Configuring SSO for Jenkins using WSO2 IS 5.10

It started as a fix for an issue, but it became a beloved feature!

Tip: In a rush? Skip ahead to the section “Hey Lazy SysAdmin who needs SSO configured on Jenkins, follow from here!!”

Drake Approves!

Start of a bad dream!

‘We can not log in to our Production Jenkins Server, it gives an HTTP 500 error!’

Errr, another complaint! The product release team is on full throttle, sending emails and cc’ing their friendly neighbourhood sysadmin. They did not forget to attach a screenshot of that unpleasant 500 error either. Now I cannot say “it works for me!!”

HTTP 500 error observed when trying to log in to Jenkins

Why can’t these systems work without breaking while I am trying to watch some conspiracies about Covid-19!!

Root Cause analysis

“Why is our production Jenkins server giving this error, and when does it happen?” I wondered, while suppressing the urge to just restart the Jenkins master service.

First I checked the resource consumption of the Jenkins server: CPU, load average, disk and RAM. RAM usage was a bit higher than usual, but not high enough to be identified as the culprit.

The error only appears when you try to log in; once you are logged in, you can navigate the jobs and configs without any trouble. So the problem might lie with the LDAP server! (Light bulb moment!)

Our Jenkins users were authenticated using the Jenkins LDAP plugin, which queries our LDAP mirrors directly, and authorised using the Project-based Matrix Authorization Strategy. I checked the resource consumption on the LDAP mirror and, boy, was it high! The LDAP server showed 300% CPU utilisation in the AWS CloudWatch metrics, and the LDAP logs showed it was being queried by our Jenkins master at an extensive rate, which was overloading it.

Conclusion so far:

When a user tries to log in to Jenkins, Jenkins sends the credentials to the LDAP server for authentication; the LDAP server cannot process the query and hangs. Jenkins waits for the LDAP server’s answer and eventually times out, producing a Gateway Timeout (504) or an Internal Server Error (500).

Next Step:

Now we need to protect the LDAP server from the flood of requests initiated by the Jenkins master. Fortunately I work at WSO2 Pvt Ltd and we do have our own WSO2 IS server (surprise!!). Instead of hitting the LDAP server directly, Jenkins can authenticate against WSO2 IS, and WSO2 IS will handle the load, cache the lookups and serve the SAML authentication tokens.

Hey Lazy SysAdmin who needs SSO configured on Jenkins, follow from here!!

Since we used the direct LDAP-to-Jenkins integration, we now need a new Jenkins plugin, and believe me, the saml-plugin does the job and it is pretty straightforward too!

Steps:

  • Log in to the Carbon console of your WSO2 IS server.
  • Main > Service Providers > Add
  • Add a Service Provider Name and an optional description, then click Register.
  • In the newly created Service Provider, go to Claim Configuration, click Define Custom Claim Dialect, add the claims below and make sure to check Requested Claim for each of them.

displayName -> http://wso2.org/displayName

groups -> http://wso2.org/role

email -> http://wso2.org/emailaddress

Service Provider — Claim Configurations
  • Once those are updated, go to the “Inbound Authentication Configuration” section > SAML2 Web SSO Configuration.
  • We need to add a new issuer here, which opens the “Register New Service Provider” window. Below are the fields we need to change or add.
  • Issuer: https://www.yourjenkins.com/jenkins/securityRealm/finishLogin (replace this with your Jenkins URL)
  • Assertion Consumer URLs: https://www.yourjenkins.com/jenkins/securityRealm/finishLogin (replace this with your Jenkins URL)
  • Enable the options below and keep the default values for the other fields:
  • Check the “Enable Single Logout” option.
  • Check “Enable Attribute Profile” and “Include Attributes in the Response Always”.
  • Check “Enable IdP Initiated SSO”.
  • While you are on the “Register New Service Provider” page you can download the IDP metadata. We will need it when we configure the SAML plugin on the Jenkins end.
Download IDP Metadata (this downloads an XML file)
  • Now we can save the Service Provider.
Register New Service Provider window
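Before pasting the downloaded metadata into Jenkins it is worth checking that it actually carries what the plugin will rely on: a signing certificate, a Single Sign-On endpoint for the HTTP-Redirect binding the plugin will be set to, and a Single Logout endpoint to match the “Enable Single Logout” option. The script below is an added example, not code from the post or from WSO2/Jenkins; the embedded metadata, hostname and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata namespaces (not WSO2-specific).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of the file IS downloads; the hostname and the
# certificate value are placeholders, not a real IdP or key.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="localhost">
  <IDPSSODescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://is.example.com/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://is.example.com/samlsso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://is.example.com/samlsso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def check_idp_metadata(xml_text):
    # Assumes the root is a single EntityDescriptor, as in the IS download.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"entity_id": None, "problems": ["no IDPSSODescriptor in metadata"]}
    problems = []
    # Signing certificate: without it Jenkins cannot verify the IdP's signatures.
    # A KeyDescriptor with no 'use' attribute counts for signing as well.
    certs = [c for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        problems.append("no signing certificate")
    # The plugin will use HTTP-Redirect, so an SSO endpoint for that binding must exist.
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if not sso:
        problems.append("no SingleSignOnService with HTTP-Redirect binding")
    # 'Enable Single Logout' only does something if the IdP publishes an SLO endpoint.
    slo = [s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)]
    if not slo:
        problems.append("no SingleLogoutService endpoint")
    for url in sso + slo:  # assertions travel over these URLs, so insist on TLS
        if not url.startswith("https://"):
            problems.append("endpoint is not https: " + url)
    return {"entity_id": root.get("entityID"), "sso_redirect_url": sso[0] if sso else None,
            "slo_url": slo[0] if slo else None, "signing_certs": len(certs), "problems": problems}
```

Run it against the real downloaded file with `check_idp_metadata(open("metadata.xml").read())` and fix anything listed under `problems` on the IS side before moving on.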

Now we are almost done with the configuration on the IDP side. Let’s head over to the Jenkins master.

In the Jenkins master:

  • Go to “Manage Jenkins” > “Configure Global Security”
  • Check “Enable security”
  • Under “Security Realm”, select the SAML 2.0 radio button.
  • Now we can configure the SAML plugin to match the Service Provider in WSO2 IS.
  • In the IDP Metadata field, paste the metadata you downloaded from your IS when you were configuring the Service Provider.
  • Since we added the metadata manually, there is no need to fill in the IDP Metadata URL.
  • Refresh Period = 0
  • Display Name Attribute = displayName
  • Group Attribute = groups
  • Username Attribute = email
  • Email Attribute = email
  • Data Binding Method = HTTP-Redirect
  • Logout URL: this is optional.
A picture can say a thousand words ;)
  • Now the plugin for authentication is configured. You can keep using the same “Project-based Matrix Authorisation Strategy”, and authorisation works just fine with the groups carried in the SAML responses.
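To see why the attribute names above matter, here is an added example (not code from the post, the saml-plugin or WSO2) that maps the attributes of an assertion to the identity Jenkins would work with, using exactly the Display Name / Group / Username / Email attribute settings from the list, and then runs a matrix-style permission check over the groups. The assertion fragment, user, groups and permission matrix are constructed; the comma-joined role value is an assumption about how roles may arrive.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names exactly as set in the plugin fields above.
ATTRS = {"username": "email", "display_name": "displayName",
         "groups": "groups", "email": "email"}

# Constructed, unsigned assertion fragment with a made-up user. A real response
# is signed and the signature is verified before anything here is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Internal/everyone,release-team</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed grid in the shape of a Project-based Matrix Authorisation table.
MATRIX = {"release-team": {"Job/Read", "Job/Build"},
          "jenkins-admins": {"Overall/Administer"}}

def attributes(assertion_xml):
    # Collect the AttributeStatement as {attribute name: [values]}.
    out = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        vals = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML)]
        out.setdefault(attr.get("Name"), []).extend(vals)
    return out

def build_principal(assertion_xml, attrs=ATTRS):
    """Map assertion attributes to the identity Jenkins will use, or fail loudly."""
    a = attributes(assertion_xml)
    if not a.get(attrs["username"]):
        # No username attribute means no login: re-check the Requested Claim boxes
        # and 'Include Attributes in the Response Always' on the IS side.
        raise ValueError("username attribute %r missing from assertion" % attrs["username"])
    username = a[attrs["username"]][0]
    groups = set()
    for raw in a.get(attrs["groups"], []):  # assumption: roles may arrive comma-joined
        groups.update(g.strip() for g in raw.split(",") if g.strip())
    return {"username": username,
            "display_name": (a.get(attrs["display_name"]) or [username])[0],
            "email": (a.get(attrs["email"]) or [None])[0],
            "groups": sorted(groups)}

def is_permitted(principal, permission, matrix):
    """Matrix check: the user's own row or any of their group rows grants it."""
    sids = [principal["username"]] + principal["groups"]
    return any(permission in matrix.get(sid, ()) for sid in sids)
```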

After-Effect

We have several Jenkins servers and we enabled SSO on all of them, which means end users have to type their username and password far less often.

Less load on our LDAP servers, fewer password entries for end users, uninterrupted service! A win-win-win situation, I say!

That is all for now. Next we will discuss architecting a highly available AWS environment to host WSO2 IS using Terraform, configuring WSO2 IS on it, and then using that IS cluster to enable SSO for a Thinkific-powered school site.

Have questions? Find me on LinkedIn!
