localurl:/docs/new-helm/integration-tests-with-helm/

-title:Best Practices

localurl:/docs/new-helm/best-practices/

-title:"Single Sign-On"

new:true

icon:https://codefresh.io/wp-content/uploads/2017/11/started.png

url:''

links:

-title:Federated Single Sign-On Overview

localurl:/docs/sso/federated-sso-overview

-title:Setting Up SAML2 Federated Single Sign-On (SSO)

localurl:/docs/sso/sso-setup-saml2

-title:Setting Up OpenID Connect Federated Single Sign-On (SSO)

localurl:/docs/sso/sso-setup-oauth2

-title:"Codefresh CLI"

new:true

icon:https://codefresh.io/wp-content/uploads/2018/01/cli.png

-title:Git providers

url:"/git-providers"

sub-pages:

-title:Integration with self-hosted (on-prem) git providers

url:"/integrating-codefresh-with-on-premises-git-providers"

-title:Activate integration with your self hosted Git server

url:"/activate-integration-with-your-self-hosted-git-server"

-title:Configure a Bitbucket Server Webhook

-title:Jenkins Integration

url:"/jenkins-integration"

-title:Single Sign-On

url:"/sso"

pages:

-title:Federated Single Sign-On Overview

url:"/federated-sso-overview"

-title:Setting Up SAML2 Federated Single Sign-On (SSO)

url:"/sso-setup-saml2"

-title:Setting Up OpenID Connect Federated Single Sign-On (SSO)

url:"/sso-setup-oauth2"

-title:Accounts

url:"/accounts"

pages:

title:"Integration with self-hosted (on-prem) git providers"

description:""

group:integrations

sub_group:git-providers

redirect_from:

-/docs/integrating-codefresh-with-on-premises-git-providers/

toc:true

Basically there are two scenarios of configuring Codefresh to work with On-prem git providers:

1.**Codefresh SaaS** with self-hosted git providers.

2.**Codefresh On-Prem** with self-hosted git providers.

{{site.data.callout.callout_info}}

If you already have accounts and users created for SaaS git provider types, you will need to create a**separate account and users specifically for self-hosted** type of git provider. This is related to a generic restriction –**one account per git provider**. For instance, SaaS GitHub and On-prem GitHub are considered as two different git providers in terms of integration with Codefresh

{{site.data.callout.end}}

If you use Codefresh SaaS, you need to request Codefresh team to create an account for you. Please follow[this guide.](https://docs.codefresh.io/docs/activate-integration-with-your-self-hosted-git-server)

If you intend to**add more users** to this account:

{:start="1"}

1. Ask Codefresh team to create the users for you, giving the emails on which you will receive activation letters.

{:start="2"}

2. When the needed users are created, you can add them into your account on the**`Account Settings`→`Collaborators`** page.

There you can assign roles to the users and delete them from the collaborators list later if needed.

{:start="1"}

1. Login to Codefresh with the user that has**`Admin` role** (not the`Account Admin` role)

{:start="2"}

2. Create an account with the corresponding on-prem git provider. For that go to the**`Admin Management`→`Accounts`** page, click on the*`plus`* button and select the needed on-prem git provider (Stash, GitHub OnPrem, GitLab OnPrem):

{% highlight html %}

{% raw %}

<figurealign="center">

<ahref="https://files.readme.io/5f1f234-Screenshot_from_2018-02-09_14-57-21.png"class="block-display-image-parent block-display-image-size-original">

</a>

</figure>

{% endraw %}

{% endhighlight %}

{:start="3"}

3. Create a user and link it with the account. For that go to the**`Admin Management`&#8594;`Users`** page, click on the*`Create new user`* button, fill in the username and email, select the on-prem git provider (the same as for the account), select the name of the account you created above, click the*`Add`* button.

{% highlight html %}

{% raw %}

<figurealign="center">

<ahref="https://files.readme.io/ffc028a-Screenshot_from_2018-02-09_15-33-09.png"class="block-display-image-parent block-display-image-size-smart">

</a>

</figure>

{% endraw %}

{% endhighlight %}

Click on the*`Set the user as admin of this account`*.

