Jenkins OKTA OIDC integration issue

Hello All

I am trying to integrate Jenkins (v2.438) with OKTA. I created an OKTA group and a Jenkins role with the same name and am still having issues when trying to log in. Below is the config I am using.

  okta: |
    jenkins:
      securityRealm:
        oic:
          clientId: "${okta-clientid}"
          clientSecret: "${okta-clientsecret}"
          wellKnownOpenIDConfigurationUrl: "${okta-issuerurl}/.well-known/openid-configuration"
          fullNameFieldName: "name"
          emailFieldName: "email"
          disableSslVerification: false
          logoutFromOpenidProvider: true
          escapeHatchEnabled: false
          endSessionEndpoint: "${okta-issuerurl}/v1/logout"
          postLogoutRedirectUrl: "https://test.com/OicLogout"
          userInfoServerUrl: "${okta-issuerurl}/v1/userinfo"
          automanualconfigure: "auto"
          tokenServerUrl: "${okta-issuerurl}/v1/token"
          authorizationServerUrl: "${okta-issuerurl}/v1/authorize"
          overrideScopes: "customgroups openid email"
      authorizationStrategy:
        roleBased:
          roles:
            global:
              - name: "admin"
                permissions:
                  - "Overall/Administer"
                entries:
                  - user: "admin"
              - name: "devops"
                permissions:
                  - "Overall/Administer"
                entries:
                  - user: "devops"
              - name: "readonly"
                permissions:
                  - "Overall/Read"
              - name: "authenticated"
                permissions:
                  - "Overall/Read"
                entries:
                  - group: "authenticated"
              - name: "JEKINS_ROLE_A"
                permissions:
                  - "Overall/Administer"
                entries:
                  - group: "OKTA_ROLE_A"
            items:
              - name: "JEKINS_ROLE_A"
                pattern: ".*"
                permissions:
                  - "Overall/Administer"
                entries:
                  - group: "OKTA_ROLE_A"

Can anyone please guide me here?

Hello and welcome to this community, @ananth-sabhapathi. :wave:

The configuration you provided seems correct. :thinking:

However, there might be a few things you want to check:

  • Make sure the Okta group and Jenkins role names are the same. They are case-sensitive as far as I know.
  • Make sure that the users are assigned to the correct Okta group.
  • Verify that the Okta application is assigned to the group.
  • Check if the users have the correct permissions in Jenkins.
  • Make sure the clientId, clientSecret, and issuerurl are correct.
  • Ensure that the overrideScopes field includes the scope that allows access to the group information. Usually, it’s the groups scope.

If you’ve checked all of these and are still having issues, you might want to look at the Jenkins logs for more detailed error messages. :person_shrugging:
This could give you more insight into what’s going wrong. :crossed_fingers:
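As an added diagnostic (not code from this thread, from Jenkins or from the oic-auth plugin), the check below encodes the bullets above in a few lines of Python: it decodes an ID token payload for inspection, confirms the requested scopes include the one that exposes groups, confirms a groups claim is actually configured and present, and compares the role-strategy group entries against the returned group values case-sensitively, reporting near misses that differ only in case. It assumes the oic-auth plugin reads group membership from the claim named by its `groupsFieldName` setting (an option the posted config does not set) and that the Okta scope exposing groups is called `groups`; the config fragment, token and group values are constructed placeholders, not the poster's real settings.

```python
import base64
import json

# Constructed JCasC fragment with the same shape as the posted config
# (placeholder values; note that "groupsFieldName" is deliberately absent).
OIC_CONFIG = {
    "overrideScopes": "customgroups openid email",
    "fullNameFieldName": "name",
    "emailFieldName": "email",
}

# Assumption: Okta exposes group membership through the "groups" scope.
GROUPS_SCOPE = "groups"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed ID token for local inspection; the signature is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return ".".join([header, payload, "constructed-signature"])


def jwt_claims(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying its signature.
    Inspection only: the plugin, not this helper, verifies tokens."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_group_mapping(oic_config: dict, claims: dict, role_group_entries: list) -> list:
    """Return a list of findings explaining why Okta groups may not map to Jenkins roles."""
    findings = []
    scopes = oic_config.get("overrideScopes", "").split()
    if GROUPS_SCOPE not in scopes:
        findings.append(f"requested scopes {scopes} do not include '{GROUPS_SCOPE}'")
    field = oic_config.get("groupsFieldName")
    if not field:
        findings.append("groupsFieldName is not set, so no claim is read as group membership")
        return findings
    groups = claims.get(field)
    if not isinstance(groups, list):
        findings.append(f"claim '{field}' is missing or not a list: {groups!r}")
        return findings
    for entry in role_group_entries:
        if entry in groups:
            continue  # exact, case-sensitive match: this entry is fine
        near = [g for g in groups if g.lower() == entry.lower()]
        if near:
            findings.append(f"role entry '{entry}' only matches {near[0]!r} case-insensitively")
        else:
            findings.append(f"role entry '{entry}' is not among returned groups {groups}")
    return findings


# Constructed sample: the IdP returns the group in a different case than the role entry.
SAMPLE_TOKEN = make_unsigned_token({
    "sub": "user@example.test",
    "email": "user@example.test",
    "groups": ["okta_role_a", "Everyone"],
})

if __name__ == "__main__":
    for finding in check_group_mapping(OIC_CONFIG, jwt_claims(SAMPLE_TOKEN), ["OKTA_ROLE_A"]):
        print("-", finding)
```

Run it against a real ID token or userinfo response captured from a test login (paste the token into `jwt_claims`) and against the actual `oic` fragment; an empty findings list means the scope, the claim name and the group spelling all line up, which is what the role strategy needs before it can grant the group any permission.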

@ananth-sabhapathi did you get this issue resolved? I am facing similar issues. I am trying to integrate Okta with Jenkins as well.

@poddingue I checked all the boxes and confirmed everything looks good.
The issue I am seeing is that the Jenkins server is not recognizing the Okta groups. Because of that, it is not providing access for the users in the Okta group.

I checked with Okta support in my org; they confirmed everything looks good on the Okta side as well.

Any suggestions/solutions appreciated. Thanks in advance.