How Does Okta Integrate With Jenkins?

Captions
How does Okta integrate with Jenkins? You might be using local users in a Jenkins controller. Over time you find that becomes unmanageable, because most people have their identity defined within LDAP, Active Directory, or some other type of system. But even at that point, that level of identity management can start to fall down, because now I want to be able to manage access to my applications in one unified environment. That's where a tool like Okta comes into play. What we're going to talk about in this video is how to integrate Okta with Jenkins.

Here is today's starting point. I have a Jenkins LTS controller, version 2.303.2. When this controller was installed, it was installed using "Install suggested plugins". I also have an Okta account. I don't have a full Okta account, but I have an account that was set up through the Okta developer portal, and it gives me a preview sandbox. For what we're going to go through, the developer edition sandbox is all I really need, so if you want to follow along you can do this yourself; you'll just need to sign up for an account at developer.okta.com.

The first thing we need to do is install the SAML plugin on our Jenkins controller. Back on the controller: Manage Jenkins, Manage Plugins, Available, and type "saml". Check the checkbox for just the top one; we don't need "SAML Single Sign On", just "SAML". At the time of recording it is version 2.0.9. Click "Download now and install after restart". This should be pretty fast.

Now we're back in, so let's log in and take a look at what this admin user is right now, because this admin user is going to be replaced by a user within Okta, but I want to maintain certain things within my login. Notice up in the right-hand corner it says "Fred Admin". If we click into Fred Admin and click on Configure, what we see under Full Name is "Fred Admin", with a space. We want to maintain that going forward: I want my first name and last name to show up in Full Name, and I also want my email address to show up under Email. My login at this point is just "admin", and you'll see there is actually no "admin" showing up on this page; the user ID itself is admin. Moving forward, our user ID is going to be our email address, because that is how it's defined inside Okta. So let's click on Dashboard. We've done our restart and we have our SAML plugin installed, but we don't want to set up SAML just yet.

Let's go back into our Okta configuration and see what we have. Under Directory and People, I have two users: my account and a Joe Smith account. The email addresses look pretty similar because I'm using my account for both. Two users, both with passwords set up; all that's fine. Under Groups, Everyone is always there, and I have a "jenkins administrators" group and a "jenkins-users" group. We're not going to get very fancy: a simple administrators group that has full administrative privileges, which means we're going to be using some sort of authorization strategy, and then jenkins-users, which will just have access to do whatever that strategy allows. You can already see one person assigned to jenkins administrators, and that's just me at this point. Two people and two groups is all we need to start with; in fact we don't even need that, but we needed at least one user.

Now we need to set up our application within Okta. Go to Applications and click on Applications. These are the defaults that are here. We could browse the app catalog, search for Jenkins, find a Jenkins app and add it. However, the way that Jenkins application is written, it doesn't conform to the way we want to manage our users within Jenkins: it won't show us the full name, because the full name will be the login ID, and remember that for our full name we want the first name and last name. So we can't use that Jenkins application, which means we need to create our own app integration.

Click on Create App Integration, select SAML 2.0, and click Next. For the app name we'll say "Jenkins". If I had a logo I'd add one, but I don't. Leave the defaults for app visibility and click Next. The Single sign on URL is where everything comes together. The URL I'm adding is https://jenkins.planetpope.com/securityRealm/finishLogin. This endpoint is critical; if you get this wrong it's not going to work. It's the full URL of your controller, then /securityRealm/finishLogin, and note that securityRealm has an uppercase R and finishLogin has an uppercase L. That's our Single sign on URL. I'm also going to set an Audience URI, and I'm going to call it jenkins-users, all lowercase. It could be anything, but I'm just going to use jenkins-users. The Name ID format gets changed to EmailAddress; the help text says it identifies the SAML processing rules and constraints for the assertion subject statement, which is a lot of words, so just set it to EmailAddress. The Application username is going to be Okta username, and my Okta username is my email address. It's a little strange that "Okta username" means the email address, but that's how this account was set up.

We don't need to do anything under Show Advanced Settings, but here is what we do need to add: a couple of attribute statements. The first one is going to be named displayName, with the name format left as Unspecified, and we're going to take advantage of a feature available in Okta. If I click Learn More and open it in a new tab, it goes through defining attribute statements, and we could use the profile editor, but what we're really looking for is the Okta Expression Language, because we want to combine the first name and last name into a display name.

Let's go back into Okta for a moment and take a look at my user. Under Directory, People, if I open my profile, the username (login) is darin@planetpope.com, the first name is Darin, and the last name is Pope. There is a display name that I did set up, but it isn't really necessary; in fact I'm going to remove it, just to prove I'm not using it, and click Save. So the only fields I have right now in Okta for this user are the login, first name, last name and primary email; the login value is repeated because even though it's an email address, it's actually the login, not the email. We don't have an attribute that carries the full display name, even though there is a display name attribute, because I don't want Okta administrators to have to remember to enter a display name. What I want is to take the first name and last name, which I will almost always have, put them together, and use them within Jenkins. Before I can do that I need to pass it over to Jenkins, and that's what we're doing in this attribute statement.

Back in the attribute statement, the value goes back to the expression language. We can reference user attributes, and we can use the language to concatenate strings together. The value is String.join, where the first parameter is the delimiter for the concatenation, a space in our case, followed by user.firstName and user.lastName. I could continue adding more, and they would just be space-delimited. So the value is String.join(" ", user.firstName, user.lastName).

We're going to add one more attribute, called email, because we need to pass that over to our controller to fill the Email field. So we're filling in the display name and the email, and the value here is just user.email. Double-checking my notes, that looks good.

We also want to see the groups a user belongs to within our controller. To do that, under the group attribute statements, type in "group" as the name, the name format is Basic, and the filter is "Matches regex" with .*, meaning give me everything.

Recap: we added our Single sign on URL, which is the base URL of our Jenkins controller plus /securityRealm/finishLogin (uppercase R, uppercase L); an Audience URI of jenkins-users; a Name ID format of EmailAddress; an Application username of Okta username; two attribute statements, displayName with the value String.join(" ", user.firstName, user.lastName), and email with the value user.email; and finally a group attribute statement named group, name format Basic, filter Matches regex .*.

Scroll down and click Next. On the third tab, the Feedback tab, I'm going to choose "I'm an Okta customer adding an internal app", because this is an internal app, and click Finish.

Before we continue with the Sign On part, let's click on Assignments. I'm going to Assign to Groups, and for the moment assign it just to jenkins administrators. So right now the jenkins administrators group is assigned to the Jenkins application within Okta.

Finally, go to Sign On and scroll down to Identity Provider metadata. Open it in a new tab: we see some XML, sort of; do View Page Source and now we see all the XML. This is the value we need to copy into our buffer. So let's copy that and get ready to configure our Jenkins controller.

On the controller: Manage Jenkins, Configure Global Security. Here's something to think about when setting this up on Jenkins, so we don't lock ourselves out: if this is a live Jenkins controller, you might want people to log out, because you could impact their ability to log in and do work. We also don't want to leave "Anyone can do anything" open for very long, so this is a very quick setup until we get back to the correct authorization strategy. Under Authorization I'm going to select "Anyone can do anything" and click Save, just to have it done.

Now let's go back in and select SAML 2.0. Paste in that XML we copied, and make sure there are no stray spaces. Click "Validate IdP Metadata"; it shows the raw XML IdP metadata, just to make sure it's there; we see Validate spin, then Success. Looking pretty good. That's the first step; well, actually the first step was "Anyone can do anything", then we pasted in our IdP metadata and clicked Validate IdP Metadata.

Next is the Display Name Attribute. There's a value already there; cut it out and paste it into the Username Attribute field, because this will come from Okta when the handshake occurs, within the NameID, which references back to the ID within Okta. With that removed from Display Name Attribute, what should we put there? Remember the attribute we added called displayName; that's what we enter here, because we added that special attribute to string together the first name and the last name. To access groups the way we want, we change the Group Attribute to "group", and the Email Attribute is "email", because that's the attribute we created. Remember, we added two attributes, displayName and email; these two references refer to the two attributes we created in Okta, and "group" refers to the group attribute statement we added in Okta. We also added an Audience URI in Okta, and we need to do the same thing here. Click Advanced Configuration, because it's hidden underneath; the Audience URI maps to the SP Entity ID, which was jenkins-users, all lowercase. That's what we defined on the Okta side, so we define it the same way on the Jenkins side. From a configuration standpoint we're there. Make sure "Anyone can do anything" is still selected, just in case we mess up, and click Save.

We're still logged in as Fred Admin, because we were logged in as admin to make the changes. We set "Anyone can do anything", that's okay, and we've activated SAML, but since we're already logged in as Fred Admin and still within the session, it still sees Fred Admin. So let's log out. This looks weird because anyone can do anything, so everything's out in the open, but let's click Log in. What happens under the hood, because I'm already logged in to Okta, is that it signs in and comes back, and now we can see that Darin Pope is set up. If we click into this account we see a couple of things. First, on the dashboard for Darin Pope we see the groups I'm in, Everyone and jenkins administrators, which is true; those are the two groups my account is associated with. Under Configure, the Full Name is Darin Pope. I could change it here, but it would eventually be overwritten by whatever is defined in Okta, so it doesn't make sense to touch it here; the source of truth is Okta. The email address is the email attribute, much like the full name is the displayName attribute. So far so good. Under People we can see Fred is still defined, but there's no way to log in as Fred Admin anymore, because our authentication source is now Okta, not the Jenkins user database. I could go into admin and delete that user, and that's completely okay, because People is me and I'm the only one here.

Now we're ready to go back in and change our authorization strategy from "Anyone can do anything" to "Logged-in users can do anything", and uncheck "Allow anonymous read access". This is the default when you first set up a controller, and that's okay, but we're working our way towards a stronger authorization strategy, which we'll do with project-based matrix authorization in a moment. Basically we turned off all authorization to make sure our login worked, and now we're moving up one step: only logged-in users can do anything. Click Save, then click Log out.

We see the SAML logout page: "You've logged out of Jenkins. However, this has not logged you out of SAML. Have a nice day." That's fine, because I haven't set up a single sign-out process with Okta. That's a choice I've made; if you decide to have single sign-out as well as single sign-on, completely cool, it's just not what we're doing here. When I click Dashboard, because I'm still logged into Okta, I'm automatically logged back into my controller, and since I'm logged in and logged-in users can do anything, I can still see everything from a management standpoint.

Now we change our authorization strategy one more time: Configure Global Security, and select "Project-based Matrix Authorization Strategy". If you're a CloudBees CI customer, instead of matrix-based security or project-based matrix authorization strategy you'll be using CloudBees Role-Based Access Control. The concepts are basically the same, but the implementation is very different; if that's something you'd like to see, put a comment below this video.

In Project-based Matrix Authorization Strategy we want to add a group, and the group is our jenkins administrators group. So we don't mess up here, I haven't saved yet; I'll click away and leave without saving, click on my name, and copy "jenkins administrators" into my buffer. Back to Manage Jenkins, Configure Global Security, Project-based Matrix Authorization: Add user or group, paste it in, make sure there are no leading or trailing spaces, click OK, and select Overall/Administer, which grays out everything else on that row, because Overall/Administer overrides everything else. Click Save. It complains that no implementation of access control for builds is present; that's fine for what we're doing here. I'll log out, click Dashboard again, and make sure I can still log in and still see Manage Jenkins. From this perspective everything's fine.

Now let's add that second user. Remember, I have a second user defined inside Okta, Joe Smith, with this address. To make this work I go back to my controller and log out. This is where it gets interesting: I'm logged in as myself inside Okta, and that's what's causing me to authenticate naturally. What I need to do is go into my Jenkins application in Okta, and on the General tab grab the Embed Link; I could send this link to somebody to log in with. I open a private window and paste it in; it asks me to log in, which is what I want, for the Joe Smith account, so I'll grab my credentials for that user and log in (long password). And it says: "Sorry, you can't access Jenkins because you are not assigned this app in Okta." That's true: if you look at the Okta side, under Directory, Groups, we were going to assign jenkins-users to this application, but I don't have jenkins-users assigned to the app, or a person assigned to the group. So now I need to do all of that: Assign People, assign that account to jenkins-users; then assign the Jenkins application to the group. Now the jenkins-users group has one user and one application.

Back to the private window. If I refresh this page it's signing into Jenkins, but "this user is missing the Overall/Read permission". One more thing to fix, but at least we got over to our controller; now it's the authorization. Back in my controller, logged in as my real user: Manage Jenkins, Configure Global Security, Project-based Matrix Authorization, Add user or group, this one is jenkins-users, click OK. Unlike Overall/Administer, I'm just going to give them Overall/Read, and that's the only permission. Click Save, go back to the private window and refresh, and it drops us right into our controller. I can't do anything: I have Overall/Read, but there are no jobs and I don't have access to Manage Jenkins. But notice that I'm Joe Smith, which is what I want, logged in as that user ID with the full name and email address.

Why would you want to integrate Jenkins with Okta? When you're starting out in a small organization you may not have a lot of people, so maybe the user database within Jenkins is good enough. But as you add more people and you're having to manage them within your Jenkins controller as well as in your other systems, that's when you typically introduce integrations with something like LDAP or Active Directory. Even then, you want more controls around the applications that you allow your employees and contractors to access. That's where a platform such as Okta lets you assign users to groups and groups to applications, so that when they go into Okta they see all the applications they can use and can go to them without having to remember extra credentials. They go to one place, they log in, and they have the correct access to whatever applications they need via Okta.

If you have any questions or comments, you can reach out to us on Twitter at @cloudbeesdevs. If this video was helpful, give us a thumbs up, and if you haven't subscribed to CloudBees TV yet, take a moment to click the Subscribe button and ring the bell; you'll be notified any time there's new content on CloudBees TV. Thanks for watching, and we'll see you in the next video.
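As an added illustration, not part of the video and not code from the Jenkins SAML plugin or from Okta, the Python below walks through what the controller effectively checks when the assertion from Okta arrives at /securityRealm/finishLogin: the Destination matches the ACS URL, the Audience matches the SP Entity ID (jenkins-users), the displayName, email and group attribute statements are mapped onto Full Name, Email and groups, and the project-based matrix rows decide the Overall permission. The SAML response is a constructed sample carrying the tutorial's values (the login darin@planetpope.com is assumed from the controller domain shown in the video); signature verification, which the real plugin performs against the pasted IdP metadata, is deliberately left out so the mapping stays visible.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in the response and assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Jenkins-side settings from the video (Configure Global Security > SAML 2.0).
# The ACS URL is the controller URL plus /securityRealm/finishLogin.
JENKINS_SAML_CONFIG = {
    "acs_url": "https://jenkins.planetpope.com/securityRealm/finishLogin",
    "sp_entity_id": "jenkins-users",          # Advanced Configuration > SP Entity ID (Okta Audience URI)
    "display_name_attribute": "displayName",  # Okta value: String.join(" ", user.firstName, user.lastName)
    "email_attribute": "email",               # Okta value: user.email
    "group_attribute": "group",               # Okta group attribute statement, filter "Matches regex" .*
}

# Project-based matrix rows from the video: group name -> permission granted.
MATRIX = {
    "jenkins administrators": "Overall/Administer",
    "jenkins-users": "Overall/Read",
}

# Constructed sample response (unsigned; values mirror the user in the video).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://jenkins.planetpope.com/securityRealm/finishLogin">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">darin@planetpope.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>jenkins-users</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Darin Pope</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>darin@planetpope.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>Everyone</saml:AttributeValue>
        <saml:AttributeValue>jenkins administrators</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_user(xml_text, config):
    """Return the Jenkins user record this assertion would produce, or raise ValueError."""
    root = ET.fromstring(xml_text)

    # The response must be addressed to this controller's finishLogin endpoint.
    destination = root.get("Destination")
    if destination != config["acs_url"]:
        raise ValueError(f"Destination {destination!r} is not the ACS URL {config['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")

    # The Audience set in Okta must equal the SP Entity ID configured in Jenkins.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        raise ValueError(f"Audience {audiences} does not include SP Entity ID {config['sp_entity_id']!r}")

    # Collect attribute statements by Name; an attribute may carry several values (groups do).
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]

    def single(name):
        values = attrs.get(name, [])
        return values[0] if values else None

    # The username is the NameID, which Okta fills with the email address (Name ID format EmailAddress).
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    return {
        "username": name_id,
        "full_name": single(config["display_name_attribute"]) or name_id,
        "email": single(config["email_attribute"]),
        "groups": attrs.get(config["group_attribute"], []),
    }


def try_login(xml_text, config):
    """Wrap extract_user so a failed check comes back as (None, message) instead of an exception."""
    try:
        return extract_user(xml_text, config), None
    except ValueError as exc:
        return None, str(exc)


def overall_permission(groups, matrix):
    """Strongest Overall permission any of the user's groups grants, or None. None is the state
    Jenkins reported as 'missing the Overall/Read permission' before jenkins-users got a matrix row."""
    granted = {matrix[g] for g in groups if g in matrix}
    for perm in ("Overall/Administer", "Overall/Read"):
        if perm in granted:
            return perm
    return None


if __name__ == "__main__":
    user, error = try_login(SAMPLE_RESPONSE, JENKINS_SAML_CONFIG)
    print(user if user else error)
    print(overall_permission(user["groups"], MATRIX) if user else "no login")
```

Changing sp_entity_id to anything other than jenkins-users makes try_login return an Audience error, which is the mismatch the Advanced Configuration step guards against; a user whose only group is Everyone gets no Overall permission, matching what Joe Smith saw until jenkins-users was given Overall/Read.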
Info
Channel: CloudBeesTV
Views: 272
Keywords: darin pope, jenkins, jenkins tutorial, okta, saml, okta jenkins integration, jenkins okta integration, jenkins okta sso, jenkins saml okta, jenkins saml sso, jenkins saml authentication configuration, jenkins saml groups, jenkins saml plugin, single sign-on
Id: liaZpeTLDOc
Length: 29min 19sec (1759 seconds)
Published: Tue Oct 26 2021