CAS Plugin


Plugin Information

  • Plugin ID: cas-plugin
  • Latest Release Date: Nov 10, 2012
  • Maintainer(s): Fabien Crespel (id: fcrespel)

Usage (installations per month)

  • 2013-Apr: 105
  • 2013-May: 130
  • 2013-Jun: 149
  • 2013-Jul: 167
  • 2013-Aug: 166
  • 2013-Sep: 189
  • 2013-Oct: 187
  • 2013-Nov: 199
  • 2013-Dec: 200
  • 2014-Jan: 211
  • 2014-Feb: 235
  • 2014-Mar: 254

This plugin enables use of Jasig CAS as an authentication source, for single sign-on and single sign-out support.

This plugin is meant to replace the CAS1 Plugin by providing new features alongside the existing ones, while adding support for more protocols (e.g. CAS 2.0 and SAML 1.1).


Basic Setup

  1. Install the plugin from Manage Jenkins > Manage Plugins > Available > CAS Plugin
  2. Go to Manage Jenkins > Configure System > Enable Security and select CAS (Central Authentication Service) as the Security Realm
  3. Next to CAS Server URL, enter the base URL to your CAS server, e.g.
  4. Next to CAS Protocol, select the protocol to use to communicate with CAS, e.g. SAML 1.1 if you are using CAS 3.x or higher.
  5. Further down in the page, ensure the Jenkins URL is valid and can be reached by users, as it will be used by CAS to redirect back to Jenkins after authentication.
  6. If there are no warnings, click the Save button at the bottom and attempt logging in.

Advanced Setup

Additional configuration options are available under the Security Realm section:

  • Force Renewal: when checked, single sign-on is disabled: even if a CAS session is already open, the user will have to provide credentials again to confirm their identity.
  • Enable Single Sign-Out: when checked, single sign-out is enabled: whenever the user logs out of CAS (e.g. when logging out of another CAS-enabled application), the corresponding Jenkins session will be destroyed and the local user logged out as well. Note that for this to work, the CAS server must be able to communicate with Jenkins using the service URL that was passed to it during login.

Several protocols implemented by CAS are available in the CAS Protocol dropdown (click the Advanced... button to reveal more options):

  • CAS 1.0: a text-based legacy protocol. Custom extensions may provide support for roles, which can be parsed with a Groovy script specified in Roles Validation Script.
  • CAS 2.0: an XML-based protocol. It supports Proxy Tickets, allowing external applications already secured with CAS to authenticate in Jenkins without requiring user input or password. Custom extensions may provide support for attributes.
  • SAML 1.1: an XML-based protocol. It fully supports attributes out-of-the-box, without requiring custom extensions. This is the recommended protocol for CAS 3.x and higher.

Attributes are an easy (and recommended) way to add full name and email address information to an authenticated user, as well as roles/groups membership. CAS 1.0 response parsing with a custom Groovy script is made available as a legacy option for backward compatibility with the CAS1 Plugin.


Access from external clients

When using the CAS plugin for authentication, you cannot use a regular username/password for remote authentication into Jenkins. This is by design, as the CAS protocol does not allow "direct" authentication and works with secure redirections, which are not compatible with remote calls such as SVN or GitHub hooks.

Instead, you should use the user's API token as the password; you can find it by going to the Configuration page of the Jenkins user you intend to use for external access. This API token does not expire and you may regenerate it as you need.

See the following page for more information: Authenticating scripted clients
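
The scripted-client access described above, sketched in Python as an added example (not code from the plugin or its author): it sends the user id and API token as preemptive HTTP Basic credentials, refuses non-HTTPS URLs, and does not follow redirects, so the token is never replayed to a redirect target such as a login page. The function names, host, user id and token are hypothetical.

```python
import base64
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse all redirects: urllib would otherwise copy the Authorization
    header onto the redirected request, whatever host it points to."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def build_request(jenkins_url, path, user, api_token):
    """Build a request that authenticates with user id + API token.

    The header is set up front (preemptive Basic auth) because a
    CAS-protected Jenkins answers with redirections, not a 401 challenge.
    """
    base = urlsplit(jenkins_url)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("Jenkins URL must be https:// (token is a long-lived secret)")
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be relative to the Jenkins root, e.g. /api/json")
    if not user or ":" in user:
        raise ValueError("user id must be non-empty and must not contain ':'")
    if not api_token:
        raise ValueError("API token is required; the CAS password will not work")
    creds = base64.b64encode(f"{user}:{api_token}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(jenkins_url.rstrip("/") + path)
    req.add_header("Authorization", "Basic " + creds)
    return req


def fetch(req, timeout=10):
    """Send the request without following redirects; returns (status, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed sample values; replace with a real Jenkins URL, user id and token.
    demo = build_request("https://jenkins.example.org/", "/api/json", "alice", "0123abcd")
    print(demo.full_url, demo.get_header("Authorization")[:10] + "...")
```

Since the API token does not expire, keep it out of scripts and version control (read it from the environment or a secret store) and regenerate it if it may have been exposed.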


Version 1.1.1

  • Redirect to origin URL after authentication (instead of always showing Jenkins home page).
  • Show custom error page with proper "Try again" link in case of login failure (e.g. due to an invalid ticket).
  • Removed unused AspectJ JARs, reducing the overall plugin size (thanks to Jozef Kotlar).

Version 1.1.0

  • Support for CAS 2.0 Proxy Tickets, allowing external applications already secured with CAS to authenticate in Jenkins without requiring user input or password.

Version 1.0.0

  • Initial release of the new CAS Plugin
  • Multiple protocols support: CAS 1.0, CAS 2.0, SAML 1.1
  • Custom CAS 1.0 response parsing support
  • CAS 2.0 and SAML 1.1 attributes support
  • Single Sign-Out support
  • Jenkins API Token support (no conflict)

