Secure Jenkins with Keycloak SSO

This guide shows how to configure Jenkins to authenticate users via Keycloak using OpenID Connect (OIDC). It’s based on:

  • Jenkins: 2.492.3
  • Keycloak: 26.2.0
  • Plugin: OpenID Connect Authentication v4.494.v6b_f419104767

Prerequisites

  • Jenkins is publicly accessible at: https://jenkins.maksonlee.com
  • Keycloak is running at: https://keycloak.maksonlee.com
  • You have admin access to both Jenkins and Keycloak
  • You’ve created a Keycloak realm (e.g. maksonlee.com)

  1. Install OpenID Connect Plugin in Jenkins
  • Go to: Manage Jenkins → Plugin Manager → Available
  • Search for: OpenId Connect Authentication
  • Install the plugin and restart Jenkins

  2. Create Client in Keycloak for Jenkins

Basic Settings:

  • Navigate to: Clients → Create client
  • Fill in:
| Field | Value |
| --- | --- |
| Client Type | OpenID Connect |
| Client ID | jenkins |

Click Next

Capability Configuration:

Enable only:

  • Standard Flow

Disable everything else:

  • Implicit Flow
  • Direct Access Grants
  • Service Accounts
  • Authorization

Click Next

Login Settings:

| Field | Value |
| --- | --- |
| Root URL | https://jenkins.maksonlee.com |
| Valid Redirect URIs | https://jenkins.maksonlee.com/* |
| Web Origins | https://jenkins.maksonlee.com |
| Post Logout Redirect URI | https://jenkins.maksonlee.com |

Click Save


  3. Get the Client Secret
  • Go to: Clients → jenkins → Credentials
  • Copy the Client Secret for use in Jenkins

  4. Configure Jenkins with Keycloak OIDC

Go to: Manage Jenkins → Security

Set the Security Realm:

Login with Openid Connect

Then fill in:

| Field | Value |
| --- | --- |
| Client ID | jenkins |
| Client Secret | (paste from Keycloak) |
| Well-known endpoint | https://keycloak.maksonlee.com/realms/maksonlee.com/.well-known/openid-configuration |
| Advanced → Override scopes | openid email profile |

Advanced configuration → User fields

| Jenkins Field | Keycloak Claim |
| --- | --- |
| User name field name | preferred_username |
| Email field name | email |
| Full name field name | name |
| Groups field name | groups (optional) |

Click Save


  5. Test Login
  • Log out of Jenkins
  • You’ll be redirected to Keycloak for authentication
  • Once authenticated, you’ll be signed into Jenkins
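
If the login fails or Jenkins shows an empty user name or email, the values entered under "Configure Jenkins with Keycloak OIDC" can be checked offline. The following Python script is an added example, not part of the original guide or the plugin: it validates a discovery document against the issuer and scopes used above and lists which mapped claims are absent from an ID token. The function names and the sample data are constructed for illustration, and the endpoint paths in the sample assume Keycloak's usual /protocol/openid-connect layout.

```python
import base64
import json
from urllib.parse import urlparse

# Values from the guide; change them for your own realm.
ISSUER = "https://keycloak.maksonlee.com/realms/maksonlee.com"
SCOPES = {"openid", "email", "profile"}
USER_FIELD_CLAIMS = ("preferred_username", "email", "name")  # "groups" is optional

def check_discovery(doc, issuer=ISSUER):
    """Return a list of problems in an OIDC discovery document (empty = OK)."""
    problems = []
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    host = urlparse(issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlparse(doc.get(key, ""))
        if url.scheme != "https" or url.netloc != host:
            problems.append(f"{key} is not HTTPS on {host}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type 'code' (Standard Flow) not offered")
    unsupported = SCOPES - set(doc.get("scopes_supported", []))
    if unsupported:
        problems.append(f"scopes not supported: {sorted(unsupported)}")
    return problems

def missing_claims(id_token, required=USER_FIELD_CLAIMS):
    """Decode the JWT payload for inspection only (no signature check)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return [name for name in required if not claims.get(name)]

def make_sample_token(claims):  # constructed and unsigned, so the example runs offline
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])

# Constructed sample data, not captured from a real server.
OIDC = ISSUER + "/protocol/openid-connect"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": OIDC + "/auth",
    "token_endpoint": OIDC + "/token",
    "jwks_uri": OIDC + "/certs",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "email", "profile"],
}
SAMPLE_TOKEN = make_sample_token({"iss": ISSUER, "preferred_username": "alice",
                                  "email": "alice@example.com", "name": "Alice Example"})
```

Pass check_discovery the JSON served at the well-known endpoint and missing_claims an ID token from a test login; add "groups" to the required tuple if the Groups field is mapped in Jenkins.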
