This plugin lets your Jenkins users log in to Jenkins through external OpenID providers, without using a password. (Or, in OpenID terminology, this plugin makes Jenkins a relying party.)
The plugin has two somewhat different modes of operation:
This mode is on by default as soon as you install the plugin. In this mode, the user will first associate OpenIDs with their user accounts (by clicking their name on the top right of the page and then "Configure", after logging in normally):
This will initiate a wizard that allows the user to associate OpenIDs with this account. Once this is set up, the user can log in to his/her account with this OpenID, without remembering the password:
In this "on the side" mode, OpenID is just used as a means to bypass the use of a password.
This mode makes Jenkins rely completely on a single external OpenID provider as the user realm. Use of OpenID in this mode is no longer just a convenience: you have to "belong" to the configured OpenID provider to be able to log in to Jenkins.
First, the administrator will configure the system and designate the OpenID provider:
Here you need to specify which OpenID provider you'll be delegating authentication to. You do this either by specifying the "OpenID Provider Endpoint URL" (as defined by the spec), or by specifying one OpenID identifier and letting Jenkins figure out where the OP Endpoint URL is. The latter is often easier, as it can sometimes be rather complicated to find out what the actual OP Endpoint URL is.
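To see which OP Endpoint URL discovery would yield for an identifier before delegating all authentication to it, you can inspect the provider's XRDS document yourself. The following is an added example, not code from the plugin: it parses a constructed XRDS document (the `op.example` hosts are placeholders), keeps only OpenID 2.0 services, orders them by the `priority` attribute alone (a simplification of the full precedence rules), and marks endpoints that are not served over HTTPS.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"
OP_TYPES = {
    "http://specs.openid.net/auth/2.0/server",  # OP Identifier element
    "http://specs.openid.net/auth/2.0/signon",  # Claimed Identifier element
}

# Constructed sample of a discovery response; hosts are placeholders.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://legacy.op.example/openid</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/openid/endpoint</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://op.example/openid1</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def op_endpoints(xrds_text):
    """Return [(priority, uri, is_https)] for OpenID 2.0 services, best first."""
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("DTD/entity declarations are not expected in XRDS")
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(XRD_NS + "Service"):
        types = {(t.text or "").strip() for t in svc.findall(XRD_NS + "Type")}
        if not types & OP_TYPES:
            continue  # not an OpenID 2.0 service (here: the OpenID 1.1 entry)
        prio = svc.get("priority")
        prio = int(prio) if prio is not None else float("inf")  # absent = lowest
        for uri in svc.findall(XRD_NS + "URI"):
            url = (uri.text or "").strip()
            found.append((prio, url, urlsplit(url).scheme == "https"))
    return sorted(found, key=lambda e: e[0])


if __name__ == "__main__":
    for entry in op_endpoints(SAMPLE_XRDS):
        print(entry)
```

An endpoint reported with `is_https` false is one to question before entering it as the OP Endpoint URL, since every Jenkins login would be delegated to it.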
Once Jenkins is configured this way, the user is automatically sent to this OpenID provider whenever Jenkins determines that the user needs to be authenticated. This includes accessing a protected page and clicking a login link, and it happens without the user clicking a "login with OpenID" button.
Combined with the option in typical OpenID providers to bypass the confirmation dialog after the first login, this creates a single sign-on experience where the user never has to explicitly log in to access Jenkins.
By default, users who authenticate via OpenID have no rights, not even the right to see the Jenkins GUI. To grant a right to all OpenID users, add a user "authenticated" and grant them the desired right. Typically this will be Overall/Read.
This implementation supports the OpenID team extension to retrieve group membership information from OpenID providers.
This plugin supports Google Apps as an OpenID provider. Select "Google Apps SSO (with OpenID)" in the UI and type in your domain name. In this way, users must have a valid user account on your domain to be able to log in.