Class FederatedLoginService

java.lang.Object
hudson.security.FederatedLoginService
All Implemented Interfaces:
ExtensionPoint

public abstract class FederatedLoginService extends Object implements ExtensionPoint
Abstraction for a login mechanism through an external authenticator/identity provider (instead of username/password).

This extension point adds an additional login mechanism to SecurityRealms that authenticate the user via username/password (which typically extend AbstractPasswordBasedSecurityRealm). The intended use case is protocols like OpenID, OAuth, and other SSO-like services.

The basic abstraction is that:

  • The user can have (possibly multiple, possibly zero) opaque strings attached to their User object. Such opaque strings are called "identifiers." Think of them as OpenID URLs, Twitter account names, etc. Identifiers are only comparable within the same FederatedLoginService implementation.
  • After getting authenticated by some means, the user can add additional identifiers to their account. Your implementation does the protocol-specific work to verify that the user indeed owns the claimed identifier, creates a FederatedLoginService.FederatedIdentity instance, then calls FederatedLoginService.FederatedIdentity.addToCurrentUser() to record the association.
  • On the login page, instead of entering a username and password, the user opts to authenticate via another service. Think of OpenID, OAuth, your corporate SSO service, etc. The user proves (in your protocol-specific way) that they own some identifier; your implementation then creates a FederatedLoginService.FederatedIdentity instance and invokes FederatedLoginService.FederatedIdentity.signin() to sign that user in.

Views

loginFragment.jelly
Injected into the login form page, after the default "login" button but before the "create account" link. Use this to generate a button or a link so that the user can initiate login via your federated login service.

URL Binding

Each FederatedLoginService is exposed to the URL space via Jenkins.getFederatedLoginService(String). So, for example, if your URL name is "openid", this object is bound at "/federatedLoginService/openid".
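The pieces described above (a URL name, an identity class, protocol-specific verification of the claimed identifier, then addToCurrentUser() for an already signed-in user or signin() for an anonymous one) fit together roughly as in the following added illustration. It is not Jenkins' or any plugin's code: the class ExampleSsoLoginService, the toy "signed assertion" protocol it checks (identifier, timestamp, HMAC-SHA256 over "identifier|ts" under a secret shared with the identity provider), the SHARED_SECRET placeholder and the Stapler endpoint doFinishLogin are all constructed for the example. The abstract getters overridden on the identity (getIdentifier, getNickname, getFullName, getEmailAddress, getPronoun) and getIdentityClass() are taken from the FederatedIdentity/FederatedLoginService declarations in Jenkins core, which this page does not list.

```java
package org.example.jenkins.sso; // hypothetical package, not a real plugin

import hudson.Extension;
import hudson.model.User;
import hudson.security.FederatedLoginService;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Locale;

/**
 * Hypothetical federated login service for a constructed "ExampleSSO" identity provider.
 * Assumed flow: the IdP redirects the browser back to
 * /federatedLoginService/examplesso/finishLogin?identifier=...&ts=...&sig=...
 * where sig = base64url(HMAC-SHA256(sharedSecret, identifier + "|" + ts)).
 */
@Extension
public class ExampleSsoLoginService extends FederatedLoginService {

    // PLACEHOLDER: a real plugin loads this from the credentials store, never from source.
    private static final byte[] SHARED_SECRET = "replace-me".getBytes(StandardCharsets.UTF_8);
    private static final long MAX_SKEW_MILLIS = 5 * 60 * 1000L; // reject stale assertions

    /** Binds this object at /federatedLoginService/examplesso (see "URL Binding"). */
    @Override
    public String getUrlName() {
        return "examplesso";
    }

    @Override
    public Class<? extends FederatedIdentity> getIdentityClass() {
        return ExampleSsoIdentity.class;
    }

    /**
     * Stapler-bound endpoint (/federatedLoginService/examplesso/finishLogin).
     * The identifier is treated as untrusted input until the freshness and
     * signature checks pass; only then is a FederatedIdentity created.
     */
    public HttpResponse doFinishLogin(@QueryParameter String identifier,
                                      @QueryParameter String ts,
                                      @QueryParameter String sig) throws IOException {
        if (identifier == null || ts == null || sig == null
                || !isFresh(ts) || !verifySignature(identifier, ts, sig)) {
            return HttpResponses.forbidden();
        }
        ExampleSsoIdentity identity = new ExampleSsoIdentity(identifier);
        if (User.current() != null) {
            // Already authenticated: link the verified identifier to this account.
            identity.addToCurrentUser();
        } else {
            // Anonymous: sign in as the user who previously claimed this identifier.
            // If nobody has, signin() throws UnclaimedIdentityException, which
            // propagates to Stapler and is rendered as the error response.
            identity.signin();
        }
        return HttpResponses.redirectToContextRoot();
    }

    private static boolean isFresh(String ts) {
        try {
            long issued = Long.parseLong(ts);
            return Math.abs(System.currentTimeMillis() - issued) <= MAX_SKEW_MILLIS;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    private static boolean verifySignature(String identifier, String ts, String sig) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SHARED_SECRET, "HmacSHA256"));
            byte[] expected = mac.doFinal((identifier + "|" + ts).getBytes(StandardCharsets.UTF_8));
            byte[] presented = Base64.getUrlDecoder().decode(sig);
            return MessageDigest.isEqual(expected, presented); // constant-time comparison
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false;
        }
    }

    /** The opaque identifier (plus profile hints) that Jenkins attaches to a User. */
    public class ExampleSsoIdentity extends FederatedIdentity {
        private final String identifier;

        ExampleSsoIdentity(String identifier) {
            // Canonicalize so the same IdP account always yields the same opaque string;
            // identifiers are only ever compared within this service.
            this.identifier = identifier.trim().toLowerCase(Locale.ROOT);
        }

        @Override public String getIdentifier()   { return identifier; }
        @Override public String getNickname()     { return identifier; }
        @Override public String getFullName()     { return null; }
        @Override public String getEmailAddress() { return null; }
        @Override public String getPronoun()      { return "ExampleSSO"; }
    }
}
```

The accompanying loginFragment.jelly view would render a link that starts the round trip to the identity provider; it is omitted here. The two decisions that matter for security are visible in doFinishLogin: nothing is associated with a User before the assertion has been verified with a constant-time comparison and a freshness window, and the same verified identifier is used for both linking (addToCurrentUser()) and signing in (signin()), so an attacker cannot claim an identifier simply by presenting it.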

Since:
1.394
Author:
Kohsuke Kawaguchi