If you use Office 365, your subscription comes with Azure Active Directory, which you can use to integrate authentication with your applications. This is a quick guide on how to configure Jenkins to authenticate using Azure Active Directory.

  1. Go to portal.azure.com and open Azure Active Directory from the left side menu
  2. Click on “App registrations”
  3. Click on “To view and manage your registrations for converged applications, please visit the Microsoft Application Console”
  4. In the Application Registration Portal this leads to, click “Add an application”. Give the application a name and unselect guided setup.

    (Screenshot: Give the application a name, note the Application ID and generate a password)
  5. Note the Application ID, such as 1ae6997b-911c-4500-a3ae-e7ae278b8bc2
  6. Click the “Generate New Password” and note it. In our example, MJCKoJn9hG68xzhaaf7Pvw
  7. Click the “Add Platform” button, select Web from the pop-up that appears.
  8. Leave “Allow Implicit Flow” checked
  9. In Redirect URL, enter: https://JENKINS_HOSTNAME/securityRealm/finishLogin
  10. Click “Add Platform” again. This time select “Web API”
  11. In the Application ID URI field, also enter https://JENKINS_HOSTNAME/securityRealm/finishLogin

    (Screenshot: Add the Web and Web API platforms)
  12. Scroll to the bottom of the page and enter https://JENKINS_HOSTNAME as the Home page URL
  13. Save
  14. Go to portal.azure.com and open Azure Active Directory from the left side menu
  15. Click on “App registrations”

    (Screenshot: Locate the endpoint URLs in the Azure AD configuration portal)
  16. Click on “Endpoints” on the top menu
  17. Note the OAUTH 2.0 TOKEN ENDPOINT URL
  18. Note the OAUTH 2.0 AUTHORIZATION ENDPOINT URL
  19. Configure who will have access to Jenkins:
    1. Go to portal.azure.com and open Azure Active Directory from the left side menu
    2. Click on “Enterprise Applications”
    3. Click on “All Applications”. Find your new application and click on its name
    4. Click on “Users and groups”
    5. Add all the users you want to be able to access Jenkins
  20. Go to your Jenkins instance, Manage Jenkins, Manage Plugins, Available tab, and install the OpenId Connect Authentication Plugin written by Michael Bischoff
  21. Go to Manage Jenkins, Configure Global Security
  22. Check “Enable security” if not already checked.

    (Screenshot: Jenkins OpenID Connect plug-in configuration for Azure AD)
  23. In Access Control, Security Realm select “Login with Openid Connect”
  24. In Client ID, specify the Application ID noted above.
  25. In Client secret, specify the Generated Password noted above
  26. In Token server url, specify the OAUTH 2.0 TOKEN ENDPOINT URL noted above
  27. In Authorization server url, specify the OAUTH 2.0 AUTHORIZATION ENDPOINT URL noted above
  28. In User name field, specify preferred_username
  29. Leave Token Field Key To Check and Token Field Value To Check empty.
  30. In FullName field name, specify name
  31. In “Email field name”, specify email, though I could not get the plug-in to use this value to fill the Jenkins profile.
  32. In “Scopes”, specify openid email profile
    1. Scopes specifies what information you are requesting. openid is required for authentication and profile is required to be able to access the preferred_username field. More info here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-tokens
  33. In the Authorization section, check “Logged-in users can do anything”. Disable “Allow anonymous read access”
    1. You can configure more complex authorization later; for now, just check that the OpenID login actually works.
  34. Log out of Jenkins; it should now redirect you to Microsoft for authentication
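When the login in step 34 fails or the Jenkins profile comes back empty, it helps to see what the plug-in is actually doing with the ID token: it must check the issuer, the audience (your Application ID) and the expiry, and then read the claims you mapped in steps 28 to 31. The following Python script is an added example, not part of the original guide or of the plug-in; it builds a constructed, unsigned token so it runs offline, and the issuer value and tenant id are assumptions (the guide gives only the Application ID).

```python
import base64
import json
import time

# Constructed values mirroring the guide: the Application ID it shows, and an Azure AD
# v2.0-style issuer whose tenant id is a placeholder (assumption, not from the guide).
CLIENT_ID = "1ae6997b-911c-4500-a3ae-e7ae278b8bc2"
ISSUER = "https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/v2.0"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _claims(id_token: str) -> dict:
    """Decode the JWT payload segment, restoring the base64url padding JWTs strip."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def make_unsigned_id_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) ID token for offline testing only.
    Real Azure AD tokens are RS256-signed; a relying party must never accept alg=none."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def id_token_problems(id_token: str, client_id: str, issuer: str, now=None) -> list:
    """Return why a relying party must reject this token's claims (empty list if it may
    accept them). Signature verification against the tenant's signing keys is the
    plug-in's job and is deliberately out of scope; only the payload is checked here."""
    now = int(time.time()) if now is None else now
    claims = _claims(id_token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch: token comes from a different tenant/endpoint")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("audience mismatch: token was not issued for this Application ID")
    if now >= int(claims.get("exp", 0)):
        problems.append("token expired")
    # Steps 28-30 read preferred_username and name; both come from the openid + profile
    # scopes, so a missing one usually means the Scopes field lost a value.
    for needed in ("preferred_username", "name"):
        if needed not in claims:
            problems.append(f"missing claim {needed!r}: check Scopes contains 'openid profile'")
    return problems

def jenkins_profile(id_token: str) -> dict:
    """Map claims to Jenkins profile fields exactly as steps 28-31 configure them."""
    claims = _claims(id_token)
    return {"username": claims["preferred_username"], "full_name": claims["name"],
            "email": claims.get("email")}  # arrives only when the email scope is granted
```

To inspect a real token captured from your own tenant, replace the constructed token with it and set ISSUER to the tenant's actual issuer; the checks and the field mapping stay the same.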