
  1. Make a backup of your Jenkins deployment.
  2. Create a keypair inside the Jenkins container (or directly on the VM if not running Jenkins as a Docker container).
    1. Do this by creating and running a Jenkins job with the following Bash script:

      # Generate a self-signed 2048-bit RSA keypair (valid 10 years) in a JKS keystore.
      # The alias and the two "changeit" passwords are the values entered later in
      # the SAML plugin's Encryption Configuration; replace the CN with your Jenkins hostname.
      $JAVA_HOME/bin/keytool -noprompt -genkeypair -alias saml-key \
          -keypass changeit \
          -storepass changeit \
          -keystore /var/jenkins_home/saml-key.jks \
          -keyalg RSA -keysize 2048 -validity 3650 \
          -dname "CN=jenkins.example.cucloud.net"
  3. Be sure that the "SAML Plugin" is enabled: Jenkins → Manage Plugins
  4. Go to SAML plugin under Jenkins → Configure Global Security
  5. Under Access Control → Security Realm select "SAML 2.0", configure the following:
    1. IdP Metadata: Retrieve from either:
      1. https://shibidp.cit.cornell.edu/idp/shibboleth
      2. https://shibidp-test.cit.cornell.edu/idp/shibboleth
    2. IdP Metadata URL: leave blank
    3. Refresh Period: 0
    4. Display Name Attribute: urn:oid:2.16.840.1.113730.3.1.241
    5. Group Attribute: urn:oid:1.3.6.1.4.1.5923.1.1.1.5
    6. Maximum Authentication Lifetime: leave 86400
    7. Username Attribute: urn:oid:0.9.2342.19200300.100.1.1
    8. Email Attribute: leave blank
    9. Username Case Conversion: None
    10. Data Binding Method: HTTP-Redirect
    11. Logout URL: leave blank
    12. Advanced Configuration: leave unchecked
    13. Encryption Configuration: check
    14. Keystore Path: /var/jenkins_home/saml-key.jks
    15. Keystore Password: changeit
    16. Private Key Alias: saml-key
    17. Private Key Password: changeit
    18. Disable Signature Redirect Binding Auth Request: leave unchecked
  6. Grab the SP Metadata XML from the link labeled: "Service Provider Metadata" and save to a file. Cornell IdM will need this file.
  7. Don't hit the Save button in Jenkins just yet!!! If you do, you are on your way to switching your Jenkins to using SAML without having the Cornell IdP configured, and then you won't be able to log in to Jenkins!
    1. Instead, just close the window or navigate away without saving. Yes, this means you will probably have to re-enter all the above info again. Please let us know if you have a better way.
  8. Go to https://shibrequest.cit.cornell.edu/shibrequest/cornell/main.html and make a request for Shibboleth SP integration, providing the SP metadata you saved in the previous step.
  9. Once IdM has configured the SP in the IdP, continue with the steps below.
  10. In your browser session, re-enter the SAML settings above, but don't create a new key; use the same key you used the first time. This time you should Apply the changes in Jenkins, but DO NOT LEAVE this page.
  11. Now, open a different browser (not just a new browser window; open a completely different browser) and navigate to your Jenkins URL. If things have gone right, Cornell Two-Step Login should be invoked as part of the Jenkins login process.
  12. If you do not see the Cornell Two-Step Login process working correctly, go back to your original browser and revert to whatever authentication you were using before in the Jenkins security configuration. If you don't do that, you will have lost access to your Jenkins deployment.
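Before handing the SP metadata from step 6 to IdM, it is worth checking that it names the right host and carries the encryption certificate from the step 2 keystore. The script below is an added example, not code from the Jenkins SAML plugin or Cornell IdM; the embedded metadata, hostname and certificate bytes are constructed, and the fingerprint it prints is in the same format as `keytool -list -v` so the two can be compared by eye.

```python
"""Sanity checks on SP metadata exported by the Jenkins SAML plugin (added
example; sample metadata, hostname and certificate below are constructed)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER certificate the plugin embeds; a real
# export carries the saml-key certificate from /var/jenkins_home/saml-key.jks.
FAKE_CERT_B64 = base64.b64encode(b"constructed-cert-for-example").decode()

SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}"
    entityID="https://jenkins.example.cucloud.net/securityRealm/finishLogin">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://jenkins.example.cucloud.net/securityRealm/finishLogin"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def keytool_fingerprint(cert_b64):
    """SHA-256 over the DER bytes, colon-separated like `keytool -list -v`."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_sp_metadata(xml_text, expected_host):
    """Return entityID, per-use certificate fingerprints and a list of problems."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    report = {"entity_id": root.get("entityID"), "keys": {}, "problems": []}
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS).text.strip()
        # A KeyDescriptor without "use" is valid for both signing and encryption.
        report["keys"][kd.get("use") or "signing+encryption"] = keytool_fingerprint(cert)
    if not any("encryption" in use for use in report["keys"]):
        report["problems"].append("no encryption certificate: Encryption Configuration unchecked?")
    prefix = f"https://{expected_host}/"
    if not report["entity_id"].startswith(prefix):
        report["problems"].append(f"entityID {report['entity_id']} is not under {prefix}")
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if not acs.get("Location", "").startswith(prefix):
            report["problems"].append(f"ACS location {acs.get('Location')} is not under {prefix}")
    return report
```

Run `keytool -list -v -keystore /var/jenkins_home/saml-key.jks -alias saml-key` and compare its SHA256 fingerprint with the `encryption` entry in the report; a mismatch means the metadata was exported from a different key than the one in the keystore.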