Common configuration for SSO providers

Set up team sync, default SSO provider for accounts

Once you create an SSO provider account in Codefresh, you can:

  • Automatically or manually sync the teams created in your Identity Provider (IdP) with Codefresh
  • Set a default SSO provider for your account
  • Override the account-level SSO provider for specific users

Syncing teams in IdPs with Codefresh

Team sync synchronizes all users and teams provisioned in the SSO provider with Codefresh.

In Codefresh you can sync users and teams either automatically or manually:

  • Automatically, in the Codefresh UI if the option is supported for your SSO provider
  • Manually, either on-demand through the Codefresh CLI, or through a Codefresh pipeline

Team-sync support in Codefresh for SSO providers

The table lists the SSO providers supported in Codefresh and the team-sync option available for them.

Protocol SSO provider Team-sync  
    Automated Manual
OIDC Auth0 - -
  Google -
  Keycloak -
  OneLogin -
LDAP   -
  JumpCloud - -
  OneLogin - -
  PingID - -

Automated team-sync in Codefresh UI

The automated team-sync option is only available in the Codefresh UI.
This is the general workflow for automated team-sync in Codefresh:

  1. Codefresh syncs users and groups through the SSO API, and grants SSO permissions for each invited user during sync.
  2. You set up the SSO provider in Codefresh, and select one or both options for automated team-sync:
    • If only the Auto-sync users and teams option is selected, Codefresh automatically triggers a sync at the interval defined. On first-time sign-in, the invited user needs to enter additional information such as First Name, Last Name, Country.
    • If the Activate user option is also selected (when available), on first-time sign-in, the invited user is automatically authenticated without having to enter additional information.

Manual team-sync via CLI

Manually synchronize users and teams provisioned in your SSO provider account, on-demand, through the Codefresh CLI with the synchronize teams command.

Make sure that there are no domain restrictions on the email address.

As an example, you can sync your Azure teams with the CLI:

codefresh synchronize teams <my-client-name> -t azure

<my-client-name> is the Client Name/Assertion URL/Callback URL that is automatically generated by Codefresh when you save the SSO configuration for your provider.

SSO Client Name

SSO Client Name

Manual team-sync with Codefresh pipelines

As an alternative to manually syncing teams on demand via the Codefresh CLI, you can manually sync teams using Codefresh pipelines.

Make sure that there are no domain restrictions on the email address.

A pipeline makes it possible to run team-sync periodically as a job. You can use the CLI as a freestyle step, as in the example below. You can create a Git repository with a codefresh.yml file with the following content:

version: '1.0'
    title: syncTeams
    image: codefresh/cli
      - 'codefresh synchronize teams my-client-name -t azure'

To fully automate the pipeline, you can set a Csron trigger for it. Depending on how you set up your Cron trigger, you can synchronize your teams every day/week/hour.

Sync GitHub organization teams to Codefresh

As an admin, you may want to sync your GitHub Organization Teams with your Codefresh account. At the same time, you do not want to set up an SSO provider and have the users use any login provider they choose.

The Personal Access Token (PAT) from a user will sync ALL Organizations and ALL Teams to which the user has access. It is recommended to use a “machine” account to access the one organization you need.

  1. Create a PAT that has access to read organizations and teams
  2. Install and configure the Codefresh CLI

    codefresh synchronize teams github -t github --tk $GHTOKEN

  3. The sync will invite all users except for those that have private email settings turned on.

Once the initial sync happens, you can set up a cron trigger pipeline to run the command on a schedule.

Set a default SSO provider for account

If you have multiple SSO providers, you can set one of them as the default provider for your account. Setting a default provider assigns the selected SSO automatically to all new users in the account. The link in the email invitation takes them directly to the login page of that SSO provider.

  1. In the Codefresh UI, go to Single Sign-On.
  2. From the list, select the SSO account to set as default and click the Edit icon on the right.
  3. Scroll down and select Set as default. The Single Sign-on page shows the SSO provider tagged as the default.

Set default SSO provider for account

Set default SSO provider for account

Single Sign-on list showing the default SSO provider

Single Sign-on list showing the default SSO provider

Select SSO provider for individual users

You can override the default SSO provider if set for your account, with a different SSO provider for specific users if so required.

  • New users
    If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization. You can change the SSO provider later.

  • Existing users
    SSO login is not configured by default for existing users. You must explicitly select the SSO provider for existing users.
    If SSO login is already configured for an existing user, and you add a new identity provider, to change the SSO login to the new provider, you must select the new provider for the user.

How to

  1. In the Codefresh UI, on the toolbar, from your avatar dropdown, select Account Settings.
  2. In the sidebar, from Access & Collaboration, select Users & Teams.
  3. For the user, select the SSO provider from the SSO list.

Selecting a different SSO provider for specific user

Selecting a different SSO provider for specific user

Setting up OIDC Federated SSO
Setting up SAML2 Federated SSO
LDAP Single Sign-On (SSO)