title:"Users and team management"

description:""

description:"Add users and teams to Codefresh accounts"

group:administration

toc:true

Once you have created a Codefresh account, you can add any number of users to collaborate on repositories, workflows, and pipelines, and teams of users.

You can then create teams in Codefresh to group users who share a common denominator, such as the same permissions, access to the same functionality, or roles. Teams make it easy for administrators to both define and manage items shared by multiple users in an orgranization.

Teams are users who share the same permissions, roles, or as requiredby. By default there are two teams,*users*, and*admins* with users[invited as collaborators]({{site.baseurl}}/docs/accounts/invite-your-team-member/).

Teams are users who share the same permissions, roles, or as requiredbased on company processes. By default there are two teams,*users*, and*admins* with users[invited as collaborators]({{site.baseurl}}/docs/accounts/invite-your-team-member/).

Teams allow you to enforce access control through ABAC ().

title:"Set upOAuth2 authentication for Git providers"

title:"OAuth2 authentication for Git providers"

description:""

group:administration

toc:true

Access to Kubernetes clusters behind strict firewalls not accessible from the public internet is governed through authorized IP addresses.

Codefresh provides a list of IP addresses to be configured on clusters to allow access to them.

You can register multiple external clusters to Codefreshruntimes, both hostedandhybrid. Allruntimes require Codefresh platform IPs to be configured on the clusters.

In addition, managed clusters registered tohosted runtimes must be configured with a set of specific IP addresses to authorize access.

You can register multiple external clusters totheCodefreshRunner,andGitOps Runtimes. AllRuntimes require Codefresh platform IPs to be configured on the clusters.

In addition, managed clusters registered toHosted GitOps Runtimes must be configured with a set of specific IP addresses to authorize access.

All the IPs are NAT gateways, and need to enable specific IPs instead of ranges.

- 44.238.167.159

- 44.237.63.217

- 34.207.5.18

- 34.232.79.230

- 44.193.43.5

Clusters must be configured with API access to the authorized Codefresh IPs.

If you haven't configured your clusters with the required IPs, use the links below to complete the configuration for the clusters listed:

[GKE (Google Kubernetes Engine)](https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters){:target="\_blank"}

[Set up a hosted (Hosted GitOps) environment]({{site.baseurl}}/docs/runtime/hosted-runtime/)

[Install hybrid runtimes]({{site.baseurl}}/docs/runtime/installation/)

[Codefresh architecture]({{site.baseurl}}/docs/getting-started/architecture/)

[Codefresh Runner installation]({{site.baseurl}}/docs/installation/codefresh-runner/)

[Set up a Hosted GitOps Runtime]({{site.baseurl}}/docs/installation/hosted-runtime/)

[Install Hybrid GitOps Runtimes]({{site.baseurl}}/docs/runtime/hybrid-gitops/)

title:"OpenID Connect"

description:"Setting UpOpenID ConnectFederated Single Sign-On (SSO)"

title:"Setting upOpenID Connect (OIDC) Federated Single Sign-On (SSO)"

description:"OpenID Connect SSO setup"

group:single-sign-on

toc:true

Codefresh natively supports login using GitHub, Bitbucket and GitLab using the OpenID Connect (OAUTH 2.0) protocol. This guide will review how to add SSO integrations based on OAUTH 2.0 as part of Codefresh Enterprise plan.

Codefresh natively supports login using GitHub, Bitbucket and GitLab using the OpenID Connect (OAuth2) protocol.

In order toadd successfully an identityProvider in Codefresh you need to do some preparatory work with both Codefresh and the provider.

Toadd successfully an identityprovider (IdP) in Codefresh you need to do some preparatory work with both Codefresh and the provider.

1. You need to inform yourIdentify provider that it will provide SSO services to Codefresh

1. You need to set up Codefresh and point it to yourIdentity Provider.

1. You need to inform yourIdP that it will provide SSO services to Codefresh

1. You need to set up Codefresh and point it to yourIdP.

The first procedure differs according to you Identity Provider, but the second one is common for all providers.

Note thatSSO is only available to Enterprise customers. Please[contact sales](https://codefresh.io/contact-sales/) in order to enable it for your Codefresh account.

