Plugin Information View Azure AD on the plugin site for more information. Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:
Setup In Azure Active Directory
- Open Azure Active Directory, in
Properties, copy Directory ID, it will be used astenantin Jenkins. - Register an application in AAD, copy the
Application ID, it will be used asClient ID. - In Application setting page, add a Reply URL http://{your_jenkins_host}/securityRealm/finishLogin. Make the variable jenkinsURL set as http://{your_jenkins_host} for the file jenkins.model.JenkinsLocationConfiguration.xml in the $JENKINS_HOME folder.
- In Application setting page, click
Keys, generate a new key, copy thevalue, it will be used asClient Secretin Jenkins. - In Application setting page, click
Required Permissionsand selectWindows Azure Active Directory, then selectRead directory datapermissions in Application permissions section. - Click
Grant Permissions. If you are not an admin in your tenant, please contact admin to grant the permissions which declared asrequire admininEnable Accesspage. Wait for the permissions taking effects.
Setup In Jenkins
Click Manage Jenkins in the left menu, then click Configure Global Security, check Enable security
Enable Azure Authentication
To enable Azure Authentication, check Azure Active Directory and fill in the credential.
Click Verify Application to make sure your input is valid.
Enable Azure Authorization
To enable Azure Authentication, check Azure Active Directory Matrix-based security
FAQ
Q: How to recovery if Jenkins keeps failing during the login phase?
A: You can disable the security from the config file (see https://wiki.jenkins.io/display/JENKINS/Disable+security)
Q: Why getting a error "insufficient privileges to complete the operation" even having granted the permission?
A: It takes rather long time for the privileges to take effect, which could be 10-20 minutes. So just wait for a while and try again.
Change Log
0.3.4 (2019-04-30)
0.3.3 (2019-04-11)
- Support named groups and users
0.3.2 (2019-01-18)
- Fix seed authentication issue
0.3.1 (2018-09-19)
- Upgrade Azure commons to 0.2.7
- Use UPN as Jenkins user id
0.3.0 (2018-02-09)
Jenkins under version 2.60 is not supported any more!
- Upgrade the dependency of matrix-auth to 2.2
0.2.0 (2018-01-18)
- Support project-based authorization
- Improve security
0.1.1 (2017-12-07)
- Fixed the CSRF protection issue.
0.1.0 (2017-12-01)
- Initial release
12 Comments
Matt Ralph
Thanks for the awesome plugin! Are there any instructions on how to do the Azure Active Directory App Registration setup using Azure CLI? We would like to automate this end-to-end, but docs on how to grant the required permissions to a registered app, seem to be absent on the Azure side
Cheers
Badal Kotecha
I have documented the complete steps in my blog http://cloud.badalkotecha.com/2018/09/jenkins-role-based-access-control-rbac-with-azure-ad-step-by-step.html
Jie Shen
You can check this doc for Azure CLI commands to manage Azure Active Directory. Commands az ad app create and az ad app update may be suitable for your case.
tony yin
Dear All,
does anyone know whether there has some way out that if we cannot do step 6 due that we do not find the right team/person as admin? I found that most of the apps integrate with AAD do not need 'Read directory data' privilege.
any reply are highly appreciated.
Tony
Jie Shen
For now, you cannot skip the step. I will investigate whether we can use it without the privilege in next version.
tony yin
Hi, Jie Shen,
Thanks. We just need do authentication with AAD. "Sign in and read user profile" and "Read all users' basic profiles" privileges might be enough. These 2 privileges are already delegated to the application owners.
Just in case you need.
thanks in advance.
Tony
Ole Tolshave
Hello and thanks for a great plugin!
I have been using this plugin without any issues for about 2 months. Yesterday without any changes I can no longer log on at all to Jenkins. I can still log on with the same Azure account to both the azure portal and other resources protected by SSO.
I get the jenkins error page and this stakc trace, when I log on using Azure SSO:
Stack trace
...
Caused: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"typ":"JWT","alg":"RS256","x5t":"i6<removed>Y","kid":"i6<removed>lY"} due to an unexpected exception (javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching login.microsoftonline.com found.) while obtaining or using keys from JWKS endpoint at https://login.microsoftonline.com/common/discovery/keys..
It kind of sounds like certificate has expires, because it just started failing without any changes on my side. Are anybody else seeing this?
/Ole
Azure DevOps
thanks for reporting the issue. we'll look at it after back from some national holiday. meanwhile, could you pls try to open an issue at JIRA (https://issues.jenkins-ci.org) with component=azure-ad-plugin for better tracking? thanks.
Ole Tolshave
Thank you - issue JENKINS-53859 have been created: JENKINS-53859 - Getting issue details... STATUS .
Badal Kotecha
I am facing multiple challenges with this plugin when invoking Jenkins API remotely when RBAC is configured with this plugin
Are there ways to get around this?
Badal
Jie Shen
Related Jira issue JENKINS-54115 - Getting issue details... STATUS
dave goodine
The workaround on this issue (adding 2 users to the azure ad matrix) allows me to use jenkins job builder (https://docs.openstack.org/infra/jenkins-job-builder/) with our jenkins master using azure ad plugin.