How to configure Jenkins login with google apps

Now that Google deprecated support for OpenID, you can use Google Login Plugin which works well with Google Apps.

You can achieve Single Sign On with Google Apps using the OpenID Plugin. It's very easy to set up, you basically install the plugin, select "Google Apps SSO (with OpenID)" and enter your domain. Note that users will have to have a google apps account to login after that.

Tip: you might consider using it in combination with the Role Strategy Plugin

In Jenkins by default user authentication is not enabled but we can establish the user authentication from the Global Security section. We have to create users for team members and it maintains all user in its own database. But we can also configure Jenkins with Google OAuth. So, if you are leveraging Google services and already have users on it. The users can login to Jenkins and perform their task.

To implement Google OAuth we'll recommend jenkinsci/google-login-plugin (https://github.com/jenkinsci/google-login-plugin) this is a Jenkins plugin which lets you login to Jenkins with your Google account. Also allows you to restrict access to accounts in a given Google Apps domain.

I am assuming that we have already installed Jenkins server and have admin right to make changes in it. The whole configuration is divided into three easy steps.

1. Get Google OAuth Credentials

To use this plugin, you must obtain OAuth 2.0 credentials from the Google Developers Console (https://console.developers.google.com). These don't need to belong to a special account, or even one associated with the domain you want to restrict logins to.

Instructions to create the Client ID and Secret:

• Login to the Google Developers Console

• Create a new project, in the pop-up window specify your projectname it can be any name which is more meaning full to you, eg:Jenkins OAuth. In this project we will generate authanticationcredentials to enable OAuth API.

• On the left sidebar under APIs & Services (API Manager) ->Credentials, Create credentials, OAuth client ID (It will genrate APIcredentials and these credentails are required to configure inJenkins in last step).

• As we are going to integrate this in Jenkins and it is a webservice, the application type should be "Web Application"

• Register Jenkins URI from where we allowed to access the GoogleAPIs. We have to provide Jenkins server detail. You can replace yourJENKINS_ROOT_URL = http:jenkins.mydomain.com with your own Jenkins URI. This will be the landing page of your Jenkins server.Once you hit this page it will be redirected to google for theauthentication.

• The authorized redirect URIs is required to redirect you aftersuccessful login. It is the combination of your Jenkins landing pageand a suffix string to validate you are a logged in user. As we wantto land user to Jenkins dashboard, so it has the same URI which wementioned in the previous step and don’t forget to includesecurityRealm/finishLogin at the end. So the authorized redirectURLs should result like this${JENKINS_ROOT_URL}/securityRealm/finishLogin.

  eg: http://jenkins.mydoamin.com/securityRealm/finishLogin

• Copy and save Client ID and Client Secret, these credentialwill be used to enable Google APIs in Jenkins (Security RealmConfiguration).

2. Install Google Login Plugin

In Jenkins there is no mechanism to configure OAuth but there are many plugins are available and we are using Google Login plugin. We can easily install this plugin from Manage Jenkins –> Manage Plugins –> Available and search for “Google Login”. Select the plugin. There is no need to restart to install this plugin. This plugin allows for the register Google OAuth and performs authentication.

3. Configure Jenkins

In this step, we will setup Google security credentials in installed plugin. Navigate to Manage Jenkins –> Configure Global Security and select Login with Google under Security Realm paste credentials (Client ID and secret) generated in the first step. In the last field do not forget to enter your domain name it allows you to restrict access to given domain name.

Immediately after saving changes Jenkins will allow access to all users in your domain. Now, try to login into your Jenkins it will redirect you to Google Authentication page. If everything is set up properly you will be logged in but just in case you’re still facing any problem go back and check each step. The logged in user can do anything and if you want to restrict users you can implement Role Strategy Plugin (https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin) security.