
Jenkins (OIDC)

Use Hanzo IAM as the OIDC IdP for Jenkins sign-in.

Use Hanzo IAM as the OIDC identity provider for Jenkins so users sign in with their Hanzo IAM accounts.

Terms: IAM_HOSTNAME — Hanzo IAM server URL; JENKINS_HOSTNAME — Jenkins server URL.

Step 1: Deploy Hanzo IAM and Jenkins

  1. Set the Jenkins URL (Manage Jenkins -> Configure System -> Jenkins Location) to JENKINS_HOSTNAME.
     [Figure: Jenkins URL]
  2. Ensure that Hanzo IAM is running and that you can log in to it normally.
  3. Set Hanzo IAM's origin value (conf/app.conf) to IAM_HOSTNAME.
     [Figure: Hanzo IAM conf]

Step 2: Configure the Hanzo IAM application

  1. Create or edit a Hanzo IAM application.
  2. Add redirect URL: http://JENKINS_HOSTNAME/securityRealm/finishLogin.
  3. Add providers as needed. Note the Client ID and Client secret from the application page.

OIDC discovery URL: http://IAM_HOSTNAME/.well-known/openid-configuration

[Figure: Hanzo IAM Application Setting]

Step 3: Configure Jenkins

Install the OpenID Connect Authentication plugin (Jenkins does not support OIDC out of the box).

After the installation is complete, go to Manage Jenkins -> Configure Global Security.
[Figure: Jenkins global security]

:::tip

Make sure to back up the Jenkins config.xml file to recover in case of any setup errors.

:::

  1. In Access Control, select Login with Openid Connect as the Security Realm.
  2. Specify the Client ID noted above in the Client ID field.
  3. Specify the Client secret noted above in the Client secret field.
  4. In the Configuration mode, select Automatic configuration and enter http://IAM_HOSTNAME/.well-known/openid-configuration as the Well-known configuration endpoint.
     [Figure: Jenkins' Setting]
     If your Hanzo IAM is deployed locally, you may need to select Manual configuration and provide the following information:
    • Token server URL: http://IAM_HOSTNAME/oauth/token
    • Authorization server URL: http://IAM_HOSTNAME/oauth/authorize
    • UserInfo server URL: http://IAM_HOSTNAME/api/get-account
    • Scopes: address phone openid profile offline_access email
    [Figure: Manual configuration]
  5. Click on Advanced settings and fill in the following:
    • In the User name field, specify name.
    • In the Full name field, specify displayName.
    • In the Email field, specify email.
    [Figure: Userinfo Field Setting]
  6. In the Authorization section, enable “Logged-in users can do anything” and disable “Allow anonymous read access”. You can configure more complex authorization later; for now, check that OpenID Connect sign-in works. Log out of Jenkins, and it should redirect you to Hanzo IAM for authentication.
     [Figure: Jenkins Login Page]
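As an added check that is not part of this guide or of the Hanzo IAM project: the Python below maps an OIDC discovery document (the Well-known configuration endpoint from Step 3) onto the Manual configuration fields, flags endpoints that are not served over https, and verifies that the Step 2 redirect URL is registered exactly. The discovery document and the hostnames in it are constructed sample values, not real Hanzo IAM output.

```python
import json
from urllib.parse import urlsplit

# Jenkins "Manual configuration" fields and the discovery-document keys they come from.
FIELD_TO_DISCOVERY_KEY = {
    "Token server URL": "token_endpoint",
    "Authorization server URL": "authorization_endpoint",
    "UserInfo server URL": "userinfo_endpoint",
}
# Scopes listed in the guide, in the guide's order; openid/profile/email back the name, displayName and email mappings.
GUIDE_SCOPES = ["address", "phone", "openid", "profile", "offline_access", "email"]
REQUIRED_SCOPES = {"openid", "profile", "email"}

def manual_config_from_discovery(discovery_json, expected_issuer):
    """Return (fields, problems): values to type into Jenkins, and anything to fix first."""
    doc = json.loads(discovery_json)
    fields, problems = {}, []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for field, key in FIELD_TO_DISCOVERY_KEY.items():
        url = doc.get(key)
        if not url:
            problems.append(f"discovery document has no {key}; fill '{field}' by hand")
            continue
        if urlsplit(url).scheme != "https":
            # The client secret and tokens travel over this URL; plain http exposes them in transit.
            problems.append(f"{field} is not https: {url}")
        fields[field] = url
    supported = doc.get("scopes_supported", [])
    missing = REQUIRED_SCOPES - set(supported)
    if missing:
        problems.append("IdP does not advertise required scopes: " + " ".join(sorted(missing)))
    fields["Scopes"] = " ".join(s for s in GUIDE_SCOPES if s in supported)
    return fields, problems

def redirect_url_registered(registered_urls, jenkins_url):
    """The plugin callback must be registered exactly; a prefix or wildcard match is not enough."""
    return f"{jenkins_url.rstrip('/')}/securityRealm/finishLogin" in set(registered_urls)

# Constructed sample discovery document (not real Hanzo IAM output) using the guide's paths.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://iam.example.test",
    "authorization_endpoint": "http://iam.example.test/oauth/authorize",
    "token_endpoint": "http://iam.example.test/oauth/token",
    "userinfo_endpoint": "http://iam.example.test/api/get-account",
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "offline_access"],
})

if __name__ == "__main__":
    fields, problems = manual_config_from_discovery(SAMPLE_DISCOVERY, "http://iam.example.test")
    print(json.dumps({"fields": fields, "problems": problems}, indent=2))
```

Run it against the real discovery URL's response body to get the values for the manual fields; every entry under "problems" is something to resolve before switching the security realm.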
