Tutorial 2: How Applications Log In with EnOS Accounts - SAML Protocol


In this tutorial, Jenkins is used as the example client that logs in to the SSO Server with the SAML protocol.

Prerequisites

  • You have an EnOS system administrator account and have all operation permissions for Single Sign-on. For more information, see Policies, Roles and Permissions.

  • You have an EnOS OU administrator account, and have been authorized by the system administrator with the operation permissions for Single Sign-on. For more information, see Policies, Roles and Permissions.

  • If you have a Jenkins administrator account, contact the O&M personnel to activate it.

Procedure

Step 1: Register Jenkins Client on SSO Server

  1. In the EnOS Management Console, select Single Sign-On > Client Management.

  2. Click New Client and provide the following information.

    • Client Configuration

      • Client Protocol: SAML

      • Client ID: enos-smal

      • Login Redirect URL: http://localhost:8090/securityRealm/finishLogin (the SP-side endpoint that receives the authentication result in the SAML protocol, i.e. the AssertionConsumerService)

      • Logout Redirect URL: http://localhost:8090/samlLogout (the SP-side single logout endpoint in the SAML protocol, i.e. the SingleLogoutService)

      • Base URL:

      • Default Identity Provider: Management Console

      • Client Signature: enabled


    • Scope Configuration

      • Select email and profile.


    • SAML Keys: Click smal_key to generate the SAML key.


  3. Click Save to complete the creation of the new client.

Step 2: Configure Jenkins Client

  1. Download and install Jenkins-saml.

  2. After Jenkins-saml is installed, log in to the Jenkins client, navigate to Manage Jenkins > Configure Global Security, check Enable security, select SAML 2.0 in the Security Realm column, and then fill in the following fields:

    • IdP MetaData URL: https://sso_login_environment_domain/ssoserver/oauth/saml/descriptor. After entering it, click Validate IdP MetaData URL. Once validation succeeds, continue with the LogOut URL.

    • LogOut URL: https://sso_login_environment_domain/ssoserver/oauth/saml/logout?clientId=http://localhost:8080/jenkins/securityRealm/finishLogin

    • Data Binding Method: select HTTP-POST.


  3. After the required information is completed, click Apply and then Save.

Step 3: Verify Login

Log in to the Jenkins client; the browser is automatically redirected to the login page: https://sso_login_environment_domain/auth-service/login.

Add Corresponding Configuration to Client Code (Based on SAML Implementation)

If you need to configure other clients, add the corresponding settings in the client code as follows.

  • Client’s Entity Id: The Client ID in Step 1.

  • Client’s AssertionConsumerService: The Login Redirect URL in Step 1.

  • Client’s SingleLogoutService address: The Logout Redirect URL in Step 1.

  • SSO Server’s metadata XML: https://enos-authz-service-eu2.enos-iot.com/ssoserver/oauth/saml/descriptor. Configure the client code according to the metadata published there (IdP entity ID, single sign-on and single logout endpoints, and signing certificate).
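The mapping above can be checked mechanically. The following is an added example (not EnOS, Jenkins or Jenkins-saml code) that parses an IdP metadata descriptor of the standard SAML 2.0 EntityDescriptor shape, derives the SP settings from the Step 1 fields (Client ID as Entity ID, Login Redirect URL as AssertionConsumerService, Logout Redirect URL as SingleLogoutService, Client Signature as request signing), and runs the configuration checks a reviewer would want before go-live. The metadata XML, its host, paths and certificate are constructed placeholders, not the real EnOS descriptor.

```python
# Added example: derive and sanity-check SP settings from IdP SAML metadata.
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata from untrusted sources
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of a SAML 2.0 EntityDescriptor; host, paths
# and certificate are placeholders, not the real EnOS descriptor.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC_PLACEHOLDER_CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/saml/login"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/saml/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract the IdP facts an SP needs: entity ID, endpoints, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoint(tag, binding):
        for el in idp.findall(tag, NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(c.text.split()))
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": endpoint("md:SingleSignOnService", POST),
        "sso_redirect_url": endpoint("md:SingleSignOnService", REDIRECT),
        "slo_url": endpoint("md:SingleLogoutService", POST),
        "signing_certs": certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def build_sp_config(idp, client_id, login_redirect_url, logout_redirect_url, client_signature=True):
    """Map the tutorial's Step 1 client fields onto SAML SP terms."""
    return {
        "sp": {
            "entity_id": client_id,                                   # Client ID
            "assertion_consumer_service": {"url": login_redirect_url, "binding": POST},   # Login Redirect URL
            "single_logout_service": {"url": logout_redirect_url, "binding": POST},       # Logout Redirect URL
            "sign_authn_requests": client_signature,                  # Client Signature: enabled
        },
        "idp": idp,
    }


def check_sp_config(cfg, production=False):
    """Return the findings a reviewer would raise; an empty list means the config is consistent."""
    sp, idp, findings = cfg["sp"], cfg["idp"], []
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if idp["sso_post_url"] is None:
        findings.append("IdP offers no HTTP-POST SingleSignOnService, but the SP selects HTTP-POST")
    if idp["slo_url"] is None:
        findings.append("IdP offers no SingleLogoutService; logout will be local to the SP only")
    if idp["wants_signed_requests"] and not sp["sign_authn_requests"]:
        findings.append("IdP requires signed AuthnRequests but Client Signature is disabled")
    for name in ("assertion_consumer_service", "single_logout_service"):
        url = sp[name]["url"]
        if production and urlsplit(url).scheme != "https":
            findings.append(f"{name} URL {url} is not https; assertions would travel in clear")
    return findings


if __name__ == "__main__":
    idp_facts = parse_idp_metadata(SAMPLE_IDP_METADATA)
    cfg = build_sp_config(idp_facts, "enos-smal",
                          "http://localhost:8090/securityRealm/finishLogin",
                          "http://localhost:8090/samlLogout")
    for f in check_sp_config(cfg, production=True):
        print("finding:", f)
```

The localhost URLs from Step 1 pass the checks in a development setting and are flagged only when `production=True`; the same function run against the real descriptor URL would tell you whether the IdP actually publishes the HTTP-POST binding selected in Step 2.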

Verify Login

Log in to the client; the browser is automatically redirected to https://sso_login_environment_domain/auth-service/login. Once the user successfully logs in with the EnOS account, the client receives the authentication token according to the SAML protocol and completes the login.
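What "completes the login" means on the SP side is that the SAML Response posted to the Login Redirect URL is bound to this client before it is trusted. The following is an added example (not EnOS, Jenkins or Jenkins-saml code) that checks those bindings against the Step 1 values: Destination and bearer Recipient must equal the AssertionConsumerService, Audience must equal the Client ID, InResponseTo must match an AuthnRequest this SP issued, and the validity windows must contain the current time. The Response XML, issuer, request ID and user are constructed; XML signature verification against the IdP's signing certificate is assumed to have happened already and is not shown.

```python
# Added example: SP-side binding checks on a SAML Response before accepting the login.
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted input
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

CLIENT_ID = "enos-smal"                                       # Client ID / SP Entity ID from Step 1
ACS_URL = "http://localhost:8090/securityRealm/finishLogin"   # Login Redirect URL from Step 1

# Constructed sample Response; issuer, IDs, timestamps and user are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req42" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="http://localhost:8090/securityRealm/finishLogin">
  <saml:Issuer>https://idp.example/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="http://localhost:8090/securityRealm/finishLogin"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>enos-smal</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _in_window(now, not_before, not_on_or_after):
    """NotBefore is optional; NotOnOrAfter is required for a bearer assertion."""
    if not_on_or_after is None:
        return False
    return (not_before is None or _ts(not_before) <= now) and now < _ts(not_on_or_after)


def validate_response(xml_text, expected_acs, expected_audience, outstanding_request_ids, now):
    """Return (problems, name_id, attributes); accept the login only when problems is empty."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append("Destination does not match this SP's AssertionConsumerService")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("Status is not Success")
    if root.get("InResponseTo") not in outstanding_request_ids:
        problems.append("Response InResponseTo matches no outstanding AuthnRequest (unsolicited or replayed)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems, None, {}
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _in_window(now, cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its Conditions validity window")
    audiences = [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience does not include this SP's Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != expected_acs
            or scd.get("InResponseTo") not in outstanding_request_ids):
        problems.append("bearer SubjectConfirmationData does not bind the assertion to this SP and request")
    elif not _in_window(now, None, scd.get("NotOnOrAfter")):
        problems.append("bearer SubjectConfirmationData has expired")
    name_id_el = a.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text if name_id_el is not None else None
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return problems, name_id, attrs


if __name__ == "__main__":
    when = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    print(validate_response(SAMPLE_RESPONSE, ACS_URL, CLIENT_ID, {"_req42"}, when))
```

The outstanding request IDs are the SP's own record of AuthnRequests it has sent and not yet consumed; dropping an ID once its Response is accepted is what makes a replayed Response fail the InResponseTo check.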