* Auth0

* Azure

* Google

* Okta

* OneLogin

1. Configure SSO settings for the IdP in Codefresh:

This generally includes defining settings both in Codefresh and in the IdP.

Codefresh supports OIDC SSO for the following:

*[Auth0]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-auth0/)

*[Azure]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-azure/)

*[Google]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-google/)

*[Okta]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-okta/)

*[OneLogin]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-onelogin/)

To access the SSO configuration at the account level.

1. Test integration with the IdP

1. Click on your avatar at the top right of the GUI and select*Account settings*.

1. In the new screen, select*Single Sign-on* from the left sidebar.

{% include image.html

lightbox="true"

file="/images/administration/sso/add-sso-dropdown.png"

url="/images/administration/sso/add-sso-dropdown.png"

alt="SSO provider settings"

caption="SSO provider settings"

max-width="70%"

%}

{:start="3"}

1. To connect an Identity Provider, click the*add single-sign-on* button and select your provider from the drop-down menu.

Regardless of the Identity Provider that you have chosen, the setup in Codefresh is similar for all of them. You need to provide several fields to Codefresh to activate SSO. The common ones are:

**Display Name* - A name for your Identity Provider

**Client ID* - An ID that will be used for the connection

**Client Secret* - A secret associated with the ID

Some providers also need additional fields which are specific to that provider.

The process to obtain the values for these fields depends on the individual Identity Provider. In the following

sections we will outline the details for each one.

See the[Auth0 instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-auth0/).

See the[Azure instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-azure/).

See the[Google instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-google/).

See the[Okta instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-okta/).

See the[OneLogin instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-onelogin/).

Once you set up the Identity Provider, do the following

1. Go to the collaborators screen by clicking on*People* on the left sidebar (under User Management).

1. Add an active user that will be used for testing. We recommend you use your own user.

1. Change Login method by selecting your Auth provider from the SSO drop-down.

1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**Account Settings**.

1. From the sidebar, below Access & Collaboration, select[**Users & Teams**](https://g.codefresh.io/2.0/account-settings/single-sign-on){:target="\_blank"}.

1. Add an active user to be used for testing. We recommend you use your own user.

1. Change Login method by selecting your Auth provider from the SSO drop-down.

{% include image.html

lightbox="true"

max-width="70%"

%}

1. Keep the current browser session open, and log in via Corporate SSO in an incognito tab (or another browser).

{:start="5"}

1. Keep the current browser session open, and log in via Corporate SSO in an incognito tab (or another browser).

{% include image.html

lightbox="true"

max-width="50%"

%}

1. If everything works, add more users.

To add users and select their SSO method, go to*Collaborators* from the left sidebar. Then add the email or Codefresh username of a user.

In addition to their role you can now select the SSO method they will use

{% include image.html

lightbox="true"

file="/images/administration/sso/select-user-sso.png"

url="/images/administration/sso/select-user-sso.png"

alt="Selecting SSO method"

caption="Selecting SSO method"

max-width="50%"

%}

**SSO login for new and existing users**

If you have multiple SSO providers configured, you can select a different provider for each user if so required.

* New users

If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization.

* Existing users

SSO login is not configured by default for existing users. You must_explicitly select_ the SSO provider for existing users.

If SSO login is already configured for an existing user, and you add a new identity provider, to change the SSO login to the new provider, you must_select_ the new provider for the user.

If you have multiple SSO providers set you can hover your mouse on the top right of the SSO screen

and setup one of them as the default provider.

{% include image.html

lightbox="true"

file="/images/administration/sso/default-sso.png"

url="/images/administration/sso/default-sso.png"

alt="Default SSO provider"

caption="Default SSO provider"

max-width="90%"

%}

If a default sso provider is set then:

1. This SSO method will be automatically assigned to all new invited users

1. All new users will receive an email with an invite link that points them directly to the login page of that SSO provider

Once the initial setup is done, you can also sync your teams between Codefresh and the Identity provider.

You can do this via the[Codefresh Cli](https://codefresh-io.github.io/cli/) and specifically the[sync command](https://codefresh-io.github.io/cli/teams/synchronize-teams/).

For example, to sync you azure teams you can execute

codefresh synchronize teams my-client-name -t azure

You can find the client-name from the SSO UI.

