CAS1 Plugin

Skip to end of metadata
Go to start of metadata

Plugin Information

Plugin ID cas1 Changes In Latest Release
Since Latest Release
Latest Release
Latest Release Date
Required Core
1.0.1 (archives)
Mar 09, 2010
Source Code
Issue Tracking
Open Issues
J. David Beutel (id: david_beutel)
Usage Installations 2014-Nov 112
2014-Dec 116
2015-Jan 108
2015-Feb 106
2015-Mar 119
2015-Apr 127
2015-May 114
2015-Jun 122
2015-Jul 112
2015-Aug 108
2015-Sep 115
2015-Oct 115


This plugin lets Jenkins authenticate users via your organization's Central Authentication Service (CAS), for single-sign-on.
It adds a Security Realm for the CAS protocol version 1 (plain text), which should be compatible with all versions of CAS. It also allows you to configure a Groovy script that determines a user's authorities/roles/groups. This script could work by parsing custom extensions in your CAS validation response, such as LDAP affiliation details.


Basic Setup

  1. if your CAS restricts the services for which it provides authentication, register your Jenkins service URL with your CAS
  2. Manage Jenkins > Manage Plugins > Available > install CAS1 plugin
  3. Manage Jenkins > Configure System > Enable security
  4. select the CAS protocol version 1 Security Realm
  5. input the URL of your CAS server and the host name/port number of your Jenkins server
  6. click focus on another field so AJAX will validate your input
  7. heed warnings on your input, if any
  8. click the Save button at the bottom if there are no warnings

Advanced Setup

  1. click the Advanced... button under CAS protocol version 1
  2. input a Groovy script that determines the list of groups/roles of any given user
  3. input an example validation response from your CAS
  4. click the Test Script and confirm the list of groups/roles your script produced
  5. select "Project-based Matrix Authorization Strategy" or "Matrix based security" and add groups matching roles returned by your script
  6. be sure to give yourself the Administer permission
  7. click the Save button at the bottom if there are no warnings
The example below is for a custom CAS server validation response, containing extra details from LDAP, including affiliation. (The last two lines of the Test Validation Response is actually a single line displayed as wrapped by the narrow browser window.) For cut-and-paste, this example is also in the help text (? icon).

Another example script determines roles from a standard validation response and ad hoc lists of users. It can also be combined with the above example script.
def username = response.readLines()[1].trim()
roles += [
    'hudson-adm': ['jbeutel', 'jdoe', 'rsmith'],
    'developer': ['jbeutel', 'jdoe', 'sclaus', 'ebunny'],
    'tester': ['itokugawa', 'hmatsu'] // etc...
].collect { role, names -> names.contains(username) ? role : [] }.flatten()
return roles


  • This Security Realm authenticates all pages; it has not implemented anonymous access. So, the distinction between the Authorization choices of "Logged-in users can do anything" and "Anyone can do anything" is lost; the latter becomes the former. Likewise, for the Authorization choices of "Matrix based security" and "Project-based Matrix Authorization Strategy", the mandatory "Anonymous" user/group is superfluous and redundant with the build-in "authenticated" role.
  • It does not support CAS protocol version 2 (XML), including proxies or attributes. (It looks like a plugin for all that could be implemented with just the Acegi library that comes with Jenkins, but Acegi does not seem to support version 1 of the CAS protocol, so this plugin includes the Java CAS client library instead.)
  • The plugin will initiate authentication on any page. If your CAS restricts which pages it is willing to authenticate, then your users may need to start on one of those pages of Jenkins.

Change Log

Version 1.0.1 (2010 Mar 9)

  • testing Update Center

Version 1.0 (2010 Feb 26)

  • initial release


plugin-user plugin-user Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.