Common configuration for SSO providers

Set up team sync, default SSO provider for accounts

Once you create an SSO provider account in Codefresh, you can:

  • Automatically or manually sync the teams created in your Identity Provider (IdP) with Codefresh
  • Set a default SSO provider for your account
  • Override the account-level SSO provider for specific users

Syncing teams in IdPs with Codefresh

Team sync synchronizes all users and teams provisioned in the SSO provider with Codefresh.

In Codefresh you can sync users and teams either automatically or manually:

  • Automatically, in the Codefresh UI if the option is supported for your SSO provider
  • Manually, either on-demand through the Codefresh CLI, or through a Codefresh pipeline

Team-sync support in Codefresh for SSO providers

The table lists the SSO providers supported in Codefresh and the team-sync option available for them.

Protocol  SSO provider  Automated team-sync  Manual team-sync
OIDC      Auth0         -                    -
          Azure         Yes                  Yes
          Google        -                    Yes
          Keycloak      -                    Yes
          Okta          Yes                  Yes
          OneLogin      -                    Yes
LDAP      LDAP          -                    Yes
SAML      GSuite        Yes                  Yes
          JumpCloud     -                    -
          Okta          Yes                  Yes
          OneLogin      -                    -
          PingID        -                    -

Automated team-sync in Codefresh UI

The automated team-sync option is only available in the Codefresh UI.
This is the general workflow for automated team-sync in Codefresh:

  1. Codefresh syncs users and groups through the SSO API, and grants SSO permissions for each invited user during sync.
  2. You set up the SSO provider in Codefresh, and select one or both options for automated team-sync:
    • If only the Auto-sync users and teams option is selected, Codefresh automatically triggers a sync at the interval defined. On first-time sign-in, the invited user needs to enter additional information such as First Name, Last Name, Country.
    • If the Activate user option is also selected (when available), on first-time sign-in, the invited user is automatically authenticated without having to enter additional information.

Manual team-sync via CLI

Manually synchronize users and teams provisioned in your SSO provider account, on-demand, through the Codefresh CLI with the synchronize teams command.

NOTE
Make sure that there are no domain restrictions on the email address.

As an example, you can sync your Azure teams with the CLI:

codefresh synchronize teams <my-client-name> -t azure

where:
<my-client-name> is the Client Name/Assertion URL/Callback URL that is automatically generated by Codefresh when you save the SSO configuration for your provider.

SSO Client Name

Manual team-sync with Codefresh pipelines

As an alternative to manually syncing teams on demand via the Codefresh CLI, you can manually sync teams using Codefresh pipelines.

NOTE
Make sure that there are no domain restrictions on the email address.

A pipeline makes it possible to run team-sync periodically as a job. You can use the CLI as a freestyle step, as in the example below. You can create a Git repository with a codefresh.yml file with the following content:

version: '1.0'
steps:
  syncMyTeams:
    title: syncTeams
    image: codefresh/cli
    commands:
      - 'codefresh synchronize teams my-client-name -t azure'

To fully automate the pipeline, you can set a Cron trigger for it. Depending on how you set up your Cron trigger, you can synchronize your teams every day/week/hour.

Sync GitHub organization teams to Codefresh

As an admin, you may want to sync your GitHub Organization Teams with your Codefresh account without setting up an SSO provider, so that users can keep signing in with any login provider they choose.

The Personal Access Token (PAT) from a user will sync ALL Organizations and ALL Teams to which the user has access. It is recommended to use a “machine” account that has access only to the one organization you need.

  1. Create a PAT that has access to read organizations and teams
  2. Install and configure the Codefresh CLI

    codefresh synchronize teams github -t github --tk $GHTOKEN

  3. The sync will invite all users except for those that have private email settings turned on.

Once the initial sync happens, you can set up a cron trigger pipeline to run the command on a schedule.
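Because the PAT syncs every organization the token can see, a guard in front of the sync command is worth having. The script below is an added example, not part of the Codefresh docs or CLI: it lists the token's organizations through GitHub's /user/orgs endpoint and only runs the sync when exactly the expected organization is visible. GHTOKEN and EXPECTED_ORG are assumed environment variables, and the sample JSON is constructed.

```shell
#!/bin/sh
# Guard for the GitHub team-sync step: refuse to run the sync unless the PAT
# sees exactly one organization, the one we intend to sync. The /user/orgs
# endpoint is GitHub's; EXPECTED_ORG and the sample JSON are constructed here.
set -eu

# Extract the "login" values from a /user/orgs JSON response, one per line.
# Plain text processing so the check works without jq.
orgs_from_json() {
  printf '%s' "$1" | tr -d '\n' \
    | grep -o '"login"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | sed 's/.*"\([^"]*\)"$/\1/'
}

# Returns 0 when the token sees only the expected org, 1 otherwise.
# $1 = JSON from /user/orgs, $2 = expected organization login.
token_scoped_to_org() {
  orgs=$(orgs_from_json "$1")
  count=$(printf '%s\n' "$orgs" | grep -c . || true)
  [ "$count" -eq 1 ] && [ "$orgs" = "$2" ]
}

# Constructed sample responses in the shape GitHub returns for /user/orgs.
SAMPLE_OK='[{"login": "example-org", "id": 1}]'
SAMPLE_TOO_BROAD='[{"login": "example-org", "id": 1}, {"login": "personal-side-org", "id": 2}]'

# Live run only when a token and the expected org are exported (assumed names).
if [ -n "${GHTOKEN:-}" ] && [ -n "${EXPECTED_ORG:-}" ]; then
  orgs_json=$(curl -sf -H "Authorization: Bearer $GHTOKEN" \
                   -H "Accept: application/vnd.github+json" \
                   https://api.github.com/user/orgs)
  if token_scoped_to_org "$orgs_json" "$EXPECTED_ORG"; then
    codefresh synchronize teams github -t github --tk "$GHTOKEN"
  else
    echo "refusing to sync: token sees organizations other than $EXPECTED_ORG:" >&2
    orgs_from_json "$orgs_json" >&2
    exit 1
  fi
fi
```

Run it in the same cron-triggered pipeline step in place of the bare sync command, so a token that has quietly gained access to extra organizations fails the job instead of inviting their members.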

Set a default SSO provider for account

If you have multiple SSO providers, you can set one of them as the default provider for your account. Setting a default provider assigns the selected SSO automatically to all new users in the account. The link in the email invitation takes them directly to the login page of that SSO provider.

  1. In the Codefresh UI, go to Single Sign-On.
  2. From the list, select the SSO account to set as default and click the Edit icon on the right.
  3. Scroll down and select Set as default. The Single Sign-on page shows the SSO provider tagged as the default.

Set default SSO provider for account

Single Sign-on list showing the default SSO provider

Select SSO provider for individual users

If a default SSO provider is set for your account, you can override it with a different SSO provider for specific users if required.

  • New users
    If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization. You can change the SSO provider later.

  • Existing users
    SSO login is not configured by default for existing users. You must explicitly select the SSO provider for existing users.
    If SSO login is already configured for an existing user and you add a new identity provider, you must select the new provider for that user to switch their SSO login to it.

How to

  1. In the Codefresh UI, on the toolbar, from your avatar dropdown, select Account Settings.
  2. In the sidebar, from Access & Collaboration, select Users & Teams.
  3. For the user, select the SSO provider from the SSO list.

Selecting a different SSO provider for specific user