{:start="4"}

4. On the same*`Users`* page find the created user, click on the button under*`Provider`* column, click*`plus`* in front of*`local`*, enter the password, click on the`Save` icon.

{% include image.html lightbox="true" file="/images/63a4059-Screenshot_from_2018-02-09_15-35-38.png" url="/images/63a4059-Screenshot_from_2018-02-09_15-35-38.png" alt="Screenshot from 2018-02-09 15-35-38.png" max-width="100%" %}

{:start="5"}

5. On the same*`Users`* page change the status of the user from*`Pending`* to*`Active`*.

{:start="6"}

6. Login to Codefresh with the created user. For that you should go to the login page (`https://<yourcodefreshhostname>/login`), click on the*`On Premise Codefresh`* button and enter the credentials.

{:start="7"}

7. After you have logged in you will need to integrate your git provider server with Codefresh. For that go to**`Account Settings`&#8594;`Integration`**, where you will find option to add your git provider server.

If you intend to add more users to this account repeat the steps above from 3 to 5.

{{site.data.callout.callout_info}}

The relationship between users and accounts is**"many-to-many"**: a user can be linked with multiple accounts and vice-versa - an account can be linked with many users.

{{site.data.callout.end}}

Visit[this page](https://github.com/codefresh-io/cronus/blob/master/docs/expression.md) to learn about supported`cron` expression format and aliases.

Now,link previously defined`cron``trigger-event` to one ore more Codefresh pipelines.

Now,lets create a new pipeline trigger, linking previously defined`cron``trigger-event` to one ore more Codefresh pipelines.

codefreshlink"cron:codefresh:codefresh:0 */20 * * * *:hello-once-in-20-min:107e9db97062" 7a5622e4b1ad5ba0018a3c9c

codefreshcreate trigger"cron:codefresh:codefresh:0 */20 * * * *:hello-once-in-20-min:107e9db97062" 7a5622e4b1ad5ba0018a3c9c

codefreshlink"cron:codefresh:codefresh:0 */20 * * * *:hello-once-in-20-min:107e9db97062" 4a5634e4b2cd6baf021a3c0a

codefreshcreate trigger"cron:codefresh:codefresh:0 */20 * * * *:hello-once-in-20-min:107e9db97062" 4a5634e4b2cd6baf021a3c0a

From now on, every 20 minutes Codefresh will trigger pipeline execution for 2 pipeline linked to the previously specified`cron``trigger-event` (once in 20 minutes)

title:"Federated Single Sign-On (SSO) Overview"

description:""

group:sso

permalink:/:collection/sso/federated-sso-overview/

toc:true

Customers in our**enterprise plan** (please[contact sales](https://codefresh.io/contact-sales/) to learn more) can log in to Codefresh using Federated Single Sign-On (SSO).

Federated identity management enables the cross organizational exchange of identity information across Internet domains, without migrating credential information or consolidating several security domains. With federation, Codefresh customers can authenticate with their corporate credentials to gain access to Codefresh.

This means that you will be able to access your Codefresh account by signing with your corporate credentials.

To set up Federated SSO, your organization identity management must use either of the following:

-**A security Assertion Markup Language 2.0 (SAML 2.0)** compliant Identity Provider (IdP) that is configured to communicate with Codefresh Service Provider (SP). For example, ADFS, Auth0, Okta and Ping Identity.

-**OpenID Connect (OAuth 2.0)** identity mangement. For example, Google, Github, Bitbucket and Gitlab.

This enables seamless SSO from a browser, by asserting the identity of the user to Codefresh.

A SAML2 based federated system comprises the following main components:

-**Identity Provider (IdP)** – The identity provider belongs in the corporation that manages accounts for a large number of users who need secure Internet access to the services or Web- based applications of another organization. In our case a customer's organization that requires access to Codefresh.

- The IdP manages the corporate users, and integrates with Identity Management systems in the customers organization responsible for authentication. The Identity Management systems will integrate with authentication providers such as LDAP or AD.

