This plugin enables use of CAS (Central Authentication Service) as an authentication source for Jenkins, with single sign-on and single sign-out support.
Additional configuration options are available under the Security Realm section:
Several protocols implemented by CAS are available in the CAS Protocol dropdown (click the Advanced... button to reveal more options):
Attributes are an easy (and recommended) way to add full name and email address information to an authenticated user, as well as roles/groups membership. CAS 1.0 response parsing with a custom Groovy script is made available as a legacy option for backward compatibility with the CAS1 Plugin.
When using the CAS plugin for authentication, you cannot use a regular username/password for remote authentication into Jenkins. This is by design, as the CAS protocol does not allow "direct" authentication and works with secure redirections, which are not compatible with remote calls such as SVN or GitHub hooks.
Instead, you should use the user's API token as the password; you can find it by going to the Configuration page of the Jenkins user you intend to use for external access. This API token does not expire and you may regenerate it as you need.
See the following page for more information: Authenticating scripted clients
When using Jenkins behind a reverse proxy, depending on configuration the URL users get redirected to after authentication may be wrong. If this is the case:
If Jenkins systematically fails to validate SAML 1.1 tickets, make sure to check whether the system clock of your Jenkins and CAS servers are synchronized.
Using normal username/password is not possible from external/scripted clients when using CAS.
This issue (JENKINS-20064) is fixed in Jenkins 1.556 and higher, provided that the user logged in through the web interface at least once.
If Jenkins is behind a reverse proxy, it may not be able to detect its own URL by itself. In this case, you need to manually configure the Jenkins URL.
Skip to end of metadata Go to start of metadata