# **Overview**

Single Sign-On **(SSO)** is a crucial security and user experience feature for modern software systems. SSO allows users to access multiple applications with a single set of credentials, enhancing security, usability, and productivity. This blog outlines how to implement **SSO** for **Jenkins** using **Google** (https://cloud.google.com/architecture/identity/single-sign-on) as the identity provider, together with the Jenkins plugin https://plugins.jenkins.io/google-login/.

# **Goals**

The primary objectives of implementing **SSO** for **Jenkins** with **Google** are as follows:

1. *Improved Security*: By using **Google's** authentication and authorization services, we can enhance security by leveraging Google's robust security measures, including multi-factor authentication (**MFA**) and **OAuth 2.0**.
2. *Enhanced User Experience*: Users can access **Jenkins** using their existing **Google** accounts, reducing the need to remember additional usernames and passwords.
3. *Simplified User Management*: Administrators can manage users and access permissions through **Jenkins’s** centralized user management console.

# **Implementation**

## Set up the Google Project

The **Google Project** for implementing SSO should be set up within the organization so that the company’s developers can be granted access to the Jenkins server.

## Install and set up the Google Login Plugin

Following the Jenkins documentation https://www.jenkins.io/doc/book/managing/plugins/#installing-a-plugin and the plugin’s documentation [Setup Google Login Plugin](https://github.com/jenkinsci/google-login-plugin/blob/master/README.md), the detailed steps for installing and setting up Google SSO are:

1. Install the plugin through the Jenkins UI.

   ![image](https://hackmd.io/_uploads/r1du7hfJJx.png)

2. Configure the Google App to contain the redirect URL for the **ursalive** Jenkins server: `https://jenkins.ursalive.link/securityRealm/finishLogin`
3. Go to the [Configure Global Security](https://jenkins.ursalive.link/manage/configureSecurity/) page of Jenkins and change the **Security Realm** to **Login with Google**.

   ![image](https://hackmd.io/_uploads/Bk8YXhGkJl.png)

4. Fill in the corresponding **Client ID**, **Client Secret** and **Google Apps Domain** from the **Google App** created in the previous step.

   ![image](https://hackmd.io/_uploads/Hyk5Q2GJJx.png)

5. Change the authorization mechanism to `Role-based Strategy`.
6. Go into **Manage Jenkins** > **Manage and Assign Roles** to create roles with permissions and assign them to users.
7. Configure the Jenkins roles with `admin`, `developer` and `viewer` permissions.

   ![image](https://hackmd.io/_uploads/r16cX2MJJe.png)

8. Add users and groups to the corresponding roles.

   ![image](https://hackmd.io/_uploads/Hky6X2fJJl.png)
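
Google compares the redirect URI byte for byte, so a wrong scheme or a trailing slash in step 2 makes the login fail with `redirect_uri_mismatch`. The following pre-flight check is an added example, not part of the plugin or of the original write-up: it compares the Jenkins root URL against the OAuth client JSON downloaded from the Google console and the domain entered in step 4. The function name, the sample JSON and the reading of an empty **Google Apps Domain** as "no domain restriction" are assumptions.

```python
import json
from urllib.parse import urlsplit

CALLBACK_PATH = "/securityRealm/finishLogin"  # callback path from step 2

def check_sso_config(jenkins_root, client_json, apps_domain):
    """Return a list of findings; an empty list means the values line up."""
    findings = []
    expected = jenkins_root.rstrip("/") + CALLBACK_PATH
    if urlsplit(jenkins_root).scheme != "https":
        findings.append("Jenkins root URL is not https")
    # Web-application client files keep their URIs under web.redirect_uris.
    registered = json.loads(client_json).get("web", {}).get("redirect_uris", [])
    if expected not in registered:
        findings.append(f"redirect URI not registered exactly: {expected}")
    exp = urlsplit(expected)
    for uri in registered:
        if uri == expected:
            continue
        got = urlsplit(uri)
        if got.hostname == exp.hostname and got.path.rstrip("/") == exp.path:
            findings.append(f"near miss (scheme or trailing slash): {uri}")
        else:
            # A client shared with other apps is worth a review.
            findings.append(f"extra redirect URI on this client: {uri}")
    if not apps_domain.strip():
        # Assumption: an empty domain field leaves sign-in unrestricted.
        findings.append("Google Apps Domain is empty: sign-in is not limited to one domain")
    return findings

# Constructed sample input, not taken from a real Google project.
SAMPLE_CLIENT = json.dumps({"web": {
    "client_id": "EXAMPLE-ID.apps.googleusercontent.com",
    "redirect_uris": [
        "http://jenkins.ursalive.link/securityRealm/finishLogin",
        "https://jenkins.ursalive.link/securityRealm/finishLogin/",
        "https://staging.example.com/oauth/callback",
    ]}})

if __name__ == "__main__":
    for finding in check_sso_config("https://jenkins.ursalive.link/", SAMPLE_CLIENT, ""):
        print("FINDING:", finding)
```
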