Login to Jenkins with Microsoft online account

[Evan Greensmith]

We're moving from Google accounts to Microsoft online accounts. Currently our Jenkins is setup to use the Google Login Plugin to allow 2-factor login using staff Google accounts (and Google Authenticator). We'd like to have a similar setup (with 2-factor auth) using staff Microsoft online accounts (and Windows Authenticator).

login.microsoftonline.com provides an oauth end-point that could be used to provide 2-factor authentication, but I can't find any microsoft/generic OAuth Login plugin (the Google Login Plugin appears to hard-code the google OAuth end-points). Using LDAP/AD would be an option, but not sure how we could get the 2-factor authentication setup (using Windows Authenticator). Our current fall-back is to opt for LDAP login but have more restricted access to the Jenkins box.

I'd be interested to hear any stories of looking at login via Microsoft online accounts. Or any useful pointers.

Cheers,

Evan.

[Evan Greensmith]

For the record. In the end we used the SAML Plugin along with the following instructions to setup SAML Auth in Azure AD:

https://blogs.msdn.microsoft.com/tsmatsuz/2016/12/29/azure-ad-saml-federation-application-tutorial/

We found we needed to set the Entity ID in the SSO config to be the same as the Reply URL.

[Evan Greensmith]

Again, for the record. We had difficulties with authentication sessions timing out (we'd need to logout and login again to our Microsoft accounts). Also, the FederatedMetadata.xml would occasionally be updated (on the Microsoft end). As the plugin can not read the update from the URL, we would need to turn-off global security, update the SAML configuration and then reconfigure role assignments.

We instead switched to authenticating in apache with mod_auth_openidc and using the Jenkins Reverse Proxy Auth plugin.