Tutorial 1: How Applications Log In with EnOS Accounts - OIDC
In this tutorial, Jenkins is used as the example client application that logs in to the SSO Server using the OIDC protocol.
Prerequisites
You have an EnOS system administrator account and have all operation permissions for Single Sign-On. For more information, see Policies, Roles and Permissions.
You have an EnOS OU administrator account, and have been authorized by the system administrator with the operation permissions for Single Sign-On. See Policies, Roles and Permissions.
If you have a Jenkins administrator account, contact the O&M personnel to activate it.
Procedure
Step 1: Register the Jenkins Client on the SSO Server
In the EnOS Management Console, select Single Sign-On > Client Management.
Click New Client and provide the following information.
Client Configuration
Client Protocol: OIDC
Client ID: enos-oidc
Client Secret: You can either provide your own or generate one.
Login Redirect URL: http://localhost:8080/securityRealm/finishLogin (The address on the SP side that receives the authorization code in the OIDC protocol.)
Logout Redirect URL: http://localhost:8080 (The SSO user is redirected to the Jenkins login page once logged out.)
Base URL:
Default Identity Provider: devportal
Authentication Code Flow: Enabled
Scope configuration
Select email and profile.
Click Save to create the new client.
Step 2: Configure the Jenkins Client
Install the Jenkins client openId plugin:
Log in to the Jenkins Client as the Jenkins administrator, navigate to Manage Jenkins > Manage Plugins > Available, check OpenID and OpenID Connect Authentication, and then click Download now and install after restart.
After the download is completed, check Restart Jenkins when installation is complete and no jobs are running, and then restart the Jenkins client.
Log in to the Jenkins Client again, navigate to Manage Jenkins > Configure Global Security, check Enable security and then Login with Openid Connect in the Security Realm column, and then fill in the following fields.
Client ID: enos-oidc (the Client ID in Step 1).
Client Secret: The Client Secret in Step 1.
After the required information is completed, check Automatic configuration in the Configuration mode column, and then fill in the following fields:
Well-known configuration endpoint: https://sso_login_environment_domain/ssoserver/.well-known/openid-configuration
After the configuration is completed, click Save on the Jenkins security configuration page (http://localhost:8080/jenkins/configureSecurity/).
Step 3: Verify Login
Log in to the Jenkins Client; the browser is automatically redirected to the SSO login page: https://sso_login_environment_domain/auth-service/login.
Add Corresponding Configuration to Client Code (Based on OIDC Implementation)
If you need to configure other clients, you can add the corresponding configuration in the client code.
Client’s Issuer Url: https://sso_login_environment_domain/ssoserver
Client ID: The Client ID in Step 1.
Client Secret: The Client Secret in Step 1.
Login Redirect URL: The address that receives the authentication result, which must match the Login Redirect URL stated in Step 1 exactly.
Logout Redirect URL: the address to which the SSO server will redirect the user’s browser after successful logout.
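The configuration values above (issuer URL, client ID, client secret, redirect URLs, well-known endpoint) are exactly what a hand-written OIDC client needs. The following Python example, added here and not part of the EnOS documentation or of any EnOS or Jenkins code, shows how a client derives the discovery endpoint from the issuer, validates the discovery document, builds the authorization-code request with the scopes from Step 1, and checks the redirect that carries the authorization code. It goes slightly beyond the tutorial by including the state and nonce checks and the exact redirect-URL match that protect the flow against forged or replayed redirects. The domain sso_login_environment_domain is the tutorial's placeholder; the authorization and token endpoint paths in the constructed discovery document are assumptions, and ID-token signature verification is left to a JOSE library.

```python
"""OIDC authorization-code client helpers (added example, not EnOS/Jenkins code)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values from Step 1 of the tutorial; the domain is the tutorial's placeholder.
ISSUER = "https://sso_login_environment_domain/ssoserver"
CLIENT_ID = "enos-oidc"
LOGIN_REDIRECT_URL = "http://localhost:8080/securityRealm/finishLogin"
# "openid" is mandatory in OIDC; email and profile are the scopes selected in Step 1.
SCOPES = ("openid", "email", "profile")


def discovery_url(issuer: str) -> str:
    """Well-known configuration endpoint derived from the issuer, as in Step 2."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_document(issuer: str, doc: dict) -> dict:
    """Validate a fetched discovery document before trusting its endpoints.

    The document's 'issuer' must equal the configured issuer exactly, the
    endpoints must be HTTPS, and the authorization code flow (enabled in Step 1)
    must be advertised.
    """
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: configured {issuer!r}, got {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise the authorization code flow")
    return doc


def build_authorization_request(authorization_endpoint: str, client_id: str,
                                redirect_uri: str, scopes, state: str, nonce: str) -> str:
    """URL the client sends the browser to; state and nonce are fresh random values."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return authorization_endpoint + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str, registered_redirect: str) -> str:
    """Extract the authorization code from the redirect to the Login Redirect URL.

    Rejects callbacks that arrive at a URL other than the registered one, that
    carry a provider error, or whose state does not match the one we sent.
    """
    parts = urlsplit(callback_url)
    received = parts._replace(query="", fragment="").geturl()
    if received != registered_redirect:
        raise ValueError("callback arrived at an unregistered redirect URL")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF or replayed redirect)")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def check_id_token_claims(claims: dict, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """Claim checks on an ID token whose signature has already been verified."""
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the configured issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token was not issued for this client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (token replay)")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def demo() -> str:
    """Run the client side of the flow against a constructed discovery document."""
    # Constructed stand-in for the JSON the well-known endpoint would return.
    doc = check_discovery_document(ISSUER, {
        "issuer": ISSUER,
        "authorization_endpoint": ISSUER + "/authorize",   # assumed path
        "token_endpoint": ISSUER + "/token",               # assumed path
        "response_types_supported": ["code"],
    })
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_request(doc["authorization_endpoint"], CLIENT_ID,
                                      LOGIN_REDIRECT_URL, SCOPES, state, nonce)
    # Constructed callback: what the SSO server would send back after login.
    callback = f"{LOGIN_REDIRECT_URL}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    return parse_callback(callback, state, LOGIN_REDIRECT_URL) if url else ""


if __name__ == "__main__":
    print("authorization code received:", demo())
```

The returned code would then be posted to the token endpoint together with the client ID and client secret from Step 1, and the resulting ID token's signature verified against the provider's JWKS before check_id_token_claims is applied.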
Verify Login
Log in to the client; the browser is automatically redirected to https://sso_login_environment_domain/auth-service/login. Once the user successfully logs in with the EnOS account, the client obtains the Auth Token according to the OIDC protocol and completes the login.