Setting up OIDC Federated SSO
OpenID Connect (OIDC) Single Sign-On (SSO) setup
Codefresh natively supports login with GitHub, Bitbucket and GitLab, using the OpenID Connect (OAuth2) protocol.
To successfully add an identity provider (IdP) in Codefresh, you need to do some preparatory work with both Codefresh and the provider:
- Inform your IdP that it will provide SSO services to Codefresh
- Set up Codefresh and point it to your IdP.
The first procedure differs according to your IdP, but the second one is common to all providers.
SSO is only available to Enterprise customers. Please contact sales in order to enable it for your Codefresh account.
OIDC SSO configuration in Codefresh
Here’s what you need to do to configure SSO via OIDC in Codefresh:
- Configure SSO settings for the IdP:
This generally includes defining settings both in Codefresh and in the IdP.
Codefresh supports OIDC SSO for the following:
Test integration with the IdP:
Before enabling SSO for users in Codefresh, you MUST make sure that it is working for the test user.
When SSO is enabled for a user, Codefresh allows login only through the SSO and blocks logins through other IdPs. If the selected SSO method does not work for some reason, the user is locked out of Codefresh.
- In the Codefresh UI, on the toolbar, from your avatar dropdown, select Account Settings.
- In the sidebar, from Access & Collaboration, select Users & Teams.
- Add an active user to be used for testing. We recommend you use your own user.
- From the SSO dropdown, select the provider you want to test.
- Keep the current browser session open, and log in via Corporate SSO in an incognito tab (or another browser).
- (Optional) Set a default SSO provider for account
You can select an IdP as the default SSO provider for a Codefresh account. This means that all the new users added to that account will automatically use the selected IdP for signin.
- (Optional) Select SSO method for individual users
You can also select if needed, a different SSO provider for specific users.
Codefresh has an internal cache for SSO configuration, and it can take up to five minutes for your changes to take effect.