OpenID plugin

This plugin lets your Hudson users log in to Hudson through external OpenID providers, without using a password (in OpenID terminology, this plugin makes Hudson a relying party). The plugin has two somewhat different modes of operation:

  1. 'On the side' mode: Keep the existing security realm and just use OpenID as a way to log in without typing a password. That is, Hudson still takes user/group information from some source (such as Active Directory, LDAP, etc.), and with this plugin users can now log in to their user accounts by associating an OpenID with their accounts.
  2. SSO mode: You designate one OpenID provider as the authoritative source of user information in Hudson. The user must log in through this OpenID provider, and the user account is automatically created and linked to it.

'On the side' mode

This mode is on by default as soon as you install the plugin. In this mode, the user first associates OpenIDs with their user account (after logging in normally, by clicking their name at the top right of the page and then "Configure"):

This initiates a wizard that allows the user to associate OpenIDs with this account. Once this is set up, the user can log in to his/her account with this OpenID, without remembering the password:

In this "on the side" mode, OpenID is just used as a means to bypass the use of the password.

SSO mode

This mode makes Hudson rely completely on a single external OpenID provider as the user realm. Use of OpenID in this mode is no longer just a convenience: you have to "belong" to the configured OpenID provider to be able to log in to Hudson.

First, the administrator configures the system and designates the OpenID provider:

Here you need to specify which OpenID provider you will be delegating authentication to. You do this either by specifying the "OpenID Provider Endpoint URL" (as defined by the spec), or by specifying one OpenID identifier and letting Hudson figure out where the OP Endpoint URL is. The latter is often easier, as it can sometimes be rather complicated to find out what the actual OP Endpoint URL is.

Once Hudson is configured this way, the user is automatically sent to this OpenID provider whenever Hudson determines that the user needs to be authenticated. This includes accessing a protected page and clicking a login link, and it happens without the user clicking the "login with OpenID" button.

Combined with the option in typical OpenID providers to bypass the confirmation dialog after the first login, this creates a single sign-on experience where the user never has to explicitly log in to access Hudson.

Team extension support

This implementation supports the OpenID team extension to retrieve group membership information from OpenID providers.

Because of the way the protocol works, the group membership information is retrieved at login. If you are added as a member of a new team, or if you modify ACLs in Hudson and add a row for a new group, you will have to log in again for Hudson to recognize your membership in this new group.
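The following is an added example, not code from the plugin or from this page: it shows how a relying party such as Hudson can extract team membership from an OpenID provider's positive assertion while trusting only the fields the provider actually signed (the group list travels in the same redirect the browser delivers, so an unsigned parameter is worthless). It assumes the team extension is Launchpad's OpenID teams extension and uses a constructed MAC key and a constructed response.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Assumption (not stated on the page): the team extension is Launchpad's OpenID
# teams extension, which answers with the field "<alias>.is_member".
TEAMS_NS = "http://ns.launchpad.net/2007/openid-teams"
# OpenID 2.0 requires the signature to cover at least these fields.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def sign(params, mac_key):
    # Key-Value form (OpenID 2.0 section 4.1.1) over the listed fields, HMAC-SHA256, base64.
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def team_membership(query_string, mac_key):
    """Teams asserted for the user in a positive assertion; only signed fields are trusted."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed) or any(f"openid.{f}" not in params for f in signed):
        raise ValueError("signed field list is incomplete")
    if not hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", "")):
        raise ValueError("bad signature")
    # Find the alias the OP used for the teams namespace (e.g. openid.ns.lp=<TEAMS_NS>).
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == TEAMS_NS), None)
    if alias is None:
        return set()  # the OP did not answer the team query: no group membership
    # Both the namespace declaration and the membership list must be under the signature,
    # otherwise an unsigned "is_member" parameter appended to the redirect would be trusted.
    if f"ns.{alias}" not in signed or f"{alias}.is_member" not in signed:
        raise ValueError("team membership is not covered by the signature")
    return {t for t in params[f"openid.{alias}.is_member"].split(",") if t}

# Constructed sample: an OP's assertion for a user in two teams, signed with a constructed
# association MAC key (a real RP takes the key from its association with the OP).
SAMPLE_KEY = b"constructed-association-mac-key"

def sample_response(sign_teams=True):
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example.invalid/openid",
         "openid.return_to": "https://hudson.example.invalid/openid-return",
         "openid.response_nonce": "2011-01-01T00:00:00Zabc123", "openid.assoc_handle": "assoc-1",
         "openid.claimed_id": "https://op.example.invalid/~alice", "openid.identity": "https://op.example.invalid/~alice",
         "openid.ns.lp": TEAMS_NS, "openid.lp.is_member": "hudson-admins,developers",
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"
                          + (",ns.lp,lp.is_member" if sign_teams else "")}
    p["openid.sig"] = sign(p, SAMPLE_KEY)
    return urlencode(p)
```

Replay protection (checking `openid.response_nonce` against a store of seen nonces) is a separate check a relying party must also perform before accepting the assertion.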

SSO mode configuration ideas

  • If you deny read access to the anonymous user on your Hudson, people will automatically get authenticated via OpenID whenever they access Hudson. This is very convenient for keeping track of who is making what changes in Hudson, without bothering the user.
  • You can take it one step further and grant read access only to specific teams in the OpenID provider. This allows you to restrict the use of Hudson to a subset of those who have identities on the OpenID provider (as opposed to everyone with an account).

Release History

Version 1.0 (upcoming)

  • Initial release
