
SSO into Jenkins while managing users in Atlassian Crowd


Jenkins manages and controls software delivery processes throughout the entire lifecycle, including build, document, test, package, stage, deployment, static code analysis, and much more. To make access to Jenkins easier and more secure, we have an SSO module that can be easily deployed on Jenkins platforms. Its most important features include Just-In-Time User & Group Provisioning, Auto Redirect to IdP, Signing & Encryption, Custom User Attribute Mapping, Single Logout, Manual Group & Role Mapping, and many more.

 

Atlassian Crowd is a powerful tool that enables users to create sessions for multiple Atlassian products like Jira, Confluence, and Bitbucket. Crowd is a centralised identity and access management application that manages users from various directories, such as Active Directory, LDAP, OpenLDAP, and Microsoft Azure Active Directory, for connected applications.

 

Enterprises are now looking to delegate user authentication for their applications from Crowd to central IAM (Identity & Access Management) applications for better security, but Crowd is still required to manage users and permissions. This use case is possible with the help of connectors we have developed for Atlassian applications like Jira, Confluence, and Bitbucket. Jenkins, however, is a non-Atlassian application, so integrating this flow with Jenkins is difficult.

 


How does the miniOrange plugin handle this use case?

We have developed a Jenkins Crowd SSO Connector capable of creating user sessions by reading the Crowd session. As with Atlassian applications such as Jira, Confluence, and Bitbucket, you can manage groups and permissions from Crowd. You can authenticate to Crowd via SAML SSO using the Crowd SAML SSO plugin. With the help of the connector, you can invoke SSO from Jenkins itself. You do not need to log in to Crowd explicitly.

 

How does it work?

The Crowd SAML SSO plugin acts as a SAML Service Provider and is used to enable trust between Jenkins and the central IAM applications. The Crowd SAML SSO plugin takes care of the SAML request, the SAML response, and user session management at the Crowd end. Once the Crowd session is created, Jenkins reads this session and the user is logged in to Jenkins. Users can invoke SSO from Jenkins itself.

Here, the IAM performs the user authentication. Crowd is used to manage users and their groups (permissions) for all the connected applications.

Also, with this flow, end users will experience a seamless login and won't notice that the SSO request and response pass through the Crowd server.

 


Let us understand the Workflow!

  1. The user tries to access the Jenkins application.
  2. For authentication, the user is forwarded to the IAM application's login page.
    1. The Jenkins Crowd SSO Connector redirects the user to the Crowd SAML plugin.
    2. The Crowd SAML plugin forwards the user to the IAM application for authentication.
  3. Once authentication is successful, the user is redirected back to the Jenkins application and logged in.
    1. The IAM sends a response back to the Crowd SAML plugin.
    2. The Crowd SAML plugin validates the user, creates the user session, and redirects the user to the respective application from where the SSO was invoked.
    3. Users are granted access to Jenkins based on their groups and applications configured on Crowd.
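
The workflow above, modelled as an added Python example (not miniOrange's or Atlassian's code). An HMAC stands in for SAML response signing, and every name, host, group and the return-URL check is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# All values below are constructed for illustration.
IDP_KEY = b"constructed-demo-key"                # stand-in for the IAM signing key
REGISTERED_APPS = {"jenkins.example.internal"}   # applications configured on Crowd
DIRECTORY = {"alice": {"jenkins-users"}, "bob": {"jira-users"}}  # Crowd groups
JENKINS_GROUPS = {"jenkins-users"}               # groups allowed into Jenkins
SESSIONS = {}                                    # Crowd session token -> username

def _sign(user):
    return hmac.new(IDP_KEY, user.encode(), hashlib.sha256).hexdigest()

def idp_authenticate(user):
    """IAM: authenticate the user and return a signed response (step 3.1)."""
    return user, _sign(user)

def crowd_consume(user, sig, return_url):
    """Crowd SAML plugin: validate, create the session, redirect back (step 3.2)."""
    if not hmac.compare_digest(sig, _sign(user)):
        raise PermissionError("IAM response failed validation")
    if user not in DIRECTORY:
        raise PermissionError("user is not managed in Crowd")
    target = urlsplit(return_url)
    # Assumed hardening: only redirect back to an application Crowd knows about.
    if target.scheme != "https" or target.hostname not in REGISTERED_APPS:
        raise PermissionError("return URL is not a registered application")
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user
    return token, return_url

def jenkins_request(token=None):
    """Connector: read the Crowd session, or start SSO when there is none."""
    user = SESSIONS.get(token)
    if user is None:
        return "redirect-to-crowd"               # steps 1 and 2
    if DIRECTORY[user] & JENKINS_GROUPS:
        return f"logged-in:{user}"               # step 3.3: group-based access
    return "denied"                              # valid session, wrong groups

def sso_login(user, return_url="https://jenkins.example.internal/job/build"):
    """Run the whole workflow; return Jenkins' first and final decisions."""
    first = jenkins_request()                    # no Crowd session yet
    token, _ = crowd_consume(*idp_authenticate(user), return_url)
    return first, jenkins_request(token)
```

A user with a valid Crowd session but no Jenkins group is denied rather than sent back through SSO, so authentication by the IAM and authorization by Crowd stay separate decisions.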

 


 

What are the Key Benefits?

  1. There is only one set of SAML configurations for all the Atlassian & non-Atlassian applications.
  2. User authentication moves to the central IAM without losing any of the existing user permissions.
  3. Users will be able to access all the connected applications using their IAM credentials.
  4. This method makes it simple to add an extra security layer, such as MFA, on top of the SSO, which was not available while utilising Crowd for SSO.

 

What do you think of this solution? Do you think this would help centralize authentication for your users? Drop us a mail at info@xecurify.com or raise a ticket here to talk to us.

 