{% include image.html

lightbox="true"

file="/images/administration/sso/azure/client-name.png"

url="/images/administration/sso/azure/client-name.png"

alt="SSO Client Name"

caption="SSO Client Name"

max-width="40%"

%}

Even though you can run this command manually it makes more sense to run it periodically as a job. And the obvious

way to perform this, is with a Codefresh pipeline. The CLI can be used as a[freestyle step]({{site.baseurl}}/docs/codefresh-yaml/steps/freestyle/).

You can create a git repository with a[codefresh.yml]({{site.baseurl}}/docs/codefresh-yaml/what-is-the-codefresh-yaml/) file with the following contents:

{% highlight yaml %}

{% raw %}

version: '1.0'

steps:

syncMyTeams:

title: syncTeams

image: codefresh/cli

commands:

- 'codefresh synchronize teams my-client-name -t azure'

{% endraw %}

{% endhighlight %}

1. (Optional)[Set an IdP as the default provider]({{site.baseurl}}/docs/single-sign-on/team-sync/#set-a-default-sso-provider-for-account)

You can select an IdP as the default SSO provider for a Codefresh account. This means that all the new users added to that account will automatically use the selected IdP for signin.

1. (Optional)[Set the SSO method for each user]({{site.baseurl}}/docs/single-sign-on/team-sync/#select-sso-method-for-individual-users)

You can also select if needed, a different SSO provider for every user or for specific users.

To fully automate this pipeline you should set a[cron trigger]({{site.baseurl}}/docs/configure-ci-cd-pipeline/triggers/cron-triggers/) for this pipeline. The cron-trigger will be responsibleforrunning this pipeline (and therefore synchronizing the teams) in a fully automated manner.

This way you can synchronize your teams every day/week/hour depending on you cron trigger setup.

[Federated Single Sign-On (SSO) overview]({{site.baseurl}}/docs/administration/single-sign-on)

Here's what you need to do to configure SSO via SAML in Codefresh:

1. Configure SSO settings for the IdP in Codefresh:

This generally includes defining settings in Codefresh and in the IdP.

This generally includes defining settings inboth inCodefresh and in the IdP.

Codefresh supports SAML SSO for the following:

*[JumpCloud]({{site.baseurl}}/docs/administration/single-sign-on/saml/saml-jumpcloud)

*[Okta]({{site.baseurl}}/docs/administration/single-sign-on/saml/saml-okta)

1. Test integration

Test the integrations to verify the connection settings.

1. Set an IdP as the default provider

1. Set the SSO for each user

1. Test integration with the IdP

1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**Account Settings**.

1. From the sidebar, below Access & Collaboration, select[**Users & Teams**](https://g.codefresh.io/2.0/account-settings/single-sign-on){:target="\_blank"}.

1. Add an active user to be used for testing. We recommend you use your own user.

1. Change Login method by selecting your Auth provider from the SSO drop-down.

{% include image.html

lightbox="true"

file="/images/administration/sso/collaborators.png"

url="/images/administration/sso/collaborators.png"

alt="Adding collaborators"

caption="Adding collaborators"

max-width="70%"

%}

{:start="5"}

1. Keep the current browser session open, and log in via Corporate SSO in an incognito tab (or another browser).

{% include image.html

lightbox="true"

file="/images/administration/sso/sign-with-sso.png"

url="/images/administration/sso/sign-with-sso.png"

alt="Sign-in with SSO"

caption="Sign-in with SSO"

max-width="50%"

%}

1. (Optional)[Set an IdP as the default provider]({{site.baseurl}}/docs/single-sign-on/team-sync/#set-a-default-sso-provider-for-account)

You can select an IdP as the default SSO provider for a Codefresh account. This means that all the new users added to that account will automatically use the selected IdP for signin.

1. (Optional)[Set the SSO method for each user]({{site.baseurl}}/docs/single-sign-on/team-sync/#select-sso-method-for-individual-users)

You can also select if needed, a different SSO provider for every user or for specific users.

*[Selecting SSO method for collaborators]({{site.baseurl}}/docs/administration/single-sign-on/sso-setup-oauth2/#selecting-sso-method-for-collaborators) -->

[Federated Single Sign-On (SSO) overview]({{site.baseurl}}/docs/administration/single-sign-on)