OpenID Connect (OIDC) 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows CloudBees Software Delivery Automation to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. It uses security tokens containing assertions to pass information about an end user between the following:
An OIDC identity provider, such as Okta.
An OIDC service provider, such as the CloudBees Software Delivery Automation server.
View current configurations or create a new one using the SSO configurations UI, available from CloudBees CD/RO:
From the CloudBees navigation, select CloudBees CD/RO.
From the main menu, go to. The Single Sign-On page displays.
OpenID Connect does not require configuration that is specific to CloudBees Software Delivery Automation. However, you must configure CloudBees Software Delivery Automation itself to enable OIDC.
Before creating an OIDC service provider on CloudBees Software Delivery Automation, you must have an OpenID Connect app integration created with an identity provider such as Okta. Refer to Configuring a new OpenID Connect app integration for an example using Okta.
To use OIDC single sign-on, you must create an OIDC service provider. In this case, the service provider is CloudBees Software Delivery Automation; set it up for the CloudBees Software Delivery Automation server and the CloudBees Software Delivery Automation web server components.
To get started:
From the main menu, navigate to.
Select Enable Open ID Connect SSO from the Edit SSO Configuration list.
Scroll to the Open ID Connect configuration section and select the Add Open ID Connect configuration button in the Open ID Connect configurations box.
The New Open ID Connect dialog displays.
Enter the details for the new configuration as follows:
OpenID Connect configuration name
The name of the OpenID Connect identity provider. This is a user-defined string used to identify this configuration.
Determines whether this OpenID Connect configuration is enabled. Uncheck to disable the configuration. Defaults to
User-defined description for this provider.
Select the SSO provider from the dropdown menu.
Web Server URL
The web server URL to which the identity provider, such as Okta, sends a response after processing the request from CloudBees Software Delivery Automation.
The OpenID Connect identity provider’s well-known configuration endpoint. If specified, the other endpoints are dynamically discovered when Refresh configuration (below) is set to true. If using the Okta identity provider, it is in the following form:
<Okta domain> is the value of the Okta domain field from the Okta application’s dashboard.
Enable single logout checkbox
Determines whether the user will be logged out from the OIDC provider when the user logs out of CloudBees Software Delivery Automation. Defaults to
URL for the logout end-point. Applicable if Enable single logout (above) is checked. If using the Okta identity provider, it is in the following form:
URL for the authorization endpoint. If using the Okta identity provider, this is the value of the Authorization endpoint field from the Okta application’s dashboard. If using the Okta identity provider, it is in the following form:
URL for the token endpoint. If using the Okta identity provider, it is in the following form:
JWK provider endpoint
URL for the JWK key’s endpoint. If using the Okta identity provider, it is in the following form:
Indicates whether the endpoint attributes such as authorizationEndpoint, tokenEndpoint and other configuration details should be updated using the configurationURL. If true, then configurationURL must be set. Defaults to
The value used to uniquely identify the SDA server with the OIDC identity provider. If using the Okta identity provider, this is the value of the Client ID field on the Okta application’s dashboard.
The secret used to request the ID token from the OIDC identity provider for authentication. If using the Okta identity provider, this is the value of the Client secret field on the Okta application dashboard.
Claim names in the ID token for obtaining user information:
Claim name in the ID token used to retrieve the user name. Defaults to
User full name
Claim name in the ID token used to retrieve the user’s full name. Defaults to
Claim name in the ID token used to retrieve the user’s email. Defaults to
Claim name in the ID token used to retrieve the groups that the user belongs to. Defaults to
Select Save Changes.
The new configuration appears in the list of OpenID Connect configurations in the Open ID Connect configurations section.
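The two behaviours the configuration above relies on, endpoint discovery when Refresh configuration is true and reading user attributes from the ID token through configurable claim names, as an added example that is not CloudBees code. It assumes a constructed discovery document with placeholder Okta URLs and a constructed client ID and claim names (the product's defaults are not reproduced here); JWT signature verification against the JWK endpoint is left out, and only the issuer, audience, expiry and claim-mapping checks are shown.

```python
import json
import time

# Constructed discovery document in the shape a provider such as Okta serves
# at its well-known configuration endpoint (host is a placeholder).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://<Okta domain>/oauth2/default",
    "authorization_endpoint": "https://<Okta domain>/oauth2/default/v1/authorize",
    "token_endpoint": "https://<Okta domain>/oauth2/default/v1/token",
    "jwks_uri": "https://<Okta domain>/oauth2/default/v1/keys",
    "end_session_endpoint": "https://<Okta domain>/oauth2/default/v1/logout",
})

ENDPOINT_KEYS = ("issuer", "authorizationEndpoint", "tokenEndpoint",
                 "jwkProviderEndpoint", "logoutEndpoint")

def resolve_endpoints(cfg, fetch):
    """Apply the Refresh configuration rule: when true, configurationURL must
    be set and the endpoints come from the document it returns; when false
    the explicitly configured endpoints are used. fetch(url) returns the body."""
    if not cfg.get("refreshConfiguration"):
        return {k: cfg.get(k) for k in ENDPOINT_KEYS}
    if not cfg.get("configurationURL"):
        raise ValueError("refreshConfiguration=true requires configurationURL")
    doc = json.loads(fetch(cfg["configurationURL"]))
    return {"issuer": doc["issuer"],
            "authorizationEndpoint": doc["authorization_endpoint"],
            "tokenEndpoint": doc["token_endpoint"],
            "jwkProviderEndpoint": doc["jwks_uri"],
            "logoutEndpoint": doc.get("end_session_endpoint")}

def map_user(claims, cfg, issuer, now=None):
    """Reject an ID token that was not issued for this configuration (wrong
    issuer, audience without our client ID, or expired), then read the user
    attributes through the configured claim names."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if cfg["clientId"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not include this client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    user_name = claims.get(cfg["userNameClaim"])
    if not user_name:
        raise ValueError("user name claim %r missing" % cfg["userNameClaim"])
    return {"userName": user_name,
            "fullName": claims.get(cfg["fullNameClaim"]),
            "email": claims.get(cfg["emailClaim"]),
            "groups": list(claims.get(cfg["groupsClaim"]) or [])}
```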
This section demonstrates how to create an OIDC SSO application integration for your CloudBees Software Delivery Automation environment. Steps in this section take place on the Okta platform. These instructions are for example purposes only and may not reflect the current Okta UI. Refer to the Okta documentation for instructions on how to use Okta.
An active Okta account populated with user names.
- Create the integration
Sign in to the Okta account and navigate to the Applications dashboard.
Select Create App Integration. The Create a new app integration dialog displays.
Configure the following:
OIDC - OpenID Connect
Web Application
Figure 1. Creating a new OIDC app integration
Select Next. The New Web App Integration page displays.
Enter the following information:
App integration name: Enter a name for the app integration; `Sample OIDC App` is used here.
Sign-out redirect URIs: Enter `https://<CD-ServerIP>/commander/logout.php`; `https://localhost:8080/commander/logout.php` is used here.
Assignments: Allow everyone in your organization to access.
The page displays information for the Sample OIDC App created in the last step. The General Settings tab is active. Note the values in the following fields; you will need them to create the OpenID Connect SSO configuration on the CloudBees Software Delivery Automation server:
Figure 2. Application information
Select the Assignments tab and assign people to this application.
Now, you are ready to create an OIDC service provider on the CloudBees Software Delivery Automation server. Refer to Creating an OIDC service provider for details.
For information about how end users sign in to CloudBees Software Delivery Automation using single sign-on, see Signing in to CloudBees Software Delivery Automation.