• Documentation
• Tutorial 2: How Applications Log In with EnOS Accounts - SAML Protocol

Tutorial 2: How Applications Log In with EnOS Accounts - SAML Protocol

In this tutorial, the Jenkins is taken as an example to log in to the SSO Server in compliance with the SAML protocol.

Prerequisites

• You have an EnOS system administrator account and have all operation permissions for Single Sign-on. For more information, see Policies, Roles and Permissions.

• You have an EnOS OU administrator account, and have been authorized by the system administrator with the operation permissions for Single Sign-o. For more information, see Policies, Roles and Permissions.

• If you have a Jenkins administrator account, contact the O&M personnel to activate it.

Procedure

Step 1: Register Jenkins Client on SSO Server

1. In the EnOS Management Console, select Single Sign-On > Client Management.

2. Click New Client and provide the following information.

   • Client Configuration

     • Client Protocol: SMAL

     • Client ID: enos-smal

     • Login Redirect URL: http://localhost:8090/securityRealm/finishLogin (The endpoint that receives the authentication results on the SP side in the SAML protocol - AssertionConsumerService)

     • Logout Redirect URL: http://localhost:8090/samlLogout (The SLO endpoint at the SP side in the SAML protocol - SingleLogoutService)

     • Base URL:

     • Default Identity Provider: Management Console

     • Client Signature: enabled

     
     

   • Scope Configuration

     • Select email and profile.

     
     

   • SAML Keys: Click to generate the SAML key.

   
   

3. Click Save to complete the creation of the new client.

Step 2: Configure Jenkins Client

1. Download and install Jenkins-saml.

2. After the Jenkins-saml is downloaded successfully, log in to the Jenkins Client, navigate to Manage Jenkins > Configure Global Security, check Enable security and then SAML 2.0 in the Security Realm column, and then fill in the following fields:

   • IdP MetaData URL: https://sso_login_environment_domain/ssoserver/oauth/saml/descriptor. After the required information is completed, click Validate IdP MetaData URL. After the verification is completed, continue to fill in the LogOut URL.

   • LogOut URL: https://sso_login_environment_domain/ssoserver/oauth/saml/logout?clientId=http://localhost:8080/jenkins/securityRealm/finishLogin

   • Data Binding Method: select HTTP-POST.

   
   

3. After the required information is completed, click Apply and then Save.

Step 3: Verify Login

Log in to the Jenkins client, and the address will automatically jump to the login page: https://sso_login_environment_domain/auth-service/login.

Add Corresponding Configuration to Client Code (Based on SAML Implementation)

If you need to configure other clients, you can add the corresponding configuration in the client code.

• Client’s Entity Id: The Client ID in Step 1.

• Client’s AssertionConsumerService: The Login Redirect URL in Step 1.

• Client’s SingleLogoutService address: The Logout Redirect URL in Step 1.

• SSO Server’s metadata xml: https://beta-enos-authz-service-cn4.eniot.io/ssoserver/oauth/saml/descriptor. The client code can be configured with reference to the metadata on it.

Verify Login

Log in to the client, and the address will automatically jump to https://sso_login_environment_domain/auth-service/login. Once the user successfully logs in with the EnOS account, the client will get the Auth Token according to the SAML protocol and complete the login.