- All user authentication is carried out via Identity Management systems integrated with the IdP

- For successfully authenticated users, the IdP sends a SAML assertion to Codefresh service provider that enables the user to access Codefresh.

-**Service Provider (SP)** – An SP belongs in the SaaS provider that wants to provide access to its web applications and services.

- The SP trusts a corporate IdP to manage users and the authentication process.

- The SP does not manage an organization’s users, but it trusts the IdP to manage user authentication.

A trust must be set up between the customer IdP and Codefresh SP. Once a trust has been set up and a user has been authenticated via the IdP using corporate credentials, the user can access Codefresh.

{:.text-secondary}

Using federated SSO significantly simplifies cross-domain user management as follows:

- You use your corporate credentials to access Codefresh.That means you can access all your systems with one password.

- There is no need to migrate identity information or consolidate between the two security domains.

- Corporate credentials aren't exposed to the SaaS provider.

title:"Setting Up OpenID Connect Federated Single Sign-On (SSO)"

description:""

group:sso

permalink:/:collection/sso/sso-setup-oauth2/

toc:true

Codefresh natively supports login using Github, Bitbucket and Gitlab using OpenID Connect (OAUTH 2.0) protocol.

For additional login integrations based on OAUTH 2.0, like using google identities, you'll need to provide Codefresh your client ID and client secret.

title:"Setting Up SAML2 Federated Single Sign-On (SSO)"

description:""

group:sso

permalink:/:collection/sso/sso-setup-saml2/

toc:true

As IdPs come in all shapes and sizes, the following topic discusses in general what you must do to configure Federated SSO.

As you will see in the description below, the person in your organization responsible for managing your IdP will need to interact with Codefresh support team to successfully set up a trust between your IdP and Codefresh SP.

{:.text-secondary}

1. Have your account set up with Codefresh enterprise plan

2. Ensure you have a working SAML 2.0 compliant Identity Provider (IdP).

3. Identify someone in your organization who is familiar with configuring and managing your organization's IdP.

4. Ensure that your IdP's system clock is synchronized with a reliable time source. If it is not, tokens generated will be unusable and SSO will fail.

{:.text-secondary}

{% include image.html

lightbox="true"

file="/images/sso-flow.png"

url="/images/sso-flow.png"

alt="sso-flow.png"

max-width="100%"

%}

{:.text-secondary}

Codefresh expects the following user attributes to be passed through SAML between your Idp and Codefresh SP:

- User email address

- User first name

- User last name

- User full name

- User unique id that isn't subject to change in your identity managment environment

{:.text-secondary}

{% include image.html

lightbox="true"

file="/images/sso-diagram.png"

url="/images/sso-diagram.png"

alt="sso-diagram.png"

max-width="100%"

%}

Once Federated SSO has been configured, the process works as follows:

<divclass="bd-callout bd-callout-info"markdown="1">

Note

Steps 2 to 7 happen in the background, and are transparent to the user.

</div>

1. A user logs in to Codefresh and enters their email

2. The user is redirected to Codefresh Service Provider (SP) to initiate SSO.

3. The user’s browser is then redirected to the customer IdP.

4. Once authenticated by the corporate side, a SAML token is sent to the user’s browser.

5. The SAML assertion is then forwarded to Codefresh SP.

6. If you are a valid Codefresh user for this SSO connection, an SSO token is returned to the user’s browser.

7. The user’s browser then returns a token to Codefresh and access is granted for your account.

{% endif %}

<mainclass="col-12 col-md-8 {% if page.toc == true %}col-xl-6 col-xxl-6{% else %}col-xl-9 col-xxl-9{% endif%} py-3 pl-3 bd-content"role="main">

<divclass="bd-content-inner py-md-3 pl-4 pl-md-5 pr-4">

<divclass="bd-content-inner py-md-3 pl-4 pl-md-5 pr-4 pr-md-5">

<h1class="bd-title"id="content">{{ page.title | smartify }}</h1>

<pclass="bd-lead">{{ page.description | smartify }}</p>

{{ content }}