Setting up Jenkins with Azure AD Authentication

Configuring Azure AD

Run the following command in the Azure CLI to create a service principal:

az ad sp create-for-rbac --name="{NAME}" --role="Contributor" --scope="/subscriptions/{SUBSCRIPTION_ID}" --years=100

Save the output generated, as you’ll use it for configuration in Jenkins.

Set the Reply URL of the application to https://YOURHOST/securityRealm/finishLogin

Set Required Permissions in Azure Active Directory to:

  • Application Permissions (Read Directory Data)
  • Delegated Permissions (Read Directory Data)

Click on ‘Grant permissions’.

If planning to use an Azure AD group for authorization, create one now.

Configuring Jenkins

Download the ‘Azure AD’ plugin, and restart after installation.

Go to Manage Jenkins → Configure Global Security.

Select ‘Enable Security’ if it isn’t already selected.

Under ‘Security Realm’, select ‘Azure Active Directory’, and fill the information:

  • Client ID – ‘appId’
  • Client Secret – ‘password’
  • Tenant – ‘tenant’

Use the verify button to confirm that Jenkins can reach the application with these settings.

Set Authorization to ‘Azure Active Directory Matrix-based security’.

Set the Group to the Azure AD group you created earlier, and assign it the appropriate permissions.

Verify by logging out and logging back in as an Azure AD user.

Troubleshooting

If you accidentally lock yourself out after enabling Azure AD, do the following:

SSH into the server.

Modify the config.xml file:

sudo nano /var/lib/jenkins/config.xml

  • For the useSecurity item, change the value to ‘false’.
  • Remove the authorizationStrategy and securityRealm sections.

Restart Jenkins:

sudo systemctl restart jenkins

Jenkins is now completely unprotected, so return to the security configuration you were working on and finish it.
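The same recovery edit, scripted as an added example (this is not code from the original post): it backs up config.xml, flips useSecurity to false and removes the authorizationStrategy and securityRealm blocks, and a second function checks the result before you restart. The config.xml path, the standard layout with those three elements directly under <hudson>, and the sample configuration the script can write are assumptions; the class names and IDs in the sample are illustrative, not taken from a real install.

```shell
#!/bin/sh
# Added example, not part of the original post: script the lockout-recovery
# edit from the Troubleshooting section (useSecurity -> false, drop the
# <authorizationStrategy> and <securityRealm> blocks) with a timestamped
# backup instead of hand-editing config.xml in nano.
# Assumes the standard Jenkins config.xml layout where those three elements
# are direct children of <hudson>. The sample config below is constructed.

# Disable security in the given config.xml; keeps a backup next to it.
jenkins_disable_security() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "config not found: $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$cfg.tmp.$$"
    awk '
        BEGIN { tags[1] = "authorizationStrategy"; tags[2] = "securityRealm"; skip = "" }
        {
            # Inside a block being removed: drop lines until its closing tag.
            if (skip != "") {
                if (index($0, "</" skip ">") > 0) skip = ""
                next
            }
            # Flip the security flag in place.
            if ($0 ~ /<useSecurity>true<\/useSecurity>/) {
                sub(/<useSecurity>true<\/useSecurity>/, "<useSecurity>false</useSecurity>")
                print
                next
            }
            # Start of a block to remove: one-line (self-closing, or opened and
            # closed on the same line) or the first line of a multi-line block.
            for (i = 1; i <= 2; i++) {
                tag = tags[i]
                if ($0 ~ ("<" tag "[ >]")) {
                    if ($0 ~ ("</" tag ">") || $0 ~ /\/>[ \t]*$/) next
                    skip = tag
                    next
                }
            }
            print
        }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Return 0 when the file no longer enforces security (post-edit check).
jenkins_security_disabled() {
    cfg="$1"
    grep -q '<useSecurity>false</useSecurity>' "$cfg" &&
    ! grep -q '<authorizationStrategy' "$cfg" &&
    ! grep -q '<securityRealm' "$cfg"
}

# Write a constructed sample config.xml (Azure AD realm plus matrix strategy)
# to the given path, for trying the script outside a real Jenkins install.
# Class names, IDs and tenant are illustrative placeholders.
jenkins_write_sample_config() {
    cat > "$1" <<'EOF'
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <version>2.x</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="example.AzureAdMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:example-group-id</permission>
  </authorizationStrategy>
  <securityRealm class="example.AzureSecurityRealm">
    <clientId>00000000-0000-0000-0000-000000000000</clientId>
    <tenant>example.onmicrosoft.com</tenant>
  </securityRealm>
  <numExecutors>2</numExecutors>
</hudson>
EOF
}
```

On a locked-out server, run it as `jenkins_disable_security /var/lib/jenkins/config.xml && jenkins_security_disabled /var/lib/jenkins/config.xml && sudo systemctl restart jenkins`. The timestamped backup is what lets you restore the Azure AD realm and matrix settings once the lockout is sorted out, rather than reconfiguring them from scratch.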
