click "Submit" to finalize the application creation.
Attribute Mappings: Navigate to your custom application and choose "Edit attribute mappings." Configure the following mappings (application attribute => IAM Identity Center value => format):
Subject => ${user:preferredUsername} => persistent
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name => ${user:name} => uri
http://schemas.xmlsoap.org/claims/Group => Authenticated Users => uri
email => ${user:email} => basic
group => ${user:groups} => basic
User and Group Assignments: Go to "Assign users and groups," search for the users and groups you wish to grant access to your Jenkins instance, and click "Done."
Backup and Plugin Installation: Back up the config.xml file in your Jenkins home directory. This is your safety net if the new security settings lock you out and you need to revert. Then install the following plugins:
SAML Plugin: https://plugins.jenkins.io/saml/
Role-based Authorization Strategy: https://plugins.jenkins.io/role-strategy/
Security Configuration: Go to "Manage Jenkins" > "Security" and make the following adjustments:
Security Realm: Set it to "SAML 2.0."
Authorization: Choose "Role-based Authorization Strategy."
IdP Metadata Configuration: Enter the IAM Identity Center SAML Metadata File URL you noted earlier in the "IdP metadata URL" field. Click "Validate IdP metadata URL" to confirm that Jenkins can fetch and parse the metadata.
Attribute Mappings: Define the following attribute mappings, using the attribute names exactly as configured on the AWS side:
Display Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Group Attribute: group
Username Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Email Attribute: email
Logout URL: Enter the IAM Identity Center Sign-out URL you saved during the initial application creation in AWS SSO.
Save Changes: Click "Save" to finalize the Jenkins configuration.
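As an added example (not part of the original post), the following Python check parses a decoded SAML assertion and confirms it carries what the AWS attribute mappings above should emit and what the Jenkins SAML plugin is configured to read: Audience and Recipient equal to the ACS URL, a persistent NameID, and the display name, username, email and group attributes. The hostname jenkins.example.com and all assertion values are constructed; the script does not verify the XML signature, which the Jenkins plugin does against the IdP metadata.

```python
# Added check (not from the post): does a decoded SAML assertion carry what the
# Jenkins SAML plugin is configured to read? It does NOT verify the XML signature.
import xml.etree.ElementTree as ET

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://jenkins.example.com/securityRealm/finishLogin"  # assumed hostname
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
# Attribute names exactly as entered in Manage Jenkins > Security > SAML 2.0
JENKINS_MAPPING = {"Display Name": NAME_CLAIM, "Username": NAME_CLAIM,
                   "Email": "email", "Group": "group"}

# Constructed sample (unsigned, made-up values) of what IAM Identity Center emits with the mappings above
SAMPLE_ASSERTION = f"""<s:Assertion xmlns:s="{NS['s']}" ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
 <s:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</s:Issuer>
 <s:Subject><s:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</s:NameID>
  <s:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><s:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/></s:SubjectConfirmation></s:Subject>
 <s:Conditions><s:AudienceRestriction><s:Audience>{ACS_URL}</s:Audience></s:AudienceRestriction></s:Conditions>
 <s:AttributeStatement>
  <s:Attribute Name="{NAME_CLAIM}"><s:AttributeValue>Jane Doe</s:AttributeValue></s:Attribute>
  <s:Attribute Name="email"><s:AttributeValue>jdoe@example.com</s:AttributeValue></s:Attribute>
  <s:Attribute Name="group"><s:AttributeValue>group-id-jenkins-admins</s:AttributeValue><s:AttributeValue>group-id-jenkins-readers</s:AttributeValue></s:Attribute>
 </s:AttributeStatement>
</s:Assertion>"""

def parse_assertion(xml_text):
    # Pull subject, recipient, audiences and attributes out of one <Assertion>
    root = ET.fromstring(xml_text)
    name_id = root.find("s:Subject/s:NameID", NS)
    scd = root.find("s:Subject/s:SubjectConfirmation/s:SubjectConfirmationData", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("s:AttributeValue", NS)]
             for a in root.findall("s:AttributeStatement/s:Attribute", NS)}
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format") or "",
            "recipient": scd.get("Recipient") if scd is not None else None,
            "audiences": [a.text for a in root.findall("s:Conditions/s:AudienceRestriction/s:Audience", NS)],
            "attributes": attrs}

def check_against_jenkins(parsed, acs_url=ACS_URL, mapping=JENKINS_MAPPING):
    # Return every mismatch between the assertion and the AWS/Jenkins settings
    problems = []
    if acs_url not in parsed["audiences"]:
        problems.append(f"SAML Audience {parsed['audiences']} does not match {acs_url}")
    if parsed["recipient"] != acs_url:
        problems.append(f"Recipient {parsed['recipient']!r} is not the ACS URL {acs_url}")
    if not parsed["name_id_format"].endswith(":persistent"):
        problems.append("Subject NameID format is not persistent")
    for field, attr in mapping.items():
        if not parsed["attributes"].get(attr):  # Jenkins would see an empty field
            problems.append(f"Jenkins '{field}' attribute '{attr}' is absent from the assertion")
    return problems
```

An empty result from check_against_jenkins means the assertion lines up with both sides of the configuration; a mismatched group attribute name is the usual reason AWS groups never appear in "Assign Roles".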
Global Roles: Go to "Manage Jenkins" > "Manage and Assign Roles" > "Manage Roles." Define your global roles, such as "admin" and "read-only," and specify the permissions for each role.
Item Roles: Navigate to "Item Roles" and create roles specific to jobs or folders, using regular expressions to match item names. For example, the pattern "(.*backend-build/.*)" matches every job inside any folder whose name ends with "backend-build."
Role Assignment: Go to "Manage Jenkins" > "Manage and Assign Roles" > "Assign Roles." Add users or groups using "Add User" or "Add Group." You can add groups from AWS Identity Center directly by selecting "Add Group" and entering the group ID (the value delivered in the group attribute).
Role Selection: Select the appropriate roles based on the permissions you want to grant to each user or group.
Access Jenkins directly: Open the Jenkins URL in your browser; you are redirected to AWS Identity Center to sign in.
Login through the AWS Apps Portal: Navigate to the AWS Apps Portal and select your Jenkins custom application.