Tutorial 2: How Applications Log In with EnOS Accounts - SAML Protocol
In this tutorial, Jenkins is taken as the example application (the service provider, SP) that logs in to the SSO Server in compliance with the SAML protocol.
Prerequisites
- You have an EnOS system administrator account and have all operation permissions for Single Sign-on. For more information, see Policies, Roles and Permissions.
- You have an EnOS OU administrator account, and have been authorized by the system administrator with the operation permissions for Single Sign-On. For more information, see Policies, Roles and Permissions.
- If you have a Jenkins administrator account, contact the O&M personnel to activate it.
Procedure
Step 1: Register Jenkins Client on SSO Server
In the EnOS Management Console, select Single Sign-On > Client Management.
Click New Client and provide the following information.
Client Configuration
- Client Protocol: SAML
- Client ID: enos-smal
- Login Redirect URL: http://localhost:8090/securityRealm/finishLogin (the SAML AssertionConsumerService endpoint, which receives the authentication result on the SP side)
- Logout Redirect URL: http://localhost:8090/samlLogout (the SAML SingleLogoutService endpoint, the SLO endpoint on the SP side)
- Base URL:
- Default Identity Provider: devportal
- Client Signature: enabled
Scope Configuration
- Select email and profile.
SAML Keys: Click to generate the SAML key.
Click Save to complete the creation of the new client.
Step 2: Configure Jenkins Client
Download and install Jenkins-saml.
After Jenkins-saml is installed, log in to the Jenkins client, navigate to Manage Jenkins > Configure Global Security, check Enable security, select SAML 2.0 in the Security Realm section, and then fill in the following fields:
- IdP MetaData URL: https://sso_login_environment_domain/ssoserver/oauth/saml/descriptor. After entering the URL, click Validate IdP MetaData URL. Once the validation succeeds, continue with the LogOut URL.
- LogOut URL: https://sso_login_environment_domain/ssoserver/oauth/saml/logout?clientId=http://localhost:8080/jenkins/securityRealm/finishLogin
- Data Binding Method: select HTTP-POST.
After the required information is completed, click Apply and then Save.
Step 3: Verify Login
Log in to the Jenkins client, and the address will automatically jump to the login page: https://sso_login_environment_domain/auth-service/login.
Add Corresponding Configuration to Client Code (Based on SAML Implementation)
If you need to configure other clients, you can add the corresponding configuration in the client code.
- Client’s Entity Id: The Client ID in Step 1.
- Client’s AssertionConsumerService: The Login Redirect URL in Step 1.
- Client’s SingleLogoutService address: The Logout Redirect URL in Step 1.
- SSO Server’s metadata XML: https://beta-enos-authz-service-cn4.eniot.io/ssoserver/oauth/saml/descriptor. Configure the client code with reference to the values published in this metadata (IdP entity ID, SSO and SLO endpoints, and signing certificate).
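The mapping described above, as an added example that is not EnOS or Jenkins code: it reads the IdP metadata descriptor, keeps the HTTP-POST endpoints selected in Step 2, requires a signing certificate (the client has Client Signature enabled), and combines the result with the Step 1 client values. The metadata document, the `/oauth/saml/sso` endpoint path, the certificate text and the settings dictionary layout are constructed for this example and are not taken from the page.

```python
import xml.etree.ElementTree as ET  # use defusedxml for metadata fetched over the network

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of an IdP metadata descriptor; the real one is served by the SSO Server
# at https://sso_login_environment_domain/ssoserver/oauth/saml/descriptor
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso_login_environment_domain/ssoserver">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-sample-cert...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso_login_environment_domain/ssoserver/oauth/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso_login_environment_domain/ssoserver/oauth/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso_login_environment_domain/ssoserver/oauth/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract entityID, HTTP-POST SSO/SLO endpoints and signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    def post_endpoint(tag):  # keep only the binding selected in Step 2 (HTTP-POST)
        for svc in idp.findall("md:" + tag, NS):
            if svc.get("Binding") == POST_BINDING:
                return svc.get("Location")
        return None
    certs = [c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")  # no 'use' attribute means signing and encryption
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:  # without a signing certificate the SP cannot verify the IdP's assertions
        raise ValueError("IdP metadata has no signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": post_endpoint("SingleSignOnService"),
            "slo_url": post_endpoint("SingleLogoutService"), "signing_certs": certs}

def build_sp_settings(client_id, login_redirect_url, logout_redirect_url, idp):
    """Map the Step 1 client fields onto SP settings (dictionary layout is this example's own)."""
    if not (idp["sso_url"] and idp["slo_url"]):
        raise ValueError("IdP metadata lacks an HTTP-POST SSO or SLO endpoint")
    return {"sp": {"entityId": client_id,                              # Client ID
                   "assertionConsumerService": login_redirect_url,    # Login Redirect URL
                   "singleLogoutService": logout_redirect_url},       # Logout Redirect URL
            "idp": idp, "want_assertions_signed": True}               # Client Signature: enabled
```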
Verify Login
Log in to the client, and the address will automatically jump to https://sso_login_environment_domain/auth-service/login. Once the user successfully logs in with the EnOS account, the client will get the Auth Token according to the SAML protocol and complete the login.