Tags: CI/CD Automation, X-Forwarded-User, Zero-Day Shield

SSO + Zero-Day Protection for Jenkins

by Jenkins Project (CloudBees)

Add SAML/OIDC SSO to Jenkins and Shield Your CI/CD Pipeline from Zero-Day Exploits

Why Jenkins Needs an Authenticated Proxy

Jenkins is the most widely deployed CI/CD automation server, powering build and deployment pipelines for millions of projects. Yet Jenkins is also one of the most frequently targeted applications — with critical CVEs disclosed multiple times per year. Its plugin-based architecture creates a massive attack surface, and many organizations expose Jenkins directly to the network with basic username/password authentication. OnePAM eliminates this risk by placing an identity-aware reverse proxy in front of Jenkins. Users authenticate via your corporate IdP (Okta, Azure AD, Google Workspace), and OnePAM injects the authenticated identity via the X-Forwarded-User HTTP header. Jenkins never sees unauthenticated traffic. Every request is verified, every session is audited, and zero-day exploits in Jenkins or its plugins cannot be reached by unauthenticated attackers.

HTTP Header Authentication: X-Forwarded-User

Jenkins supports reverse proxy authentication via the X-Forwarded-User header. When configured with the Reverse Proxy Auth Plugin, Jenkins trusts the authenticated user identity from this header, eliminating the need for Jenkins-native login.

Jenkins Vulnerability Risks

Without an authenticated proxy, these risks are directly exploitable by any network-reachable attacker.

Jenkins has averaged 15+ critical CVEs per year since 2020
Plugin vulnerabilities (1800+ plugins) create an unpredictable attack surface
RCE via Groovy script console is a frequent exploitation target
Credential theft from Jenkins credential store affects entire CI/CD supply chain

Security Challenges with Jenkins

These are the risks organizations face when Jenkins is not behind an authenticated proxy.

Frequent Critical CVEs

Jenkins and its plugins disclose critical vulnerabilities regularly. Without an authenticated proxy, every CVE is directly exploitable by any network-reachable attacker.

Credential Sprawl

Jenkins uses its own user database or LDAP integration, creating yet another password for developers to manage outside your corporate IdP.

No Native SAML/OIDC

Jenkins SAML and OIDC plugins exist but are complex to configure, frequently break on upgrades, and add to the plugin attack surface.

Supply Chain Risk

A compromised Jenkins instance gives attackers access to source code, build artifacts, deployment credentials, and production infrastructure.

Overprivileged Access

Developers often have admin access to Jenkins for pipeline debugging. Without centralized identity, enforcing least-privilege is nearly impossible.

No Session Auditing

Jenkins provides minimal audit logging for web sessions. Who accessed what pipeline, when, and from where is difficult to reconstruct.

How OnePAM Adds SSO + Zero-Day Protection to Jenkins

A step-by-step guide to deploying OnePAM's authenticated proxy in front of Jenkins.

1. Deploy OnePAM in Front of Jenkins

Place OnePAM as a reverse proxy between your network and the Jenkins web interface.

OnePAM intercepts all HTTP/HTTPS traffic to Jenkins. Jenkins is configured to only accept connections from OnePAM, making it unreachable directly. This immediately shields Jenkins from network-based attacks.

2. Connect Your Identity Provider

Configure your corporate IdP (Okta, Azure AD, Google Workspace, or any SAML 2.0/OIDC provider) as the authentication source.

OnePAM handles the full SAML/OIDC handshake. Users are redirected to your IdP, authenticate with MFA, and are returned with a signed assertion that OnePAM validates.

3. Enable HTTP Header Authentication

OnePAM injects the authenticated user identity into the X-Forwarded-User header on every proxied request.

Jenkins is configured with the Reverse Proxy Auth Plugin to trust the X-Forwarded-User header. When a request arrives with this header, Jenkins automatically creates or maps the user session — no Jenkins login page, no password. Because Jenkins accepts the header value as proof of identity, this trust is only safe while Jenkins is reachable solely through OnePAM (step 1), so that the header can never be supplied by a client.

4. Define Access Policies

Set granular access rules: who can access Jenkins, from where, at what times, and with what MFA requirements.

OnePAM policies can restrict Jenkins access by IdP group, IP range, device posture, and time window. Developers get access; contractors get read-only; production deploy pipelines require step-up MFA.

5. Audit, Record, Comply

Every Jenkins session is logged with full IdP context. Optional session recording captures the entire web interaction.

Compliance teams get a unified audit trail: who accessed Jenkins, which IdP authenticated them, what MFA method was used, from which device and location, and optionally a full session recording.
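The security-critical detail of steps 1 and 3 is that the identity headers must originate from the proxy and never from the client. The following is an added example (not OnePAM's or the Jenkins project's code) that models that behaviour: any client-supplied copy of the identity headers is discarded, the headers are set only from the validated IdP session, and the Jenkins host accepts connections only from the proxy's address range. The Session shape, the proxy network, and the group header name and "|" delimiter are assumptions (the group header and delimiter are meant to match the Reverse Proxy Auth Plugin's defaults; check them against your plugin configuration).

```python
"""Header hygiene for an identity-aware reverse proxy in front of Jenkins.

Constructed example, not OnePAM or Jenkins project code. It models the part
of step 3 that matters for security: the proxy is the only source of the
identity headers, so every client-supplied copy is dropped before the proxy
sets its own from the validated session.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# X-Forwarded-User is the header named on the page. The group header name and
# the "|" delimiter are ASSUMED to match the Reverse Proxy Auth Plugin defaults.
USER_HEADER = "X-Forwarded-User"
GROUPS_HEADER = "X-Forwarded-Groups"
GROUPS_DELIMITER = "|"
IDENTITY_HEADERS = {USER_HEADER.lower(), GROUPS_HEADER.lower()}


@dataclass
class Session:
    """Identity established by the SAML/OIDC handshake (hypothetical shape)."""
    user: str
    groups: List[str] = field(default_factory=list)
    mfa_verified: bool = False


def strip_identity_headers(client_headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the inbound headers with every client-supplied identity header
    removed. Header names are matched case-insensitively, so a lowercase
    'x-forwarded-user' sent by a client is dropped as well."""
    return {k: v for k, v in client_headers.items()
            if k.lower() not in IDENTITY_HEADERS}


def proxy_request(client_headers: Dict[str, str],
                  session: Optional[Session]) -> Tuple[str, Optional[Dict[str, str]]]:
    """Decide what the proxy does with one request.

    Returns ("redirect_to_idp", None) when no validated session exists, so
    nothing is forwarded to Jenkins; otherwise ("forward", upstream_headers)
    with the identity headers set from the session alone.
    """
    if session is None:
        return ("redirect_to_idp", None)
    if not session.user or any(ch in session.user for ch in "\r\n"):
        # A CR/LF in the value would allow header injection into the upstream
        # request; refuse rather than forward a malformed identity.
        raise ValueError("session identity is not a valid header value")
    upstream = strip_identity_headers(client_headers)
    upstream[USER_HEADER] = session.user
    upstream[GROUPS_HEADER] = GROUPS_DELIMITER.join(session.groups)
    return ("forward", upstream)


def jenkins_accepts(remote_addr: str, proxy_networks: List[str]) -> bool:
    """Step 1 expressed as a check: the Jenkins host accepts connections only
    from the proxy's networks. In practice this is a host firewall or a
    bind-to-localhost setting rather than application code."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(net) for net in proxy_networks)


if __name__ == "__main__":
    # Constructed request: a client tries to supply its own identity header.
    spoofed = {"Host": "jenkins.example.internal",      # hypothetical host
               "x-forwarded-user": "admin",
               "User-Agent": "constructed-client/1.0"}
    action, headers = proxy_request(spoofed, Session("alice", ["dev", "deployers"]))
    print(action, headers)
    print(proxy_request(spoofed, None))
    print(jenkins_accepts("10.0.1.5", ["10.0.1.0/24"]),       # proxy subnet (assumed)
          jenkins_accepts("203.0.113.9", ["10.0.1.0/24"]))
```

The proxy never validates the client's copy of the header; it simply cannot survive the hop. Pairing that with the network restriction in jenkins_accepts is what makes Jenkins's unconditional trust in X-Forwarded-User acceptable.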

Benefits of Securing Jenkins with OnePAM

Measurable security and operational outcomes from deploying OnePAM in front of Jenkins.

Shield from Zero-Day Exploits

Unauthenticated attackers cannot reach Jenkins — every request must pass through OnePAM's identity verification. CVEs in Jenkins or its plugins become unexploitable by unauthenticated remote attackers.

100% of unauthenticated attacks blocked

Eliminate Jenkins Passwords

Developers authenticate with their corporate credentials via SSO. No separate Jenkins accounts, no password resets, no credential fatigue.

Zero Jenkins-specific passwords

Enforce MFA for CI/CD

Require multi-factor authentication for Jenkins access using your IdP's MFA — push notifications, FIDO2 keys, or biometrics.

100% MFA-protected pipelines

Instant Deprovisioning

When a developer leaves, disable them in your IdP and Jenkins access stops immediately. No orphan Jenkins accounts.

Real-time access revocation

Unified Audit Trail

Every Jenkins access event appears in OnePAM's centralized audit log alongside all other application access events.

Complete session visibility

No Jenkins Plugin Risk

Remove the SAML/OIDC/LDAP plugins from Jenkins entirely. OnePAM handles authentication externally, reducing Jenkins's attack surface.

Fewer plugins = smaller attack surface

Jenkins SSO Capabilities

Every feature needed to provide enterprise-grade SSO and access control for Jenkins.

SAML 2.0 & OIDC SSO via X-Forwarded-User header injection
Compatible with Jenkins Reverse Proxy Auth Plugin
Group-to-Jenkins-role mapping from IdP attributes
Pipeline-level access policies (restrict who can trigger builds)
Session recording for compliance and forensics
IP and geo-restriction for Jenkins access
Device trust verification before granting access
Idle timeout and concurrent session controls
Automatic user provisioning from IdP groups
API token access policies and auditing

Zero-Day Protection Features

Enterprise-grade security controls that shield Jenkins from exploitation.

Jenkins isolated from direct network access
TLS termination and re-encryption to Jenkins
Request-level authentication on every HTTP call
WAF-grade request inspection before proxying
Signed SAML assertions with certificate pinning
Automatic session termination on IdP sign-out

Jenkins SSO + Security Use Cases

Common scenarios where organizations deploy OnePAM in front of Jenkins.

1. Development teams accessing Jenkins via corporate SSO with MFA enforcement
2. Restricting production deployment pipelines to senior engineers with step-up authentication
3. Providing read-only Jenkins access to QA and compliance teams with session recording
4. Securing Jenkins in restricted environments with on-premise IdP integration
5. Auditing contractor access to CI/CD pipelines with time-limited sessions
6. Protecting Jenkins from internet-facing zero-day exploits while maintaining developer productivity

Jenkins SSO + Security FAQ

Common questions about deploying OnePAM's authenticated proxy for Jenkins.

Does OnePAM require changes to Jenkins configuration?

Minimal. You install the Reverse Proxy Auth Plugin (a one-time action) and configure Jenkins to trust the X-Forwarded-User header. No pipeline changes, no Jenkinsfile modifications, no plugin upgrades required.

How does OnePAM protect Jenkins from zero-day vulnerabilities?

OnePAM ensures that only authenticated users can reach Jenkins. Unauthenticated network traffic is blocked before it reaches the Jenkins process. This means that vulnerabilities which must be reached over the network (the vast majority) cannot be exploited by unauthenticated external attackers.

Can we still use Jenkins API tokens for automation?

Yes. OnePAM can be configured to pass through API token authentication for automated pipeline triggers while requiring SSO for interactive web sessions. You define which paths require SSO and which allow API token auth.
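The answer above describes a per-path policy: interactive paths require an SSO session, while selected automation paths may carry a Jenkins API token through to Jenkins, which validates the token itself. The following is an added example (not OnePAM's policy engine) of such a decision function. The allow-listed path patterns are assumptions for illustration and cover only single-level job paths; a real policy would be tuned to your job layout.

```python
"""Per-path authentication policy for a proxy in front of Jenkins.

Constructed example, not OnePAM's or Jenkins's code. Interactive web paths
require an SSO session; allow-listed automation paths may pass HTTP Basic
credentials (Jenkins user:API-token) through, and Jenkins validates them.
The proxy never validates the token; it only confines token auth to the
allow-listed paths and keeps every other path behind SSO.
"""
import base64
import re
from typing import Dict, List

# ASSUMED allow-list for illustration: anchored patterns, single-level job names.
API_TOKEN_PATHS: List[re.Pattern] = [
    re.compile(r"^/job/[^/]+/build(WithParameters)?$"),  # trigger a build
    re.compile(r"^/job/[^/]+/api/json$"),                # read job status
]


def has_basic_credentials(headers: Dict[str, str]) -> bool:
    """True if the request carries well-formed HTTP Basic credentials
    ('user:token'). Malformed base64 or a missing token is treated as absent."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not auth.lower().startswith("basic "):
        return False
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, token = decoded.partition(":")
    return bool(user) and sep == ":" and bool(token)


def is_api_token_path(path: str) -> bool:
    return any(p.match(path) for p in API_TOKEN_PATHS)


def decide(path: str, headers: Dict[str, str], has_sso_session: bool) -> str:
    """Return the proxy's action for one request:
    'forward_sso'       - validated SSO session, any path
    'forward_api_token' - allow-listed automation path with Basic credentials
    'deny'              - automation path without credentials (no IdP redirect
                          for non-interactive clients)
    'redirect_to_idp'   - everything else starts the SSO flow
    Client-supplied identity headers are stripped on every forwarded path.
    """
    if has_sso_session:
        return "forward_sso"
    if is_api_token_path(path):
        return "forward_api_token" if has_basic_credentials(headers) else "deny"
    return "redirect_to_idp"


if __name__ == "__main__":
    # Constructed credential: base64 of "bot:11abc" (placeholder token).
    bot = {"Authorization": "Basic Ym90OjExYWJj"}
    print(decide("/job/deploy-prod/build", bot, False))   # forward_api_token
    print(decide("/job/deploy-prod/build", {}, False))    # deny
    print(decide("/script", bot, False))                  # redirect_to_idp
    print(decide("/script", {}, True))                    # forward_sso
```

Note that the script console path is deliberately not on the allow-list: a token alone never reaches it, so only an SSO session (with whatever step-up MFA the policy requires) can.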

Which Jenkins versions are supported?

OnePAM works with any Jenkins version that supports reverse proxy authentication — Jenkins 2.x and later. Both Jenkins LTS and weekly releases are supported.

Does OnePAM affect Jenkins performance?

OnePAM adds minimal latency (typically <5ms per request). For CI/CD workloads, this is imperceptible. The security benefits far outweigh any marginal latency.

Can we map IdP groups to Jenkins roles?

Yes. OnePAM passes IdP group memberships as HTTP headers. Jenkins can map these groups to its internal authorization matrix, enabling centralized role management from your IdP.

Ready to Secure Jenkins with SSO + Zero-Day Protection?

Deploy OnePAM in minutes — no Jenkins code changes required. Start your free 14-day trial today.