|
Important
|
We will be using |
We will have to do the following steps on Azure side.
-
create the Azure Active Directory
-
create users / groups
-
create App Registration
-
url:
https://cloudbees-core.example.com/cjoc/securityRealm/finishLogin -
replace
example.comwith your domain, and change protocol if you’re not using https (https is recommended) -
update manifest (for groups)
-
change:
"groupMembershipClaims": null,(usually line 11) -
to:
"groupMembershipClaims": "SecurityGroup", -
create SP ID / App ID URI
-
grant admin consent
|
Note
|
If you’re going to use the Azure AD plugin, you also create a client secret. |
The following information will be unique to your installation, so you need to record them as you go along.
-
App ID URI
-
Object ID’s of Users and Groups you want to give rights
-
Federation Metadata DocumentEndpoint -
Azure AD → App Registrations → <your app registration> → Endpoints (circular icon on top)
-
you can use either the URL or the document contents
-
make sure the URL contains the Tenant ID of your Azure Active Directory
-
URL example:
https://login.microsoftonline.com/${TENANT_ID}/federationmetadata/2007-06/federationmetadata.xml -
You can find your Tenant ID in
Azure Active Directory→Properties→Directory ID(different name, same ID)
Below will be a visual guide with screenshots.
There will be hints in the screenshots where you should pay attention to.
-
red: this is the main thing
-
orange: this is how we got to the current page/view
-
blue: while you’re in this screen, there might be other things you could do
If you have an Azure account, you will have an Azure Active Directory (Azure AD) pre-created.
This guide assumes you have an Azure AD ready to use.
That means, the next step is to create an Application Registration.
Give the registration a useful name, select who can authenticate and the redirect URL.
This URL needs to be configured and MUST be the actual URL of your CloudBees Core installation.
Depending on the plugin you’re going to use (SAML or Azure AD) you need information from your Azure AD / App Registration.
-
Tentant ID
-
Object ID
-
Client ID
-
Federation Metadata Document (you can use the document or the URL, up to you)
Click on the Endpoints button to open the side-bar with the links.
We need the App ID - even if the SAML plugin doesn’t mention it.
You can let Azure generate one for you, but as CloudBees Core has a nice URL (which is the type required), you can also use that as the application URL, eg
|
Note
|
App ID must match in both Azure AD (set as "App ID URI") and the SAML plugin (set as "Entity ID") |
This is the generated API URI. But you can replace it with your installation’s URL. Just remember to note this URI down, we will need this when we configure Jenkins.
Of course, things wouldn’t be proper IAM/LDAP/AD without giving some permissions.
If we want to retrieve group information and other fields, we need to be able to read the Directory information.
The Directory information can be found via the Microsoft Graph api/button.
We select Application Permissions and then check Directory.Read.All. We don’t need to write.
The Permissions have changed, so we require an Administrator account to consent with the new permissions.
|
Note
|
To those working with the CloudBees Azure subscription from PS. No, we as PS cannot consent this. So either we need someone else to do this for us, or you have to use your own Azure Account’s Azure AD. |
As with the permissions, the default Manifest doesn’t give us all the information we want.
We want the groups, so we can configure RBAC, and thus we have to set the groupMembershipsClaims claim attribute.
We change the null to "SecurityGroup", please consult the Microsoft docs (see reference below) for other options.
We can download, edit and upload the manifest file. Or, we can edit inline and hit save on top.
-
-
I assume you know how to install plugins, so we skip this
-
if you don’t know Read the Managing Plugins Guide
-
-
configure saml2.0 in Jenkins
-
setup groups (RBAC)
-
administrators → admin group
-
browsers → all other groups
-
Below will be a visual guide with screenshots.
There will be hints in the screenshots where you should pay attention to.
-
red: this is the main thing
-
orange: this is how we got to the current page/view
-
blue: while you’re in this screen, there might be other things you could do
To go to Jenkins' security configuration, follow this route:
-
login with the current Admin user
-
go to the Operations Center
-
Manage Jenkins → Global Security Configuration
The SAML plugin configuration will pollute the screen with fields.
My advice, enable RBAC first.
If you haven’t got any groups/roles yet, I recommend using the Typical Initial Setup from the dropdown.
|
Important
|
Make sure you know the credentials of the current admin user. It will automatically be added to the For how to reset the security configuration, see the |
Select SAML 2.0 from the Security Realm options.
Here we need to first supply our Federation Metadata Document or it’s URL.
Each has its own Validate … button, hit it and confirm it says Success.
|
Note
|
You can leave I think this is fugly, as it amounts to something like There are other options, I’ve settled for |
|
Tip
|
Once Azure AD is configured and it works, you can configure groups for RBAC just as you’re used to. Both for classic RBAC and Team Masters. Just make sure you use the Azure AD `Object ID’s of the groups to map them. Bonus tip, add every Azure AD group to |
<useSecurity>true</useSecurity>
<authorizationStrategy class="nectar.plugins.rbac.strategy.RoleMatrixAuthorizationStrategyImpl"/>
<securityRealm class="org.jenkinsci.plugins.saml.SamlSecurityRealm" plugin="[email protected]">
<displayNameAttributeName>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</displayNameAttributeName>
<groupsAttributeName>http://schemas.microsoft.com/ws/2008/06/identity/claims/groups</groupsAttributeName>
<maximumAuthenticationLifetime>86400</maximumAuthenticationLifetime>
<emailAttributeName>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</emailAttributeName>
<usernameCaseConversion>none</usernameCaseConversion>
<usernameAttributeName>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name</usernameAttributeName>
<binding>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</binding>
<advancedConfiguration>
<forceAuthn>false</forceAuthn>
<spEntityId>https://cloudbees-core.kearos.net</spEntityId>
</advancedConfiguration>
<idpMetadataConfiguration>
<xml></xml>
<url>https://login.microsoftonline.com/95b46e09-0307-488b-a6fc-1d2717ba9c49/federationmetadata/2007-06/federationmetadata.xml</url>
<period>5</period>
</idpMetadataConfiguration>
</securityRealm>
<disableRememberMe>false</disableRememberMe>Depending on the requirements, you may want to specify a logout url in the SAML configuration to log you completely out of SAML, not just Core.
This is the default config for security in Core Modern.
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
<disableRememberMe>false</disableRememberMe>To rectify a failed configuration, execute the following steps:
-
exec into the
cjoc-0container:kubectl exec -ti cjoc-0 — bash -
open
config.xml: ` vi /var/jenkins_home/config.xml` -
replace conflicting lines with the above snippet
-
save the changes
-
exit the container:
exit -
kill the pod:
kubectl delete po cjoc-0
|
Tip
|
For removing a whole line, stay in "normal" mode, and press |
|
Note
|
The mapping of the object if to groups within is less than ideal visaually, this is however a limitation of this solution currently. When the Alternative Azure AD Plugin is approved this may provide a more satisfactory solution. |