A Jenkins Plugin that supports authentication & authorization via Azure Active Directory.

- Make sure your Jenkins server has HTTPS enabled. If your Jenkins instance was created by the Jenkins Solution Template, you can update your NGINX config file at `/etc/nginx/sites-available/default`. More configuration details can be found here.
- Open Azure Active Directory, go to Properties and copy the Directory ID; it will be used as `tenant` in Jenkins.
- Register an application in AAD and copy the Application ID; it will be used as `Client ID`.
- In the Application settings page, add a new Reply URL `https://{your_jenkins_host}/securityRealm/finishLogin`. Make sure the variable `jenkinsURL` is set to `https://{your_jenkins_host}` in the file `jenkins.model.JenkinsLocationConfiguration.xml` in the `$JENKINS_HOME` folder.
- In the Application settings page, click Keys, generate a new key and copy the value; it will be used as `Client Secret` in Jenkins.
- To configure Azure Active Directory Matrix-based security, you have to add your user/group value with the pattern `userName|groupName (principalName)`. The pattern `userName|groupName (objectId)` still works, for compatibility with previous versions.
For group support you have two options:

- Give Jenkins the right to Read directory data in Azure Active Directory (Azure admin right required), which in addition to group support also allows autocompletion when adding a user/group in the Azure Active Directory Matrix.
- Let Azure Active Directory provide the groups of a user as part of the id token.
Option 1: Give Jenkins permission to Read directory data in Azure Active Directory to get autocompletion support in the Azure Active Directory Matrix

- In the Application settings page, click Required Permissions, select Windows Azure Active Directory, then select the Read directory data permission in the Application permissions section.
- Click Grant Permissions. If you are not an admin in your tenant, please contact an admin to grant the permissions declared as "require admin" in the Enable Access page. Wait for the permissions to take effect.
Option 2: Let Azure Active Directory provide the groups of a user as part of the id token.

- In Azure Application settings, click Authentication and mark the ID tokens checkbox under Advanced Settings -> Implicit grant. Save settings.
- In Azure Application settings, click Manifest and change the `"groupMembershipClaims": "None"` value to `"groupMembershipClaims": "SecurityGroup"`. Save the manifest.
- To set up group-based authentication in Jenkins, search for and take note of the Object Id and Name of the groups you want to use for Jenkins authorization.
- In Jenkins, configure Azure Active Directory Matrix-based security and add the noted groups one by one in the following notation: `groupName (objectId)`
Click Manage Jenkins in the left menu, then click Configure Global Security and check Enable security.

To enable Azure Authentication, check Azure Active Directory and fill in the credentials. Click Verify Application to make sure your input is valid.

To enable Azure Authorization, check Azure Active Directory Matrix-based security.
In version 1.0.0, this plugin upgrades from Microsoft identity platform v1.0 to v2.0. Before you upgrade the AD plugin to version 1.0.0, please read the following items first.

- Make sure your Jenkins server has HTTPS enabled. Microsoft identity platform v2.0 forces the HTTPS scheme in the reply URI for its applications. Please update the reply URI for your AAD application. You also need to update the URL setting in the `jenkins.model.JenkinsLocationConfiguration.xml` file and restart your Jenkins instance. If your Jenkins instance was created by the Jenkins Solution Template, you can update your NGINX config file at `/etc/nginx/sites-available/default`. More configuration details can be found here.
- Go to your related AAD application and click Manifest to open the inline manifest editor. Replace the `optionalClaims` value as below. You can find more information about this.

```json
"optionalClaims": {
    "idToken": [
        { "name": "family_name", "essential": false },
        { "name": "given_name", "essential": false },
        { "name": "upn", "essential": false }
    ]
},
```
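As an added example (not part of the plugin or this README), a small Python pre-flight script that checks the pieces configured in the steps above: it derives the Reply URL from `jenkinsUrl` in `jenkins.model.JenkinsLocationConfiguration.xml` and rejects plain HTTP, reports which manifest edits (`groupMembershipClaims`, the v2.0 `optionalClaims`) are still missing, and parses a matrix entry into its `(principalName)` or `(objectId)` form. The XML and manifest excerpts are constructed samples and the function names are assumptions of this example.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED_ID_TOKEN_CLAIMS = {"family_name", "given_name", "upn"}
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample of $JENKINS_HOME/jenkins.model.JenkinsLocationConfiguration.xml
LOCATION_XML = """<jenkins.model.JenkinsLocationConfiguration>
  <jenkinsUrl>https://jenkins.example.com/</jenkinsUrl>
</jenkins.model.JenkinsLocationConfiguration>"""

# Constructed excerpt of an AAD application manifest before the edits described above
MANIFEST_JSON = '{"groupMembershipClaims": "None", "optionalClaims": null}'


def expected_reply_url(location_xml):
    """Derive the Reply URL to register in AAD from jenkinsUrl; refuse plain HTTP."""
    url = ET.fromstring(location_xml).findtext("jenkinsUrl", "").strip()
    if urlparse(url).scheme != "https":
        raise ValueError(f"jenkinsUrl must use https for identity platform v2.0: {url!r}")
    return url.rstrip("/") + "/securityRealm/finishLogin"


def manifest_findings(manifest_json):
    """List the manifest changes still missing for group claims and v2.0 optional claims."""
    m = json.loads(manifest_json)
    findings = []
    if m.get("groupMembershipClaims") != "SecurityGroup":
        findings.append('set "groupMembershipClaims" to "SecurityGroup"')
    claims = (m.get("optionalClaims") or {}).get("idToken") or []
    missing = REQUIRED_ID_TOKEN_CLAIMS - {c.get("name") for c in claims}
    if missing:
        findings.append("add idToken optionalClaims: " + ", ".join(sorted(missing)))
    return findings


def parse_matrix_entry(entry):
    """Split 'name (principalName)' or 'name (objectId)' into (name, identifier, kind)."""
    match = re.fullmatch(r"(.+?) \(([^()]+)\)", entry.strip())
    if not match:
        raise ValueError(f"entry must look like 'name (principalName)': {entry!r}")
    name, ident = match.groups()
    kind = "objectId" if GUID_RE.match(ident) else "principalName"
    return name, ident, kind


if __name__ == "__main__":
    print(expected_reply_url(LOCATION_XML))
    print(manifest_findings(MANIFEST_JSON))
    print(parse_matrix_entry("Jenkins Admins (00000000-0000-0000-0000-000000000000)"))
```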
A: You can disable the security from the config file (see https://wiki.jenkins.io/display/JENKINS/Disable+security).

Q: Why am I getting the error "insufficient privileges to complete the operation" even after having granted the permission?

A: It takes a rather long time for the privileges to take effect, which could be 10-20 minutes. So just wait for a while and try again.

Q: I always get a Login failed error with a stacktrace saying "Unable to find a suitable verification key for JWS w/ header".

A: If you want a v2.0 app in Azure AD you cannot create it from the Enterprise Applications section; you have to use the App registrations section.