Setting Up OpenID Connect Federated Single Sign-On (SSO)
Codefresh natively supports login using GitHub, Bitbucket and GitLab using the OpenID Connect (OAUTH 2.0) protocol. You can add new SSO integrations based on OAUTH 2.0 as part of the Codefresh Enterprise plan.
To successfully add an identity provider in Codefresh, you must configure settings both for the identity provider and in Codefresh. You need to:
- Configure your identity provider to provide SSO services to Codefresh. The configuration differs per identity provider.
- Set up Codefresh to point to your identity provider, common for all identity providers.
SSO is only available to Enterprise customers. Please contact sales in order to enable it for your Codefresh account.
SSO configuration using OAuth2
SSO configuration in Codefresh is similar regardless of the identity provider selected. These settings are common to all providers:
- Display Name: The name of your identity provider
- Client ID: The ID used for the connection
- Client Secret: The secret associated with the ID
For detailed information on how to configure SSO for your identity provider, see the following:
Test SSO with your identity provider
Once you configure SSO for your identity provider, do the following:
- On the sidebar, below User Management, select People.
- Add an active user for testing purposes. We recommend you use your own user.
- Change Login method by selecting your Auth provider in the SSO drop-down.
- Keep the current browser session open, and log in via Corporate SSO in an incognito tab (or another browser).
- If everything works as expected, add more users.
Before enabling SSO for all users, you MUST make sure that it works for the test user. Once SSO is enabled for a user, Codefresh blocks logins through other IDPs for this user, and only allows login through the enabled SSO. If the selected SSO method does not work for some reason, the user is locked out of Codefresh.
Select SSO method for collaborators
To add users and select their SSO method, from the sidebar, select Collaborators. Then add the user’s email or Codefresh username.
In addition to their role, you can now select the SSO method to use:
SSO login for new and existing users
If you have multiple SSO providers configured, you can select a different provider for each user if so required.
If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization.
SSO login is not configured by default for existing users. You must explicitly select the SSO provider for existing users.
If SSO login is already configured for an existing user, and you add a new identity provider, to change the SSO login to the new provider, you must select the new provider for the user.
Define a default identity provider
If you have multiple identity providers for SSO, you can define one of them as your default provider.
When you define a default provider:
- The SSO method is automatically selected for all newly invited users
- All new users receive an email with an invite link that points directly to the login page of that SSO provider
- Mouse over the top-right of the SSO screen
Sync teams after initial SSO setup
For example, to sync you azure teams you can execute:
codefresh synchronize teams my-client-name -t azure
You can find the client-name from the SSO UI.
Even though you can run this command manually, it makes more sense to run it periodically as a job. And the obvious way to perform this is with a Codefresh pipeline. The CLI can be used as a freestyle step.
You can create a git repository with a codefresh.yml file with the following contents:
To fully automate this pipeline, set a cron trigger for this pipeline. The cron-trigger is responsible for running this pipeline, (and therefore synchronizing the teams), in a fully automated manner. This way you can synchronize your teams every day/week/hour depending on you cron trigger setup.