AWS SSO for Jenkins through SAML Authentication
**Single Sign-On (SSO):**
Imagine you have a special key that can open multiple doors without needing different keys for each door. SSO is like that key for your online accounts. When you use SSO, you log in once, and then you can access different websites or apps without entering your password each time.
**How SSO Works:**
1. You log in with your key (credentials) on a central system.
2. This system gives you a special token (like a stamp) to prove you’re authenticated.
3. When you want to use another app, it shows your token to that app.
4. The app checks that the token is genuine (with SAML it verifies the identity provider's signature on it rather than calling the central system back) and lets you in if it's valid.
5. You can use different apps without needing to log in again.
**Security Assertion Markup Language (SAML):**
Think of a SAML assertion as a signed letter of introduction that your browser carries from the identity provider to the website: it states who you are, and it is signed so the website can verify it came from a provider it trusts. SAML is used when different websites agree to trust one central login so you don't have to sign in to each of them separately.
**How SAML Works:**
1. You want to use a website (the service provider, here Jenkins).
2. The website redirects you to an identity checker (the identity provider, here AWS SSO).
3. You prove your identity to the identity provider.
4. The identity provider issues a signed statement about you (the SAML assertion) and sends your browser back to the website with it.
5. Your browser posts the assertion to the website's Assertion Consumer Service (ACS) URL.
6. The website verifies the signature, checks that the assertion was issued for it (audience and recipient) and that it has not expired, and then lets you in.
In this blog I show how AWS SSO (renamed AWS IAM Identity Center in 2022; the console screens below still say SSO) lets you sign in to Jenkins through SAML: you prove who you are once to AWS and reach Jenkins without a separate Jenkins password or repeated logins.
1. Log in to your AWS account, launch an EC2 instance and install Jenkins on it.
If you haven't installed Jenkins yet, follow my previous blog, "How to Install Jenkins".
2. After Jenkins is installed you will see the following window.
3. Now log in to your AWS account and search for the "SSO" service.
4. Click "SSO Service". If you are using it for the first time, you have to enable the service.
5. Click the "Enable" button and you will see the SSO dashboard.
6. Now configure the first application, Jenkins: click "Applications" in the left-hand menu.
7. Click "Add Application".
8. Because we are using SAML, select "SAML 2.0", then search for "Jenkins" and select it.
9. Click "Next". On the next page keep the settings as they are, scroll to the bottom and enter your Jenkins address in the "Application ACS URL" field. For the Jenkins SAML plugin the ACS endpoint is the Jenkins root URL followed by /securityRealm/finishLogin (for example http://<your-jenkins-ip>:8080/securityRealm/finishLogin); scheme, host and port must match the Jenkins URL configured under "Manage Jenkins" → "System", otherwise the assertion is posted to an address Jenkins does not recognise as its own.
The ACS (Assertion Consumer Service) URL is a critical part of a SAML-based Single Sign-On setup. It is the URL to which the identity provider (here AWS SSO) sends the SAML assertion, via the user's browser, after the user has logged in successfully.
The service provider (Jenkins) then validates the assertion (signature, issuer, audience, recipient and validity window) and grants access to the user. Because the signed identity travels through this URL, make it an HTTPS address outside a throwaway lab: anyone who can read traffic to a plain-http ACS URL can capture the bearer assertion and replay it within its validity window.
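As an added example (mine, not part of the original post and not the Jenkins SAML plugin's code), the following Python script shows the service-provider side of the SAML steps above and of the ACS validation just described. It builds a constructed, unsigned SAMLResponse of the kind an IdP posts to the ACS URL, then applies the checks Jenkins must make before trusting it (success status, issuer, audience, recipient, validity window) and extracts the NameID and attributes that become the Jenkins user name, e-mail and groups. The entity IDs, URLs and user data are placeholders; XML signature verification, which a real SP performs first, is deliberately left out because it needs an XML-DSig library, and the script says so where it applies.

```python
"""SP-side checks on a SAML 2.0 Response (stdlib only; constructed sample data)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Placeholders assumed for this example (not real endpoints): the IdP entity ID from
# the Identity Center metadata file, and the ACS URL / audience entered in AWS SSO.
IDP_ENTITY_ID = "https://portal.sso.example.test/saml/assertion/EXAMPLEID"
ACS_URL = "http://jenkins.example.test:8080/securityRealm/finishLogin"
SP_ENTITY_ID = ACS_URL


class SamlError(Exception):
    """Raised when the SP must refuse the assertion."""


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_response(issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID,
                   recipient=ACS_URL, minutes_valid=5):
    """Constructed, UNSIGNED SAMLResponse shaped like what an IdP posts to the ACS
    URL, base64-encoded as in the HTTP-POST binding (a real IdP signs it)."""
    now = datetime.now(timezone.utc)
    not_after = _ts(now + timedelta(minutes=minutes_valid))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{_ts(now)}" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{not_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" NotOnOrAfter="{not_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups"><saml:AttributeValue>jenkins-admins</saml:AttributeValue><saml:AttributeValue>developers</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_response(b64_response, expected_issuer=IDP_ENTITY_ID,
                      expected_audience=SP_ENTITY_ID, acs_url=ACS_URL):
    """Checks the SP (Jenkins) must make before trusting an assertion. Deliberately
    omitted: XML-Signature verification against the IdP certificate from the
    metadata file. A real SP does that FIRST; everything below only matters once
    the signature has been verified."""
    now = datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("no assertion in response")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:          # must be the IdP we fetched metadata for
        raise SamlError(f"unexpected issuer {issuer!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:  # issued for some other application?
        raise SamlError("audience does not include this SP")
    cond = assertion.find("saml:Conditions", NS)
    if cond.get("NotBefore") and now < _parse_ts(cond.get("NotBefore")):
        raise SamlError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _parse_ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion expired")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:  # bearer token for another ACS
        raise SamlError("bearer confirmation not addressed to our ACS URL")
    if scd.get("NotOnOrAfter") and now >= _parse_ts(scd.get("NotOnOrAfter")):
        raise SamlError("bearer confirmation expired")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}


def rejection_reason(b64_response, **kwargs):
    """None if the SP would accept the response, otherwise why it refused."""
    try:
        validate_response(b64_response, **kwargs)
        return None
    except SamlError as exc:
        return str(exc)
```

Calling validate_response(build_response()) returns the NameID and the email/groups attributes an SP would map to a user; rejection_reason on responses built with a different audience, recipient or issuer, or with minutes_valid negative, returns the reason each one is refused. Those are exactly the properties the metadata URL, ACS URL and attribute mappings in the steps below pin down, which is why a mismatch in any of them shows up as a login error rather than a silent fallback.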
10. Click "Submit" and you will see that the application has been added.
11. Now add a user: click "Users" and then "Add user".
12. Enter the user name and e-mail address, click "Next" and finally "Add User".
13. You will see the following output.
14. Before going ahead, check your mail and accept the invitation.
15. After clicking "Accept Invitation" you are redirected to the AWS SSO window to set a new password.
16. Log in with the new password; you land on the AWS SSO user portal and see its dashboard.
17. There is no "Jenkins" application there yet, so go back to "SSO Service", click "Applications", open "Jenkins" and click "Assign Users".
18. Select the user and click the "Assign User" button.
19. Refresh your AWS SSO portal page and the "Jenkins" application appears.
20. If you click the app now you are redirected to the Jenkins URL but see an error, because Jenkins is not yet configured to accept the SAML assertion.
21. To prepare the assertion, go to "AWS SSO" → "Applications" → "Actions" → "Edit attribute mappings".
22. Add the attribute mappings shown in the image below and click "Save". These mappings decide which user fields AWS SSO puts into the assertion (the Subject, typically the user's e-mail address with format emailAddress, plus attributes such as e-mail and groups); the attribute names you choose here must match the attribute names you enter in the Jenkins SAML plugin later.
23. Now go to "Jenkins" → "Manage Jenkins" → "Plugins" → "Available plugins", search for "SAML", tick the SAML plugin (the first result) and click "Install without restart".
24. After the plugin is installed, open "Manage Jenkins" → "Security". Before you change anything here, keep this admin browser session open in a second tab: if the SAML login fails you would otherwise be locked out. Recovery if that happens: stop Jenkins, set <useSecurity>false</useSecurity> in $JENKINS_HOME/config.xml, restart, fix the realm, and re-enable security.
25. Select "SAML 2.0" as the security realm. The realm only decides who the user is; the authorization strategy on the same page still decides what they may do, so do not leave it at "Anyone can do anything" or "Logged-in users can do anything" beyond a test, because every user assigned to the Jenkins application in AWS SSO would then be an administrator.
26. Scroll down to "IdP Metadata URL". To get it, go to "AWS SSO" → "Applications" → "Actions" → "Edit configuration".
27. Copy the URL of the "IAM Identity Center SAML metadata file" and paste it into the "IdP Metadata URL" field in Jenkins.
28. After pasting the URL click "Validate IdP metadata URL"; you should see "Success". This fetches the IdP's entity ID, sign-in endpoint and signing certificate; without it Jenkins cannot verify the signature on the assertions.
29. Scroll down on the same page and replace the group attribute name with the name shown below; it must match the group attribute you mapped in AWS SSO.
30. For the "Logout URL", go back to the same "Edit configuration" page in AWS SSO, copy the "Sign out" URL and paste it into Jenkins.
31. Click "Apply" and then "Save" in Jenkins.
32. Go to the AWS SSO login page, refresh it (or log in again) and click "Jenkins".
33. You are logged in to Jenkins automatically, with the user you created shown as the name.