Common configuration for SSO providers

Set up team sync, default SSO provider for accounts

Once you create an SSO provider account in Codefresh, you can:

• Automatically or manually sync the teams created in your Identity Provider (IdP) with Codefresh
• Set a default SSO provider for your account
• Override the account-level SSO provider for specific users

Syncing teams in IdPs with Codefresh

Team sync synchronizes all users and teams provisioned in the SSO provider with Codefresh.

In Codefresh you can sync users and teams either automatically or manually:

• Automatically, in the Codefresh UI if the option is supported for your SSO provider
• Manually, either on-demand through the Codefresh CLI, or through a Codefresh pipeline

Team-sync support for SSO providers

The table lists the SSO providers supported and the team-sync option available for them.

Automated team-sync in Codefresh UI

The automated team-sync option is only available in the Codefresh UI.

Flow for automated team-sync

1. Codefresh syncs users and groups through the SSO API, and grants SSO permissions for each invited user during sync.
2. You set up the SSO provider in Codefresh, and select one or both options for automated team-sync:
   • If only the Auto-sync users and teams option is selected, Codefresh automatically triggers a sync at the interval defined. On first-time sign-in, the invited user needs to enter additional information such as First Name, Last Name, Country.
   • If the Activate user option is also selected (when available), on first-time sign-in, the invited user is automatically authenticated without having to enter additional information.

Manual team-sync via CLI

Manually synchronize users and teams provisioned in your SSO provider account, on-demand, through the Codefresh CLI with the synchronize teams command.

NOTE
Make sure that there are no domain restrictions on the email address.

As an example, you can sync your Azure teams with the CLI:

codefresh synchronize teams <my-client-name> -t azure

where:
<my-client-name> is the Client Name/Assertion URL/Callback URL that is automatically generated by Codefresh when you save the SSO configuration for your provider.

Set a default SSO provider for account

If you have multiple SSO providers, you can set one of them as the default provider for your account. Setting a default provider assigns the selected SSO provider automatically to all new users in the account. The link in the email invitation takes them directly to the login page of that SSO provider.

1. In the Codefresh UI, on the toolbar, click the Settings icon.
2. From the sidebar, select Single Sign-On.
3. From the list, select the SSO account to set as default and click the Edit icon on the right.
4. Scroll down and select Set as default. The Single Sign-on page shows the SSO provider tagged as the default.

Select SSO provider for individual users

You can override the default SSO provider if set for the account, with a different SSO provider for specific users if so required.

• New users
  If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization. You can change the SSO provider later.

• Existing users
  SSO login is not configured by default for existing users. You must explicitly select the SSO provider for existing users.
  If SSO login is already configured for an existing user, and you add a new identity provider, to change the SSO login to the new provider, you must select the new provider for the user.

How to

1. In the Codefresh UI, on the toolbar, click the Settings icon.
2. From the sidebar, select Users & Teams.
3. For the user, select the SSO provider from the SSO list.

Related articles

Setting up OIDC Federated SSO
Setting up SAML2 Federated SSO
LDAP Single Sign-On (SSO)