Jenkins URL Auth SSO Plugin
- License: MIT License
- Wiki: URL Auth SSO Plugin wiki page
- Latest Build: Latest Jenkins Build
- Demo: Demo Server
How it works
This plugin allows users to be logged in to Jenkins automatically when they are logged into another site.
- This plugin authenticates users via a shared identifying cookie. This is likely to be a session ID (e.g.
PHPSESSID) which is shared between the
Target URL's domain and Jenkins' domain.
- The identifying cookie must be shared between the two sites. This is possible for subdomains by setting a cookie's domain to
.domain.com(note the leading dot).
- When a user requests a Jenkins page, their
Cookieheader is sent to the configurable
Target URLas a
GETrequest, which authenticates the user and sends back a JSON response with the
200 OK. All JSON keys are configurable.
- If the server at the
Target URLcannot authenticate the user with the sent cookies, it will respond with error code
401 Unauthorized. If you want to see this in action, try my version.
- The user will be authenticated in Jenkins if possible. Their username, display name and email will be set using the data from the JSON request.
- If the user cannot be authenticated, they will be able to click 'Login' at the top right as normal to be taken to the specified external
Login URLwhich will log the user into the SSO service. When the user returns a fresh check will be made to check if the user has just logged in.
Because authentication takes place via cookie, this plugin is designed for sites where the user is already logged into a trusted, parent site. It would be a security risk to share sensitive cookies with third party sites.
You can find a ready-made example backend server in the sso folder, written with PHP and using GitHub OAuth to facilitate SSO. There are a few simple steps to get this example working on your own server.
- Drag the
ssofolder into the Document Root of your webserver.
- Open the
sso/signin.phpfile and set your
Client Secretfrom GitHub. Also set the
User Agentheader to match your own website address (and purpose).
- Set your session cookie,
PHPSESSID, to be shared across subdomains of your domain. This can be accomplished by setting
session.cookie_domain = ".example.com"in your
php.ini. If you're using Apache on Linux, this is likely to be located at
url-auth-sso-pluginon your Jenkins server. Go to
Configure Global Securityand change the
URL Auth Plugin. Set the
Target URLto the path to your
data.phpfile - for example,
http://example.com/sso/data.php. Also set the
Login URLto the path to your
signin.phpfile - for example,
- (Optional) Change the
signin.phpfile to meet your own needs. There are no limits to what you can do, so long as you set at least
$_SESSION["user_name"]as I have in the example script.