Security Assertion Markup Language 2.0 (SAML) is a standard for signing users in to an application on the strength of an authenticated session they already hold with another party, the identity provider. This single sign-on (SSO) standard has significant advantages over logging in with a username and password held by the application:
No need to type in credentials
No need to remember and renew passwords
No application-specific passwords, so no weak ones for an attacker to guess
SAML enables web-based, cross-domain single sign-on (SSO), which reduces the administrative overhead of issuing a separate authentication token to the user for each application. It uses security tokens containing assertions to pass information about an end user between
A SAML authority, named an Identity Provider, such as Okta or OneLogin, and
A SAML consumer, such as the CloudBees CD/RO services
To view the current configuration or to create a new one, open the Single Sign-On page from the main menu. The Single Sign-On page displays.
|Looking for Kerberos SSO information instead? See Configuring Kerberos SSO.|
Nothing in the SAML protocol itself is specific to CloudBees CD/RO. However, you must configure CloudBees CD/RO itself to enable SAML.
To use SAML single sign-on, you must create a SAML service provider. In this case, the service provider is the CloudBees CD/RO application; set it up for both the CloudBees CD/RO server and the CloudBees CD/RO web server components.
To get started, open the Single Sign-On page from the main menu and select Enable SAML SSO from the Edit SSO Configuration list.
Select the Add service provider button in the Service provider section.
The Add service provider dialog displays. Enter the details for the new service provider as follows:
Web Server URL: URL for the service provider host.
Service provider entity ID (usually a URI). This value is the audience the identity provider writes into its assertions; Okta labels it Audience URI.
Assertion Consumer Service Endpoint: Location at the service provider to which the SSO tokens are sent. This location accepts
Single Logout Service Endpoint: URL of the single logout service endpoint for the service provider.
AuthnRequestsSigned: Check to write AuthnRequestsSigned="true" into the service provider descriptor (unchecked writes "false"). This declares to the identity provider that CloudBees CD/RO signs its authentication requests.
WantAssertionsSigned: Check to write WantAssertionsSigned="true" into the service provider descriptor (unchecked writes "false"). This declares to the identity provider that CloudBees CD/RO requires signed assertions. Leave it checked: an unsigned assertion cannot be tied to the identity provider, so accepting one means accepting a forged login.
Public Certificate and Private Key
Service Provider Public X.509 certificate: The service provider's public certificate. The same certificate is used for signing and encryption.
SP Private Key: The service provider's private key.
Passphrase used for the service provider's private key.
Service Provider Metadata
Sign Service Provider Metadata: If checked, sign the service provider metadata.
Select Save Changes. The new service provider appears in the list of service providers in the Service Provider subtab.
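The fields above map directly onto the SAML 2.0 SPSSODescriptor that the identity provider consumes. The following is an added example, not CloudBees CD/RO code, of assembling that descriptor from the dialog's values and reading the security-relevant settings back out so they can be checked before the file is handed to an identity provider. The host names and the certificate are constructed placeholders; the element names, attribute names and binding URIs are those of the SAML 2.0 metadata standard.

```python
"""Assemble SAML 2.0 service provider metadata from the values in the Add service provider dialog.

Added example, not CloudBees code: the URLs and the certificate below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def pem_to_b64(pem: str) -> str:
    """Strip the BEGIN/END armour and line breaks: metadata carries bare base64."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def build_sp_metadata(entity_id, acs_url, slo_url, cert_pem,
                      authn_requests_signed=True, want_assertions_signed=True):
    # Browsers POST assertions to the ACS and are redirected to the SLO endpoint; both must be TLS.
    for url in (acs_url, slo_url):
        if not url.startswith("https://"):
            raise ValueError(f"endpoint must use https: {url}")
    flag = {True: "true", False: "false"}
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        # Declares that this SP signs its AuthnRequests ...
        "AuthnRequestsSigned": flag[bool(authn_requests_signed)],
        # ... and requires the IdP to sign the assertions it returns.
        "WantAssertionsSigned": flag[bool(want_assertions_signed)],
        "protocolSupportEnumeration": SAML2_PROTOCOL,
    })
    # One certificate for both uses, as the dialog states.
    for use in ("signing", "encryption"):
        key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": use})
        data = ET.SubElement(ET.SubElement(key, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(data, f"{{{DS}}}X509Certificate").text = pem_to_b64(cert_pem)
    # Schema order inside SPSSODescriptor: KeyDescriptor, SingleLogoutService, AssertionConsumerService.
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                  {"Binding": HTTP_REDIRECT, "Location": slo_url})
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def describe_sp_metadata(xml_text):
    """Read back the settings the identity provider will act on."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    acs = sp.find(f"{{{MD}}}AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "key_uses": sorted(k.get("use") for k in sp.findall(f"{{{MD}}}KeyDescriptor")),
    }


# Constructed placeholder values; replace with the real host and certificate.
EXAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-----END CERTIFICATE-----"""
EXAMPLE_METADATA = build_sp_metadata(
    entity_id="https://cd.example.com/saml/metadata",
    acs_url="https://cd.example.com/saml/acs",
    slo_url="https://cd.example.com/saml/slo",
    cert_pem=EXAMPLE_CERT_PEM,
)

if __name__ == "__main__":
    print(EXAMPLE_METADATA)
    print(describe_sp_metadata(EXAMPLE_METADATA))
```

The https check is deliberate: the assertion consumer service receives bearer assertions from the user's browser, so a plain-http endpoint exposes every login to anyone on the path. Running `describe_sp_metadata` over the generated file, or over the metadata CloudBees CD/RO produces, shows at a glance whether both signing flags are set.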
You can configure one or more SAML identity providers. These include identity providers such as Okta, OneLogin, SiteMinder, or Active Directory Federation Services (ADFS).
To get started, open the Single Sign-On page from the main menu and select Enable SAML SSO from the Edit SSO Configuration list.
The Identity providers section shows a list of the existing SAML identity provider configurations.
Select the Add identity provider button in the Identity providers section.
The Add identity provider dialog displays.
Enter the details for the identity provider as follows:
Name: Name of the SAML identity provider.
Enable identity provider: If checked, this identity provider is enabled and any previously enabled identity provider is disabled; only one identity provider is active at a time.
Description text: Comment text describing this object. CloudBees CD/RO does not interpret it.
IDP Metadata XML File: File name containing metadata for this SAML identity provider. The identity provider supplies this metadata when you configure a CloudBees SAML SSO application on its site. See Example: configuring an Okta IDP integration.
Select Save Changes.
The new identity provider appears in the list of identity providers in the Identity Provider subtab.
This section demonstrates how to create a SAML SSO application integration for your CloudBees CD/RO environment on the Okta identity platform.
Steps in this section take place on the Okta platform.
An active Okta account.
Your Okta account populated with the users who will sign in.
A SAML SSO service provider configured on your CloudBees CD/RO server.
- Create the integration
Sign in to your Okta account and navigate to the Applications dashboard.
Select Create App Integration. The Create a new app integration dialog displays.
Select SAML 2.0 as the Sign-on method and select Next. The Create SAML Integration page displays with the General Settings tab active.
Enter general settings for your integration and select Next. The Configure SAML tab activates.
On the Configure SAML tab, enter the following:
Single sign on URL: The CloudBees CD/RO assertion consumer service endpoint. Use the value from the Single sign on URL field of the CloudBees CD/RO SAML SSO service provider configuration.
Audience URI: The CloudBees CD/RO service provider entity ID. Use the value from the Audience URI field of the CloudBees CD/RO SAML SSO service provider configuration.
Attribute statements: create four as follows
- Download provider metadata
Navigate to the Applications dashboard on the Okta platform.
Select the application you just created. The application’s settings page displays.
Select the Sign On tab to display the Sign on methods page.
Select the Identity Provider metadata link: the metadata XML displays. Copy it and save it to a file.
Enter this file name into the IDP Metadata XML File field of the CloudBees CD/RO SAML SSO identity provider configuration and select Save Changes.
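The metadata file downloaded in the steps above is what CloudBees CD/RO will trust for the identity provider's issuer, sign-in URL and signing certificate, so it is worth inspecting before it is saved into the configuration. The following is an added example, not CloudBees or Okta code, that reads such a file and reports the values plus anything a practitioner would reject. SAMPLE_IDP_METADATA is constructed in the shape of an Okta metadata download; its entityID, application path and certificate are placeholders, not real Okta values.

```python
"""Inspect SAML identity provider metadata before pointing the IDP Metadata XML File field at it.

Added example, not CloudBees or Okta code. SAMPLE_IDP_METADATA is constructed in the shape of an
Okta download; the entityID, application path and certificate are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exkEXAMPLE0000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/example/exkEXAMPLE0000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.okta.com/app/example/exkEXAMPLE0000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text, sp_signs_requests=True):
    """Return the fields the service provider will rely on, plus a list of problems found."""
    problems = []
    # Metadata never needs a DTD; refusing one rules out entity-expansion tricks in a third-party file.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("metadata contains a DOCTYPE; refusing to parse")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID")
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or ""):
        problems.append("IdP does not advertise SAML 2.0 protocol support")

    # Signing certificates: KeyDescriptor with use="signing", or no use attribute (meaning both).
    certs = []
    for key in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if key.get("use") not in (None, "signing"):
            continue
        for cert in key.iter(f"{{{DS}}}X509Certificate"):
            raw = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(raw, validate=True)
            except ValueError:
                problems.append("signing certificate is not valid base64")
                continue
            if not der or der[0] != 0x30:  # a DER certificate starts with a SEQUENCE tag
                problems.append("signing certificate is not DER")
                continue
            certs.append(raw)
    if not certs:
        problems.append("no signing certificate: assertion signatures cannot be verified")

    sso_post = None
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        if svc.get("Binding") == HTTP_POST:
            sso_post = svc.get("Location")
    if sso_post is None:
        problems.append("no HTTP-POST SingleSignOnService")
    elif not sso_post.startswith("https://"):
        problems.append(f"SSO URL is not https: {sso_post}")

    wants_signed_requests = idp.get("WantAuthnRequestsSigned") == "true"
    if wants_signed_requests and not sp_signs_requests:
        problems.append("IdP requires signed AuthnRequests but the SP has AuthnRequestsSigned unchecked")

    return {"entity_id": entity_id, "sso_post_url": sso_post, "signing_certs": certs,
            "want_authn_requests_signed": wants_signed_requests, "problems": problems}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for k, v in inspect_idp_metadata(text).items():
        print(f"{k}: {v}")
```

Pass the downloaded file as the first argument to check a real download. The two things to compare by hand against the Okta application page are the entityID (the issuer that assertions will carry) and the SSO URL; a non-empty `problems` list means the file should not be saved into CloudBees CD/RO until the cause is understood.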
|This feature is available starting with CloudBees CD/RO Preview v2021.06.00.|
You can optionally skip configuring Directory providers by letting CloudBees Software Delivery Automation register users automatically when the SSO identity provider authenticates them. With this enabled, anyone the identity provider authenticates for the CloudBees application gets an account, so control who may sign in through the identity provider's application assignments.
To do this, on the Single Sign-On page set Auto register SSO users to Enabled.
You can also set the Group claim SAML attribute delimiter to one appropriate to your environment. The default delimiter is a comma.
The access control functionality in CloudBees CD/RO determines who can modify the single sign-on configuration settings for Kerberos and SAML.
To get started, on the Single Sign-On page select the Access Control button. The Access Control settings display.
Review and change Privileges and Inherited Privileges sections.
For information about how end users sign in to CloudBees Software Delivery Automation using single sign-on, see Signing in to CloudBees Software Delivery Automation.