Synchronize Teams

Syncing of Teams After Initial SSO Setup

Overview

Once the initial SSO setup is done, you can also sync your teams between Codefresh and the identity provider. You do this with the Codefresh CLI, specifically the synchronize teams command.

Note: Team Sync is available for OIDC Providers. Syncing with SAML is available with Google only.

For example, to sync your Azure teams, run:

codefresh synchronize teams my-client-name -t azure

You can find the client-name from the SSO UI.

SSO Client Name

Even though you can run this command manually, it makes more sense to run it periodically as a job. The obvious way to do this is with a Codefresh pipeline, where the CLI can be used as a freestyle step.

You can create a git repository with a codefresh.yml file with the following contents:

version: '1.0'
steps:
  syncMyTeams:
    title: syncTeams
    image: codefresh/cli
    commands:
      - 'codefresh synchronize teams my-client-name -t azure'

To fully automate this pipeline, set a cron trigger for it. The cron trigger is responsible for running the pipeline (and therefore synchronizing the teams) without manual intervention.

This way you can synchronize your teams every day, week, or hour, depending on your cron trigger setup.

Synchronize Teams Not Inviting New Users

When running the codefresh synchronize teams command, new users will not be invited to Codefresh. The output of the command will look similar to the following:

[
  {
    "action": "update",
    "teams": [
      {
        "team": "developers",
        "members": [
          {
            "members": [],
            "action": "create"
          }
        ]
      },
      {
        "team": "DevOps",
        "members": [
          {
            "members": [],
            "action": "create"
          }
        ]
      }
    ]
  }
]

The cause is that the “Restrict inviting additional users by email address domain” setting is enabled for the account. To fix it:

  1. Navigate to Account Settings > User & Teams > Security
  2. Toggle off “Restrict inviting additional users by email address domain.”
  3. Save.
  4. Rerun the sync command.
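
A scheduled sync can hit this condition with nobody watching the logs, so a pipeline step can inspect the command output and fail when a team reports no members. The following is an added example, not part of the Codefresh CLI or documentation; it assumes the output has the shape shown above, and the function names and sample data are constructed for illustration.

```python
import json
import sys

# Constructed sample in the same shape as the output shown above.
SAMPLE_OUTPUT = """
[
  {"action": "update",
   "teams": [
     {"team": "developers", "members": [{"members": [], "action": "create"}]},
     {"team": "DevOps", "members": [{"members": ["a@example.com"], "action": "create"}]}
   ]}
]
"""

def summarize_sync(raw):
    """Return {team: {action: member_count}} from the sync output JSON."""
    summary = {}
    for result in json.loads(raw):
        for team in result.get("teams", []):
            counts = summary.setdefault(team["team"], {})
            for change in team.get("members", []):
                action = change.get("action", "unknown")
                counts[action] = counts.get(action, 0) + len(change.get("members", []))
    return summary

def teams_without_changes(summary):
    """Teams where every reported action touched zero members."""
    return sorted(t for t, c in summary.items() if sum(c.values()) == 0)

def main(argv):
    # Read saved CLI output from a file if given, else use the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_OUTPUT
    summary = summarize_sync(raw)
    for team, counts in summary.items():
        print(f"{team}: {counts}")
    empty = teams_without_changes(summary)
    if empty:
        print("no members changed for: " + ", ".join(empty), file=sys.stderr)
        return 1  # non-zero exit fails the pipeline step
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

An empty member list is a prompt to check the domain restriction setting, not proof that it is the cause.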

Sync GitHub Organization Teams to Codefresh

As an admin, you may want to sync your GitHub Organization Teams with your Codefresh account without setting up an SSO provider, so that users can keep using any login provider they choose.

A user's Personal Access Token (PAT) will sync ALL Organizations and ALL Teams to which that user has access. It is recommended to use a “machine” account that accesses only the one organization you need.

  1. Create a PAT that has access to read organizations and teams
  2. Install and configure the Codefresh CLI

    codefresh synchronize teams github -t github --tk $GHTOKEN

  3. The sync will invite all users except for those that have private email settings turned on.

Once the initial sync happens, you can set up a cron trigger pipeline to run the command on a schedule.