Plugin Information
This plugin lets your Jenkins users log in to Jenkins through external OpenID providers, without using a password (or, in OpenID terminology, this plugin makes Jenkins a relying party). The plugin has two somewhat different modes of operation:
'On the side' mode
As of 2.1 this mode is off by default for new installations. Upgrades should retain the configuration as on. In this mode, the user first associates OpenIDs with their user account (by clicking their name at the top right of the page and then "Configure", after logging in normally):
This initiates a wizard that allows the user to associate OpenIDs with this account. Once this is set up, the user can log in to their account with this OpenID, without remembering the password:
In this "on the side" mode, OpenID is just used as a means to bypass the use of a password.
SSO mode
This mode makes Jenkins rely completely on a single external OpenID provider as the user realm. Use of OpenID in this mode is no longer just a convenience: you have to "belong" to the configured OpenID provider to be able to log in to Jenkins. First, the administrator configures the system and designates the OpenID provider:
Here you need to specify which OpenID provider you will be delegating authentication to. You do this either by specifying the "OpenID Provider Endpoint URL" (as defined by the spec), or by specifying one OpenID identifier and letting Jenkins figure out where the OP Endpoint URL is. The latter is often easier, as it can sometimes be rather complicated to find out what the actual OP Endpoint URL is. Once Jenkins is configured this way, the user is automatically sent to this OpenID provider whenever Jenkins determines that the user needs to be authenticated. This includes accessing a protected page and clicking a login link, and it happens without the user clicking a "login with OpenID" button. Combined with the option in typical OpenID providers to bypass the confirmation dialog after the first login, this creates a single sign-on experience where the user never has to explicitly log in to access Jenkins.
Automatic Read Access
By default, users who authenticate via OpenID have no rights, not even the right to see the Jenkins GUI. To grant a right to all OpenID users, add a user "authenticated" and grant them the desired right. Typically this will be Overall/Read.
Team extension support
This implementation supports the OpenID team extension to retrieve group membership information from OpenID providers.
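The "let Jenkins figure out the OP Endpoint URL" step above is OpenID 2.0 discovery: the relying party fetches the identifier and looks for an XRDS document (Yadis) or, failing that, HTML `<link rel="openid2.provider">` tags. The following is an added example of that lookup in Python using only the standard library; it is not code from the OpenID plugin, and the XRDS/HTML documents and `op.example.test` URLs are constructed for illustration. Since the discovered endpoint is where Jenkins will redirect every login, a relying party should only accept it from a document it fetched over HTTPS.

```python
"""OpenID 2.0 discovery: find the OP Endpoint URL that an identifier advertises.
Added example, not part of the Jenkins OpenID plugin; sample documents are constructed."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

OP_SERVER = "http://specs.openid.net/auth/2.0/server"  # OP identifier (directed identity)
OP_SIGNON = "http://specs.openid.net/auth/2.0/signon"  # claimed identifier
XRD_NS = "{xri://$xrd*($v*2.0)}"                       # XRD 2.0 default namespace


def endpoint_from_xrds(xrds_text):
    """Return (op_endpoint_url, service_type) from an XRDS document, preferring the
    'server' service type over 'signon'; None if neither is declared."""
    root = ET.fromstring(xrds_text)
    found = {}
    for svc in root.iter(XRD_NS + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text}
        uri = svc.find(XRD_NS + "URI")
        if uri is None or not uri.text:
            continue
        for wanted in (OP_SERVER, OP_SIGNON):
            if wanted in types:
                found.setdefault(wanted, uri.text.strip())  # keep first match per type
    for wanted in (OP_SERVER, OP_SIGNON):
        if wanted in found:
            return found[wanted], wanted
    return None


class _LinkFinder(HTMLParser):
    """Collects <link rel="openid2.provider"|"openid2.local_id" href="..."> tags."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                if rel in ("openid2.provider", "openid2.local_id"):
                    self.links.setdefault(rel, a.get("href"))


def endpoint_from_html(html_text):
    """HTML-based discovery fallback when no XRDS document is served."""
    p = _LinkFinder()
    p.feed(html_text)
    href = p.links.get("openid2.provider")
    return (href, OP_SIGNON) if href else None


SAMPLE_XRDS = """<?xml version="1.0"?><xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service priority="0"><Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://op.example.test/openid/endpoint</URI></Service></XRD></xrds:XRDS>"""
SAMPLE_HTML = '<html><head><link rel="openid2.provider" href="https://op.example.test/openid"></head></html>'
```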
SSO mode configuration ideas
Working with Google Apps
Google is phasing out OpenID 2.0 support and will turn off OpenID logins by April 20th, 2015. You should migrate to the new google-login plugin, which also supports Google Apps domain restriction.
Release History
Version 2.1.1 (Oct 2, 2014)
Version 2.1 (May 15, 2014)
Version 2.0 (May 14, 2014)
Version 1.8 (Nov 27, 2013)
Version 1.7 (Jul 24, 2013)
Version 1.6 (Jan 17, 2013)
Version 1.5 (Jul 11, 2012)
Version 1.4 (Oct 27, 2011)
Version 1.3 (Mar 31, 2011)
Version 1.2 (Mar 27, 2011)
Version 1.1 (Feb 11, 2011)
Version 1.0 (Feb 7, 2011)
OpenID plugin
Comments (12)
Dec 14, 2011
Vivek Ayer says:
This works great mostly. I've set up my web server to forward /jenkins to 8080:/jenkins via an apache proxy. One annoyance with this plugin is after I login with openid from /jenkins/login, my URL goes to 8080:/jenkins whereas using the internal jenkins login method honors the proxy url and takes me back to /jenkins. Would this be a bug with this plugin? Thanks
Apr 30, 2013
Dan Zieber says:
I'm using this with the Google SSO and would like to be able to create users ahead of time (before their first login) to setup permissions. Is there any prior art out there?
Jun 01, 2014
Konstantin Trunin says:
This plugin is not working with Google Apps accounts!
When I choose to login it displays Google's page with an error message:
400. That’s an error.
OpenID auth request contains an unregistered domain: http://<domain>/securityRealm/finishLogin
Please fix it!
Jun 04, 2014
Mark Abraham says:
That is because Google has deprecated OpenID authentication - see https://developers.google.com/+/api/auth-migration#timetable. Use another OpenID provider, or another form of authentication.
Jun 04, 2014
Konstantin Trunin says:
Thanks for reply!
Then why this plugin tells that it works with Google?
And what if I don't want to use another provider?
Google suggested to use new protocols - can you support it?
Aug 25, 2014
junaid shaikh says:
I am getting this error in maven eclipse when I imported your plugin. Any suggestions?
Missing artifact org.jenkins-ci.main:jenkins-war:war:1.509
Oct 02, 2014
Konstantin Trunin says:
re:
Version 2.1.1 (Oct 2, 2014)
* Fixed the escape hatch system property to disable the OpenID Teams extension: -Dhudson.plugins.openid.impl.TeamsExtension.disable=true
* Added some alternative email attributes
* Fix proxy settings for discovery
When will you fix the bug with Google accounts?
Oct 23, 2014
jburrows Burrows says:
Ditto on Konstantin's point, is there an expected change to support the newer Oauth methodology for Google Apps since they deprecated the OAuth 2.0 method in April of 2014 to be completely disabled in April 2015? Currently with Google Apps, any new servers trying to use SSO authentication with the older method cannot register, therefore cannot use the OpenID plugin for SSO Google App authentication.
Thanks,
JB
Nov 04, 2014
Benoit B says:
Anything?
Nov 21, 2014
Might Wolf says:
+1 on adding support for OAuth 2.0 login (OpenID Connect). As it stands now, new users can't use this plugin, and current users will suddenly have their logins stop working next year with no way to get inside their jenkins instances.
The changes needed don't look overly complicated, just updating 2 endpoint urls here: https://developers.google.com/+/api/auth-migration#oauth2login, and potentially two more here: https://developers.google.com/+/api/auth-migration#email
Can we help adding the support?
Dec 10
junaid shaikh says:
I am using a custom openID provider. I have configured CAS as an openID provider which uses LDAP as a user base. openid plugin is able to discover the URI successfully. However after successful authentication on the CAS login page it says
INFO [org.jasig.cas.support.openid.authentication.principal.OpenIdService] - <Validated openid ticket> ERROR [org.openid4java.server.ServerManager] - <Invalid OP-endpoint configured; cannot issue authentication responses.{cas.securityContext.casProcessingFilterEntryPoint.loginUrl}> java.net.MalformedURLException: no protocol: {cas.securityContext.casProcessingFilterEntryPoint.loginUrl}
Dec 10
junaid shaikh says:
I am using a custom openID provider. I have configured CAS as an openID provider which uses LDAP as a user base. openid plugin is able to discover the URI successfully. However after successful authentication on the CAS login page it says
INFO [org.jasig.cas.support.openid.authentication.principal.OpenIdService] - <Validated openid ticket> ERROR [org.openid4java.server.ServerManager] - <Invalid OP-endpoint configured; cannot issue authentication responses.{cas.securityContext.casProcessingFilterEntryPoint.loginUrl}> java.net.MalformedURLException: no protocol: {cas.securityContext.casProcessingFilterEntryPoint.loginUrl}