Single sign-on with OpenID Connect


OpenID Connect (OIDC) 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows CloudBees Software Delivery Automation to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. It uses security tokens containing assertions to pass information about an end user between the following:

  • An OIDC identity provider, such as Okta.

  • An OIDC service provider, such as the CloudBees Software Delivery Automation server.

View current configurations or create a new one using the SSO configurations UI, available from CloudBees CD/RO:

  1. From the CloudBees navigation, select CloudBees CD/RO.

  2. From the main menu, go to Administration > Configurations > SSO configurations. The Single Sign-On page displays.

Configuring OpenID Connect SSO

OpenID Connect does not require configuration that is specific to CloudBees Software Delivery Automation. However, you must configure CloudBees Software Delivery Automation itself to enable OIDC.

Creating an OIDC service provider

Before creating an OIDC service provider on CloudBees Software Delivery Automation, you must have an OpenID Connect app integration created with an identity provider such as Okta. Refer to Configuring a new OpenID Connect app integration for an example using Okta.

To use OIDC single sign-on, you must create an OIDC service provider. In this case, the service provider is CloudBees Software Delivery Automation; set it up for the CloudBees Software Delivery Automation server and the CloudBees Software Delivery Automation web server components.

To get started:

  1. From the main menu, navigate to Administration > Configurations > SSO configurations.

  2. Select Enable Open ID Connect SSO from the Edit SSO Configuration list.

  3. Scroll to the Open ID Connect configuration section and select the Add Open ID Connect configuration button in the Open ID Connect configurations box.

    The New Open ID Connect dialog displays.

  4. Enter the details for the new configuration as follows:

    Item / Description

    OpenID Connect configuration name

    The name of the OpenID Connect identity provider. This is a user-defined string used to identify this configuration.

    Enabled checkbox

    Determines whether this OpenID Connect configuration is enabled. Uncheck to disable the configuration. Defaults to enabled.

    Description

    User-defined description for this provider.

    SSO Provider

    Select the SSO provider from the dropdown menu.

    Web Server URL

    The web server URL to which the identity provider, such as Okta, sends a response after processing the request from CloudBees Software Delivery Automation.

    Configuration URL

    The OpenID Connect identity provider’s well-known configuration endpoint. If specified, the other endpoints are dynamically discovered when Refresh configuration (below) is set to true. If using the Okta identity provider, it is in the following form:

    <Okta domain>/oauth2/default

    where <Okta domain> is the value of the Okta domain field from the Okta application’s dashboard.

    Enable single logout checkbox

    Determines whether the user will be logged out from the OIDC provider when the user logs out of CloudBees Software Delivery Automation. Defaults to disabled.

    Logout endpoint

    URL for the logout endpoint. Applicable if Enable single logout (above) is checked. If using the Okta identity provider, it is in the following form:

    <Okta domain>/oauth2/default/v1/logout

    Authorization endpoint

    URL for the authorization endpoint. If using the Okta identity provider, this is the value of the Authorization endpoint field from the Okta application’s dashboard, and it is in the following form:

    <Okta domain>/oauth2/default/v1/authorize

    Token endpoint

    URL for the token endpoint. If using the Okta identity provider, it is in the following form:

    <Okta domain>/oauth2/default/v1/token

    JWK provider endpoint

    URL for the JWK keys endpoint. If using the Okta identity provider, it is in the following form:

    <Okta domain>/oauth2/default/v1/keys

    Refresh configuration

    Indicates whether endpoint attributes such as authorizationEndpoint and tokenEndpoint, and other configuration details, should be updated from the configurationURL. If true, configurationURL must be set. Defaults to false.

    Client ID

    The value used to uniquely identify the SDA server with the OIDC identity provider. If using the Okta identity provider, this is the value of the Client ID field on the Okta application’s dashboard.

    Client secret

    The secret used to request the token ID from the OIDC identity provider for authentication. If using the Okta identity provider, this is the value of the Client secret field on the Okta application dashboard.

    Claim names in the token ID for obtaining user information:

    User name

    Claim name in the token ID used to retrieve the user name. Defaults to sub.

    User full name

    Claim name in the token ID used to retrieve the user’s full name. Defaults to name.

    User email

    Claim name in the token ID used to retrieve the user’s email. Defaults to email.

    User groups

    Claim name in the token ID used to retrieve the groups that the user belongs to. Defaults to groups.

  5. Select Save Changes.

    The new configuration appears in the list of OpenID Connect configurations in the Open ID Connect configurations section.

Configuring a new OpenID Connect app integration

This section demonstrates how to create an OIDC SSO application integration for your CloudBees Software Delivery Automation environment. Steps in this section take place on the Okta platform. These instructions are for example purposes only and may not reflect the current Okta UI. Refer to the Okta documentation for instructions on how to use Okta.

Prerequisites
  • An active Okta account populated with user names.

Create the integration
  1. Sign in to the Okta account and navigate to the Applications dashboard.

  2. Select Create App Integration. The Create a new app integration dialog displays.

  3. Configure the following:

    • Sign-on method: OIDC - OpenID Connect

    • Application type: Web Application

      Figure 1. Creating a new OIDC app integration
  4. Select Next. The New Web App Integration page displays.

  5. Enter the following information:

  6. Select Save.

    The page displays information for the Sample OIDC APP created in the last step. The General Settings tab is active. Note the values in the following fields; you will need them to create the OpenID Connect SSO configuration on the CloudBees Software Delivery Automation server:

    • Client ID

    • Client secret

    • Okta domain

    Figure 2. Application information
  7. Select the Assignments tab and assign people to this application.

Now, you are ready to create an OIDC service provider on the CloudBees Software Delivery Automation server. Refer to Creating an OIDC service provider for details.

How users sign in using single sign-on

For information about how end users sign in to CloudBees Software Delivery Automation using single sign-on, see Signing in to CloudBees Software Delivery Automation.