Single sign on with SAML


Security Assertion Markup Language 2.0 (SAML) is a standard for signing users in to applications based on their sessions from another context. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:

  • No need to type in credentials

  • No need to remember and renew passwords

  • No weak passwords

SAML enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user. It uses security tokens containing assertions to pass information about an end user between

  • A SAML authority, named an Identity Provider, such as Okta or OneLogin, and

  • A SAML consumer, such as the CloudBees CD/RO services

To view the current configuration or to create a new one, open the Single Sign-On page: select Administration > Configurations > SSO configurations from the main menu. The Single Sign-On page displays.

Looking for Kerberos SSO information instead? See Configuring Kerberos SSO.

Configuring SAML SSO

SAML does not require configuration that is specific to CloudBees CD/RO. However, you must configure CloudBees CD/RO itself to enable SAML.

Creating a SAML service provider

To use SAML single sign-on, you must create a SAML service provider. In this case, the service provider is the CloudBees CD/RO application; set it up for the CloudBees CD/RO server and the CloudBees CD/RO web server components.

To get started, from the main menu navigate to Administration > Configurations > SSO configurations and select Enable SAML SSO from the Edit SSO Configuration list.

  1. Select the Add service provider button in the Service provider section.

    The Add service provider dialog displays. Enter the details for the new service provider as follows:

    Web Server URL
        URL for the service provider host.

    Entity ID
        Service provider entity ID (usually a URI).

    Assertion Consumer Service Endpoint
        Location at the service provider to which the SSO tokens are sent. This location accepts <samlp:Response> messages (or SAML artifacts) for the purpose of establishing a session based on an assertion. It refers to an HTTP resource (often a virtual one) on a web site that processes SAML protocol messages and returns a cookie representing the information extracted from the message. For example, https://sp.example.org/CB.sso/SAML2/POST.

    Single Logout Service Endpoint
        URL of the single logout service endpoint for the service provider.

    AuthnRequestsSigned
        Check to include AuthnRequestsSigned="true" in the service provider metadata descriptor; leave unchecked to include AuthnRequestsSigned="false".

    WantAssertionsSigned
        Check to include WantAssertionsSigned="true" in the service provider metadata descriptor; leave unchecked to include WantAssertionsSigned="false".

    Public Certificate and Private Key:

    Service Provider Public X.509 certificate (same certificate for signing and encryption)
        Service provider's public certificate.

    SP Private Key
        Service provider's private key.

    Passphrase
        Passphrase used for the service provider's private key.

    Service Provider Metadata:

    Sign Service Provider Metadata
        If checked, sign the service provider metadata.

  2. Select Save Changes. The new service provider appears in the list of service providers in the Service Provider subtab.
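The dialog fields above map onto attributes and elements of the SP's SAML 2.0 metadata descriptor. The following added example (not CloudBees CD/RO code) builds such a descriptor from those fields and then reads it back to report the settings a reviewer checks before handing the metadata to an identity provider. The entity ID, endpoint URLs and certificate text are constructed placeholders; the element and attribute names are the standard SAML metadata ones.

```python
"""Build and inspect a SAML 2.0 service provider (SP) metadata descriptor.

Added example, not CloudBees CD/RO code. Field names mirror the Add service
provider dialog; the entity ID, URLs and certificate text are constructed
placeholders.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def build_sp_metadata(entity_id, acs_url, slo_url, cert_base64,
                      authn_requests_signed=True, want_assertions_signed=True):
    """Return an unsigned SP EntityDescriptor as an XML string.

    cert_base64 is the base64 body of the SP's X.509 certificate (the PEM
    without its BEGIN/END lines), i.e. the dialog's public certificate.
    """
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "protocolSupportEnumeration": SAML2_PROTOCOL,
        # The two checkboxes in the dialog become these boolean attributes.
        "AuthnRequestsSigned": str(authn_requests_signed).lower(),
        "WantAssertionsSigned": str(want_assertions_signed).lower(),
    })
    # A KeyDescriptor with no `use` attribute advertises the certificate for
    # both signing and encryption, matching the dialog's single certificate.
    key_info = ET.SubElement(ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor"),
                             f"{{{DS_NS}}}KeyInfo")
    x509 = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = cert_base64
    ET.SubElement(sp, f"{{{MD_NS}}}SingleLogoutService",
                  {"Binding": REDIRECT_BINDING, "Location": slo_url})
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  {"Binding": POST_BINDING, "Location": acs_url,
                   "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def check_sp_metadata(xml_text):
    """Read a descriptor back and report the settings worth reviewing."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = sp.find(f"{{{MD_NS}}}AssertionConsumerService")
    acs_url = acs.get("Location", "") if acs is not None else ""
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs_url,
        # WantAssertionsSigned="true" tells the IdP this SP requires signed
        # assertions; a reviewer normally expects both flags to be true.
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs_is_https": acs_url.startswith("https://"),
        "has_certificate": sp.find(f".//{{{DS_NS}}}X509Certificate") is not None,
    }


if __name__ == "__main__":
    xml_text = build_sp_metadata(
        entity_id="https://cd.example.com/sp",                # constructed
        acs_url="https://cd.example.com/CB.sso/SAML2/POST",   # constructed
        slo_url="https://cd.example.com/CB.sso/SAML2/SLO",    # constructed
        cert_base64="MIIC...PLACEHOLDER...")
    print(xml_text)
    print(check_sp_metadata(xml_text))
```

Run it as a script to see the generated descriptor and the findings dictionary; `check_sp_metadata` also works on the metadata CD/RO exports, so it can confirm that the flags and ACS URL you configured are the ones the identity provider will receive.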

Configuring a SAML identity provider

You can configure one or more SAML identity providers. These include identity providers such as Okta, OneLogin, SiteMinder, or Active Directory Federation Services (ADFS).

To get started, navigate to Administration > Configurations > SSO configurations and select Enable SAML SSO from the Edit SSO Configuration list.

The Identity providers section shows a list of the existing SAML identity provider configurations.

  1. Select the Add identity provider button in the Identity providers section.

    The Add identity provider dialog displays.

  2. Enter the details for the identity provider as follows:

    IDP Name
        Name of the SAML identity provider.

    Enable identity provider
        If checked, this connector is enabled and any previously enabled identity provider is disabled.

    Description
        Comment text describing this object. CloudBees CD/RO does not interpret it.

    IDP Metadata XML File
        Name of the file containing metadata for this SAML identity provider. The identity provider provides this file when you configure a CloudBees SAML SSO application on their site. See Example: configuring an Okta IDP integration.

  3. Select Save Changes.

    The new identity provider appears in the list of identity providers in the Identity Provider subtab.

Example: configuring an Okta IDP integration

This section demonstrates how to create a SAML SSO application integration for your CloudBees CD/RO environment on the Okta identity platform.

Steps in this section take place on the Okta platform.

Prerequisites
  • An active Okta account.

  • Your Okta account populated with user names.

  • A SAML SSO service provider configured on your CloudBees CD/RO server.

Create the integration
  1. Sign in to your Okta account and navigate to the Applications dashboard.

  2. Select Create App Integration. The Create a new app integration dialog displays.

  3. Select SAML 2.0 as the Sign-on method and select Next. The Create SAML Integration page displays with the General Settings tab active.

  4. Enter general settings for your integration and select Next. The Configure SAML tab activates.

  5. On the Configure SAML tab, enter the following:

    • Single sign on URL: Use the value from the Single sign on URL field of the CloudBees CD/RO SAML SSO service provider configuration.

    • Audience URI: Use the value from the Audience URI field of the CloudBees CD/RO SAML SSO service provider configuration.

    • Attribute statements: create four, with Name and Value as follows:

      FirstName: user.firstName
      LastName: user.lastName
      Email: user.email
      Login: user.login

  6. Select Next.

Download provider metadata
  1. Navigate to the Applications dashboard on the Okta platform.

  2. Select the application you just created. The application’s settings page displays.

  3. Select the Sign On tab to display the Sign on methods page.

  4. Select the Identity Provider metadata link: the metadata XML file displays. Copy and paste it into a file.

  5. Enter this filename into the IDP Metadata XML file field of the CloudBees CD/RO SAML SSO Identity Provider configuration and select Save Changes.
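Before entering the downloaded file in the IDP Metadata XML File field, it is worth checking that it is IdP (not SP) metadata, that it carries a signing certificate, and that its sign-on endpoints use HTTPS. The following added example (not CloudBees CD/RO or Okta code) does that with the Python standard library. `SAMPLE_IDP_METADATA` is a constructed stand-in for what the Identity Provider metadata link returns: the entity ID, URLs and certificate body are placeholders, while the element names, bindings and the `WantAuthnRequestsSigned` attribute are the standard SAML metadata ones.

```python
"""Inspect an IdP metadata file before loading it into CD/RO.

Added example, not CloudBees CD/RO or Okta code. SAMPLE_IDP_METADATA is a
constructed stand-in for the file the Identity Provider metadata link
returns; its entity ID, URLs and certificate are placeholders.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDPLACEHOLDERCERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the IdP settings the SP relies on, plus a list of problems."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}
    # A KeyDescriptor with use="signing", or with no `use` attribute at all,
    # carries a certificate the SP will trust for assertion signatures.
    signing_certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                signing_certs.append((cert.text or "").strip())

    problems = []
    if not signing_certs:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    for binding, location in sso.items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {location}")
    if POST_BINDING not in sso and REDIRECT_BINDING not in sso:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService")

    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": sso.get(POST_BINDING),
        "sso_redirect_url": sso.get(REDIRECT_BINDING),
        "signing_certs": signing_certs,
        # If true, the IdP expects AuthnRequestsSigned on the CD/RO service provider.
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "problems": problems,
    }


if __name__ == "__main__":
    import json
    import sys
    # Pass the saved metadata file as the first argument; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    print(json.dumps(parse_idp_metadata(text), indent=2))
```

Run it with the path of the file you saved in step 4; an empty `problems` list and exactly the certificate Okta shows on the Sign On tab are what you want to see before saving the configuration.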

Configuring automatic registration of SAML Groups for SSO

This feature is available starting with CloudBees CD/RO Preview v2021.06.00.

Optionally, instead of configuring directory providers, you can have CloudBees Software Delivery Automation automatically register users when the SSO identity provider authenticates them.

To do this, navigate to Administration > Server settings > Security settings and set Auto register SSO users to Enabled.

You can also set the Group claim SAML attribute delimiter to one appropriate to your environment. The default delimiter is a comma.
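The following added example (not CloudBees CD/RO code) shows what auto-registration has to read from an assertion and why the group claim delimiter matters. It extracts the four attributes configured in the Okta attribute statements above (FirstName, LastName, Email, Login) and a group claim, then splits the group claim on a configurable delimiter. The attribute name "Groups" for the group claim is an assumption, and the AttributeStatement is a constructed sample in which one group name contains a comma, so the default delimiter breaks it apart while a semicolon keeps it whole. The code runs on an AttributeStatement that the SAML library has already signature-checked; it performs no validation of its own.

```python
"""Read user attributes from a SAML assertion and split the group claim.

Added example, not CloudBees CD/RO code. FirstName, LastName, Email and
Login follow the Okta attribute statements configured above; "Groups" is an
assumed name for the group claim, and the statement below is a constructed
sample. This runs on an AttributeStatement the SAML library has already
signature-checked; it does no validation itself.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Ada</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="LastName"><saml2:AttributeValue>Lovelace</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Email"><saml2:AttributeValue>ada@example.com</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Login"><saml2:AttributeValue>ada</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="Groups">
    <saml2:AttributeValue>cd-admins;Release, Engineering;cd-viewers</saml2:AttributeValue>
    <saml2:AttributeValue>cd-auditors</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""


def extract_attributes(xml_text):
    """Map each Attribute Name to its list of AttributeValue strings."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        attrs[attr.get("Name")] = [
            (v.text or "").strip()
            for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return attrs


def split_groups(values, delimiter=","):
    """Split every group-claim value on the delimiter; keep order, drop duplicates."""
    groups = []
    for value in values:
        for name in value.split(delimiter):
            name = name.strip()
            if name and name not in groups:
                groups.append(name)
    return groups


def build_user_record(attrs, group_attribute="Groups", group_delimiter=","):
    """Build the record auto-registration would create from the attributes."""
    missing = [n for n in ("FirstName", "LastName", "Email", "Login") if not attrs.get(n)]
    if missing:
        raise ValueError(f"assertion is missing required attributes: {missing}")
    return {
        "login": attrs["Login"][0],
        "first_name": attrs["FirstName"][0],
        "last_name": attrs["LastName"][0],
        "email": attrs["Email"][0],
        "groups": split_groups(attrs.get(group_attribute, []), group_delimiter),
    }


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    # With the default comma delimiter the group "Release, Engineering" is
    # split into two bogus names; a semicolon delimiter keeps it whole.
    print(build_user_record(attrs)["groups"])
    print(build_user_record(attrs, group_delimiter=";")["groups"])
```

The lesson is the delimiter choice: pick a character that never occurs inside a group name at your identity provider, otherwise a user can end up mapped to group names that exist nowhere, and any access control tied to the real group name silently fails to apply.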

Managing access control

The access control functionality in CloudBees CD/RO determines who can modify the single sign-on configuration settings for Kerberos and SAML.

To get started, navigate to Administration > Configurations > SSO configurations and select the Access Control button. The Access Control settings display.

Review the Privileges and Inherited Privileges sections and change them as needed.

End-User sign in

For information about how end users sign in to CloudBees Software Delivery Automation using single sign-on, see Signing in to CloudBees Software Delivery Automation.