Tutorial 2: How Applications Log In with EnOS Accounts - SAML Protocol
In this tutorial, Jenkins is used as the example application that logs in to the SSO Server in compliance with the SAML protocol.
Prerequisites
You have an EnOS system administrator account and have all operation permissions for Single Sign-on. For more information, see Policies, Roles and Permissions.
You have an EnOS OU administrator account, and have been authorized by the system administrator with the operation permissions for Single Sign-on. For more information, see Policies, Roles and Permissions.
You have a Jenkins administrator account. If it has not been activated, contact the O&M personnel to activate it.
Procedure
Step 1: Register Jenkins Client on SSO Server
In the EnOS Management Console, select Single Sign-On > Client Management.
Click New Client and provide the following information.
Client Configuration
Client Protocol: SAML
Client ID: enos-smal
Login Redirect URL: http://localhost:8090/securityRealm/finishLogin (the SP-side endpoint that receives the authentication result in the SAML protocol, i.e. the AssertionConsumerService)
Logout Redirect URL: http://localhost:8090/samlLogout (the SP-side single logout endpoint in the SAML protocol, i.e. the SingleLogoutService)
Base URL:
Default Identity Provider: Management Console
Client Signature: enabled
Scope Configuration
Select email and profile.
SAML Keys: Click to generate the SAML key.
Click Save to complete the creation of the new client.
Step 2: Configure Jenkins Client
Download and install Jenkins-saml.
After Jenkins-saml has been downloaded and installed, log in to the Jenkins Client, navigate to Manage Jenkins > Configure Global Security, check Enable security, select SAML 2.0 in the Security Realm column, and then fill in the following fields:
IdP MetaData URL: https://sso_login_environment_domain/ssoserver/oauth/saml/descriptor. After entering this URL, click Validate IdP MetaData URL. Once the validation succeeds, continue by filling in the LogOut URL.
Data Binding Method: select HTTP-POST.
After the required information is completed, click Apply and then Save.
Step 3: Verify Login
Log in to the Jenkins client, and the address will automatically jump to the login page: https://sso_login_environment_domain/auth-service/login.
Add Corresponding Configuration to Client Code (Based on SAML Implementation)
If you need to configure other clients, add the corresponding configuration in the client code using the values registered in Step 1.
Client’s Entity Id: The Client ID in Step 1.
Client’s AssertionConsumerService: The Login Redirect URL in Step 1.
Client’s SingleLogoutService address: The Logout Redirect URL in Step 1.
SSO Server’s metadata xml: https://beta-enos-authz-service-cn4.eniot.io/ssoserver/oauth/saml/descriptor. The client code can be configured with reference to this metadata (IdP entity ID, SSO/SLO endpoints and signing certificate).
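The following is an added example, not code from EnOS, Jenkins or the Jenkins-saml plugin, showing how an SP implementation consumes the three values above together with the SSO Server's metadata: it parses an IdP descriptor to pull out the SSO/SLO endpoints and the signing certificate, renders SP metadata whose Entity ID, AssertionConsumerService and SingleLogoutService mirror the client registered in Step 1, and performs the audience/recipient check that keeps an assertion issued for a different client from being accepted by this one. The IdP descriptor and the assertion are constructed stand-ins; their endpoint paths and certificate value are invented for the example and are not the real descriptor content.

```python
"""SP-side SAML wiring for the client registered in Step 1 (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values registered for the Jenkins client in Step 1 of the tutorial.
CLIENT_ENTITY_ID = "enos-smal"
CLIENT_ACS_URL = "http://localhost:8090/securityRealm/finishLogin"
CLIENT_SLO_URL = "http://localhost:8090/samlLogout"

# Constructed stand-in for the descriptor served at
# https://sso_login_environment_domain/ssoserver/oauth/saml/descriptor.
# Endpoint paths and the certificate value are invented for this example.
IDP_METADATA_XML = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sso_login_environment_domain/ssoserver">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...CONSTRUCTED-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso_login_environment_domain/ssoserver/oauth/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso_login_environment_domain/ssoserver/oauth/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso_login_environment_domain/ssoserver/oauth/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed assertion, as the SP would see it after the IdP redirects back.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0">
  <saml:Issuer>https://sso_login_environment_domain/ssoserver</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="http://localhost:8090/securityRealm/finishLogin"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>enos-smal</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_idp_metadata(xml_text, binding=POST_BINDING):
    """Return the IdP entity ID, the SSO/SLO endpoints for the chosen binding
    (HTTP-POST, matching the Data Binding Method chosen in Step 2) and the
    signing certificate the SP must pin for assertion signature checks."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)

    def endpoint(tag):
        for e in idp.findall(f"md:{tag}", NS):
            if e.get("Binding") == binding:
                return e.get("Location")
        return None

    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    return {
        "entity_id": root.get("entityID"),
        "sso_url": endpoint("SingleSignOnService"),
        "slo_url": endpoint("SingleLogoutService"),
        "signing_cert": cert.text.strip() if cert is not None else None,
    }


def build_sp_metadata(entity_id, acs_url, slo_url, sign_requests=True):
    """Render SP metadata mirroring the Step 1 client: Entity ID = Client ID,
    ACS = Login Redirect URL, SLO = Logout Redirect URL, and
    AuthnRequestsSigned reflecting the Client Signature setting."""
    ET.register_namespace("md", NS["md"])
    md = lambda tag: f"{{{NS['md']}}}{tag}"
    root = ET.Element(md("EntityDescriptor"), entityID=entity_id)
    sp = ET.SubElement(root, md("SPSSODescriptor"),
                       AuthnRequestsSigned=str(sign_requests).lower(),
                       WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    ET.SubElement(sp, md("SingleLogoutService"), Binding=POST_BINDING, Location=slo_url)
    ET.SubElement(sp, md("AssertionConsumerService"), Binding=POST_BINDING,
                  Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def check_assertion_targets(assertion_xml, entity_id, acs_url):
    """Accept only if AudienceRestriction names this SP's Entity ID and the
    bearer Recipient is this SP's ACS URL; this complements, and never
    replaces, verifying the assertion signature against signing_cert."""
    root = ET.fromstring(assertion_xml)
    audiences = {a.text.strip() for a in root.iter(f"{{{NS['saml']}}}Audience")}
    recipients = {s.get("Recipient")
                  for s in root.iter(f"{{{NS['saml']}}}SubjectConfirmationData")}
    return entity_id in audiences and acs_url in recipients


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA_XML)
    print("IdP SSO endpoint:", idp["sso_url"])
    print(build_sp_metadata(CLIENT_ENTITY_ID, CLIENT_ACS_URL, CLIENT_SLO_URL))
    print("assertion accepted:",
          check_assertion_targets(SAMPLE_ASSERTION, CLIENT_ENTITY_ID, CLIENT_ACS_URL))
```

Point the script at the real descriptor URL from Step 2 instead of the constructed XML to obtain the actual endpoints and certificate; the audience and recipient values to compare against remain the Client ID and Login Redirect URL exactly as registered in Step 1, since a mismatch in either is what the SP must reject.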
Verify Login
Log in to the client, and the address will automatically jump to https://sso_login_environment_domain/auth-service/login. Once the user successfully logs in with the EnOS account, the client will get the Auth Token according to the SAML protocol and complete the login.