SAML Authentication - also need normal http auth


James Masson

Apr 25, 2017, 7:48:28 AM
to Jenkins Users

Hi list,

I've successfully got SAML integration working with Jenkins & OneLogin, through the normal SAML plugin.

What I'm struggling with now is finding a solution to authenticate the Jenkins Swarm slave plugin, and a few other automation tools that operate via standard HTTP auth.

Has anyone done this?

Ideally I'd use PAM auth for the automation, and SAML just for users - but this doesn't seem to be possible?

thanks

James M


Ivan Fernandez Calvo

Apr 25, 2017, 4:14:49 PM
to Jenkins Users
Hi,

It is not possible to use two authentication plugins/methods at the same time, but you could use the API token as the authentication method for scripts or other automated tasks. For more information, you can take a look at https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients

James Masson

Apr 27, 2017, 5:44:03 AM
to Jenkins Users

Thanks for the reminder about API keys - I'd forgotten about them - works perfectly.

However....

How does the API key for a SAML authed user get persisted? Is it just in memory? If I restart Jenkins, does it get reset?

I notice there are no user config.xml files created by Jenkins for SAML users.

James M

James Masson

Apr 28, 2017, 5:04:29 AM
to Jenkins Users

To close the loop on this...

It looks like the API keys for SAML generated users are persisted /somewhere/ in Jenkins.

However, the permissions associated with the API key do not seem to get persisted - unless the user is directly in the permissions matrix, and doesn't get permissions as part of a group.

There seems to be zero documentation on how this works.

Ivan Fernandez Calvo

Apr 28, 2017, 9:28:46 AM
to Jenkins Users
Yep, it is not possible to retrieve the groups from the IdP because API token authentication is a local authentication with a non-password key, so when you log in you only have the permissions that you grant directly to the user, more or less, because it depends a little on your permissions plugin (role based, matrix, ...). I am working on some kind of cache that should be configured to allow the use of the full granted authorities even though you use the API token.