OpenID – Connect Jenkins with Keycloak

In this post I will show how to connect Jenkins to Keycloak with OpenID Connect.

You can learn about Keycloak installation at this link: https://www.keycloak.org/docs/latest/server_installation/index.html#guide-overview

KEYCLOAK SERVER

The first step is in Keycloak: you need to create a new Client in the Realm you configured when you built your own Keycloak server (in my case “SSOTEST”; in some of the screenshot examples below you will see that the realm name is “SSO”. You can ignore that, it is only for the screenshot examples 🙂 ).

The type of client (Client Protocol) should be OpenID Connect.

You need to enter a unique Client ID (a unique “client name”) and the Root URL of your Jenkins server.

Under “Access Type” you need to change the value to Confidential.

Then enter the “Valid Redirect URL” value, https://jenkins/* (this must match the “server url” you configure in the Jenkins configuration; keep the pattern as narrow as your Jenkins URL allows).

On the Credentials tab copy the “Secret” value and save it in a notepad file (we will use the secret later).

The next step is to create Mappers (they define which values, the claims, are carried in the token exchanged between the client and the server).

The first mapper is “username”; the Mapper Type should be “User Property”.

For “Property” choose username, and for “Token Claim Name” enter preferred_username.

The second mapper is “Group Membership”; the Mapper Type should be “Group Membership”.

For “Property” choose username, and for “Token Claim Name” enter Group-Membership (note the exact spelling and case you use here; Jenkins will look for this claim name later).

The final configuration looks like this:

ON JENKINS SERVER

To connect the Jenkins server to the Keycloak server with OpenID Connect, and to be able to use Matrix-based security, you should install the following plugins:

In the security configuration choose the option “Login with Openid Connect” and enter the Client ID and the Secret (from the client configuration in Keycloak).

For the Configuration mode, choose “Manual configuration” and fill in the Token server url, Authorization server url, UserInfo server url and the “Logout from openID provider” URL, following the example URLs in the screenshot:

In the “User name field name” and “Full name field name” type preferred_username (the Token Claim Name from the Keycloak client).

In the “Group field name” type group-membership (the Token Claim Name from the Keycloak client; it must match the mapper’s claim name exactly, including case, because claim names are case-sensitive).

*** If you get errors with HTTPS URLs, you should import the Keycloak certificate into the Java truststore that Jenkins uses, or check the “Disable ssl verification” check-box; with verification disabled Jenkins cannot tell the real Keycloak from an impostor, so use that option only while testing.

In the Authorization section select the “Matrix-based security” option and add the names of the groups you created on the Keycloak server.

In my case I created two groups in Keycloak:

Jenkins-admin – for Jenkins admins (full permissions).

Jenkins-Users – for Jenkins users (read only).

*** You should add the “/” prefix to the group name in Jenkins (for example /Jenkins-admin), because Keycloak sends the full group path in the claim.
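As an added example (not code from the original post), the script below maps a Keycloak realm’s OpenID discovery document onto the four URLs of the Jenkins “Manual configuration” step, and checks a decoded ID token for the preferred_username and group-membership claims the two mappers above provide, including the leading “/” on group names. The discovery document and the claims are constructed samples, and keycloak.example is a made-up hostname.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what a Keycloak realm publishes at
# <keycloak>/auth/realms/<realm>/.well-known/openid-configuration (hostname is made up).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example/auth/realms/SSOTEST",
    "authorization_endpoint": "https://keycloak.example/auth/realms/SSOTEST/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example/auth/realms/SSOTEST/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example/auth/realms/SSOTEST/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://keycloak.example/auth/realms/SSOTEST/protocol/openid-connect/logout",
})

# Jenkins "Manual configuration" field -> key in the discovery document
FIELD_MAP = {
    "Token server url": "token_endpoint",
    "Authorization server url": "authorization_endpoint",
    "UserInfo server url": "userinfo_endpoint",
    "Logout from openID provider (end session url)": "end_session_endpoint",
}

def jenkins_urls(discovery_json):
    """Map the discovery document onto the Jenkins manual-configuration fields."""
    doc = json.loads(discovery_json)
    issuer = urlparse(doc["issuer"])
    urls = {}
    for field, key in FIELD_MAP.items():
        url = urlparse(doc[key])
        # Every Keycloak endpoint lives under the realm issuer; a different host or a plain
        # http URL means a mistyped value, and would send the client secret to the wrong place.
        if url.scheme != "https" or url.netloc != issuer.netloc:
            raise ValueError(f"{key} must be https on {issuer.netloc}: {doc[key]}")
        urls[field] = doc[key]
    return urls

def claim_problems(claims, groups_claim="group-membership"):
    """List what Jenkins would miss in these ID-token claims, given the two mappers above."""
    problems = []
    if not claims.get("preferred_username"):
        problems.append("no preferred_username claim: add the username mapper")
    groups = claims.get(groups_claim)
    if not isinstance(groups, list):
        # Claim names are case-sensitive: 'Group-Membership' != 'group-membership'.
        problems.append(f"no {groups_claim} claim: check the mapper's Token Claim Name (case matters)")
    else:
        # With the Group Membership mapper Keycloak emits the full group path, so the
        # Jenkins matrix rows must read "/Jenkins-admin", not "Jenkins-admin".
        problems.extend(f"group {g!r} has no leading '/'" for g in groups if not g.startswith("/"))
    return problems
```

Run jenkins_urls against the real discovery document of your realm (the link the comment below points to) and paste the result into the Jenkins fields.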

SHMUEL H.

2 thoughts on “OpenID – Connect Jenkins with Keycloak”

  1. “On the Configuration mode, choose the Manual configuration and fill the: Token Server url, Authorization server url, UserInfo server url AND the Logout from openID provider as the example URLs on the print screen” – where are these from?

    1. In Keycloak, navigate to the Realm settings tab. Under the General tab, scroll down and click on the OpenID Endpoint Configuration link in the Endpoints section.
