
  1. Make a backup of your Jenkins deployment.
  2. Create a keypair inside the Jenkins container (or directly on the VM if not running Jenkins as a Docker container). 
    1. Do this by creating and running a Jenkins job with the following Bash script:

      $JAVA_HOME/bin/keytool -noprompt -genkeypair -alias saml-key \
          -keypass changeit \
          -storepass changeit \
          -keystore /var/jenkins_home/saml-key.jks  \
          -keyalg RSA -keysize 2048 -validity 3650 \
          -dname "CN=jenkins.example.cucloud.net"
  3. Be sure that the "SAML Plugin" is enabled: Jenkins → Manage Plugins
  4. Go to SAML plugin under Jenkins → Configure Global Security
  5. Under Access Control → Security Realm select "SAML 2.0", and configure the following:
    1. IdP Metadata: Retrieve from either:
      1. https://shibidp.cit.cornell.edu/idp/shibboleth
      2. https://shibidp-test.cit.cornell.edu/idp/shibboleth
    2. IdP Metadata URL: leave blank
    3. Refresh Period: 0
    4. Display Name Attribute: urn:oid:2.16.840.1.113730.3.1.241
    5. Group Attribute: urn:oid:1.3.6.1.4.1.5923.1.5.1.1
      1. NOTE: You will need to let IdM know that you would like to use Groups. That attribute is not provided by default. See IdM notes below.
    6. Maximum Authentication Lifetime: leave 86400
    7. Username Attribute: urn:oid:0.9.2342.19200300.100.1.1
    8. Email Attribute: leave blank
    9. Username Case Conversion: None
    10. Data Binding Method: HTTP-Redirect
    11. Logout URL: leave blank
    12. Advanced Configuration: leave unchecked
    13. Encryption Configuration: check
    14. Keystore Path: /var/jenkins_home/saml-key.jks
    15. Keystore Password: changeit
    16. Private Key Alias: saml-key
    17. Private Key Password: changeit
    18. Disable Signature Redirect Binding Auth Request: leave unchecked
  6. Now, be very careful with the following steps:
    1. Use the "Save" button to save that SAML configuration. Don't use "Apply"! Also, be sure to stay on this configuration page.
    2. Grab the SP Metadata XML from the link labeled: "Service Provider Metadata" and save to a file. Cornell IdM will need this file.
    3. Now, go back to the top of the page and switch back to your previous form of security. Hit "Save" and "Apply". The reason for this is that you can't fully switch to SAML until you hear back from Cornell IdM, and you don't want a Jenkins restart to switch to SAML without you being ready for it.
  7. Go to https://shibrequest.cit.cornell.edu/shibrequest/cornell/main.html and make a request for Shibboleth SP integration, providing the SP metadata you saved in the previous step.
  8. Once IdM has configured the SP in the IdP, continue with the steps below.
  9. In a browser session, re-enter the SAML settings above, but do not create a new key; use the same key you used the first time. This time, Apply the changes in Jenkins, but DO NOT LEAVE this page.
  10. Now, open a different browser (not just a new window of the same browser; open a completely different browser) and navigate to your Jenkins URL. If things have gone right, Cornell Two-Step Login is invoked as part of the Jenkins login process.
  11. If you do not see the Cornell Two-Step Login process working correctly, go back to your original browser and revert to whatever authentication you were using before in the Jenkins security configuration. If you do not, you will lose access to your Jenkins deployment.
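Before handing the SP metadata file from step 6.2 to Cornell IdM, it is worth checking that it actually contains what the configuration above should have produced: an entityID, an HTTPS AssertionConsumerService on your Jenkins host, and an encryption KeyDescriptor whose certificate fingerprint matches `keytool -list -v` on saml-key.jks. The script below is an added example, not part of this page or of the Jenkins SAML plugin; the host name comes from the keytool -dname above, while the entityID/ACS path and the certificate bytes in the sample are constructed placeholders.

```python
# Added sanity check for a saved Jenkins SP metadata file (not from the original page).
# Host name is the page's keytool CN; entityID/ACS path and cert bytes are constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def sha256_fingerprint(der_bytes):
    """Hex SHA-256 of a DER certificate, comparable with `keytool -list -v` output."""
    return hashlib.sha256(der_bytes).hexdigest()


def check_sp_metadata(xml_text, expected_host):
    """Return entityID, ACS URLs, cert fingerprints and problems to fix before sending to IdM."""
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"entity_id": entity_id, "acs": [], "cert_sha256": [],
                "problems": problems + ["no SPSSODescriptor element"]}
    # With "Encryption Configuration" checked, Jenkins must advertise an encryption key,
    # otherwise the IdP has no key to encrypt assertions to.
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)}
    if "encryption" not in uses:
        problems.append('no KeyDescriptor use="encryption" (keystore not configured?)')
    fingerprints = [sha256_fingerprint(base64.b64decode("".join((c.text or "").split())))
                    for c in sp.findall(".//ds:X509Certificate", NS)]
    acs_urls = [a.get("Location", "") for a in sp.findall("md:AssertionConsumerService", NS)]
    if not acs_urls:
        problems.append("no AssertionConsumerService endpoint")
    for url in acs_urls:
        if not url.startswith("https://") or expected_host not in url:
            problems.append(f"ACS endpoint {url} is not https on {expected_host}")
    return {"entity_id": entity_id, "acs": acs_urls, "cert_sha256": fingerprints, "problems": problems}


PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://jenkins.example.cucloud.net/securityRealm/finishLogin">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://jenkins.example.cucloud.net/securityRealm/finishLogin" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `check_sp_metadata(open("sp-metadata.xml").read(), "jenkins.example.cucloud.net")` on the real file; an empty `problems` list and a `cert_sha256` entry equal to the keystore's SHA-256 fingerprint means the file is ready to submit.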