-title:Jenkins Integration

url:"/jenkins-integration"

-title:Single Sign-On

url:"/sso"

pages:

-title:Federated Single Sign-On Overview

url:"/federated-sso-overview"

-title:Setting Up SAML2 Federated Single Sign-On (SSO)

url:"/sso-setup-saml2"

-title:Setting Up OpenID Connect Federated Single Sign-On (SSO)

url:"/sso-setup-oauth2"

-title:Accounts

url:"/accounts"

pages:

title:"Federated Single Sign-On (SSO) Overview"

description:""

group:sso

permalink:/:collection/sso/federated-sso-overview/

toc:true

Federated identity management enables the cross organizational exchange of identity information across Internet domains, without migrating credential information or consolidating several security domains. With federation, Codefresh customers can authenticate with their corporate credentials to gain access to Codefresh.

Customers in our**enterprise plan** can log in to Codefresh using Federated Single Sign-On (SSO). This means that you will be able to access your Codefresh account by signing with your corporate credentials.

To set up Federated SSO, your organization identity management must use either of the following:

-**A security Assertion Markup Language 2.0 (SAML 2.0)** compliant Identity Provider (IdP) that is configured to communicate with Codefresh Service Provider (SP). For example, ADFS, Auth0, Okta and Ping Identity.

-**OpenID Connect (OAuth 2.0)** identity mangement. For example, Google, Github, Bitbucket and Gitlab.

This enables seamless SSO from a browser, by asserting the identity of the user to Codefresh.

A SAML2 based federated system comprises the following main components:

-**Identity Provider (IdP)** – The identity provider belongs in the corporation that manages accounts for a large number of users who need secure Internet access to the services or Web- based applications of another organization. In our case a customer's organization that requires access to Codefresh.

- The IdP manages the corporate users, and integrates with Identity Management systems in the customers organization responsible for authentication. The Identity Management systems will integrate with authentication providers such as LDAP or AD.

- All user authentication is carried out via Identity Management systems integrated with the IdP

- For successfully authenticated users, the IdP sends a SAML assertion to Codefresh service provider that enables the user to access Codefresh.

-**Service Provider (SP)** – An SP belongs in the SaaS provider that wants to provide access to its web applications and services.

- The SP trusts a corporate IdP to manage users and the authentication process.

- The SP does not manage an organization’s users, but it trusts the IdP to manage user authentication.

A trust must be set up between the customer IdP and Codefresh SP. Once a trust has been set up and a user has been authenticated via the IdP using corporate credentials, the user can access Codefresh.

{:.text-secondary}

Using federated SSO significantly simplifies cross-domain user management as follows:

- You use your corporate credentials to access Codefresh.That means you can access all your systems with one password.

- There is no need to migrate identity information or consolidate between the two security domains.

- Corporate credentials aren't exposed to the SaaS provider.

title:"Setting Up OpenID Connect Federated Single Sign-On (SSO)"

description:""

group:sso

permalink:/:collection/sso/sso-setup-oauth2/

toc:true

Codefresh natively supports login using Github, Bitbucket and Gitlab using OpenID Connect (OAUTH 2.0) protocol.

For additional login integrations based on OAUTH 2.0, like using google identities, you'll need to provide Codefresh your client ID and client secret.

title:"Setting Up SAML2 Federated Single Sign-On (SSO)"

description:""

group:sso

permalink:/:collection/sso/sso-setup-saml2/

toc:true

As IdPs come in all shapes and sizes, the following topic discusses in general what you must do to configure Federated SSO.

As you will see in the description below, the person in your organization responsible for managing your IdP will need to interact with Codefresh support team to successfully set up a trust between your IdP and Codefresh SP.

{:.text-secondary}

1. Have your account set up with Codefresh enterprise plan

2. Ensure you have a working SAML 2.0 compliant Identity Provider (IdP).

3. Identify someone in your organization who is familiar with configuring and managing your organization's IdP.

4. Ensure that your IdP's system clock is synchronized with a reliable time source. If it is not, tokens generated will be unusable and SSO will fail.

{:.text-secondary}

{% include image.html

lightbox="true"

file="/images/sso-flow.png"

url="/images/sso-flow.png"

alt="sso-flow.png"

max-width="100%"

%}

{:.text-secondary}

Codefresh expects the following user attributes to be passed through SAML between your Idp and Codefresh SP:

- User email address

- User first name

- User last name

- User full name

- User unique id that isn't subject to change in your identity managment environment

{:.text-secondary}

{% include image.html

lightbox="true"

file="/images/sso-diagram.png"

url="/images/sso-diagram.png"

alt="sso-diagram.png"

max-width="100%"

%}

Once Federated SSO has been configured, the process works as follows:

<divclass="bd-callout bd-callout-info"markdown="1">

Note

Steps 2 to 7 happen in the background, and are transparent to the user.

</div>

1. A user logs in to Codefresh and enters their email

2. The user is redirected to Codefresh Service Provider (SP) to initiate SSO.

3. The user’s browser is then redirected to the customer IdP.

4. Once authenticated by the corporate side, a SAML token is sent to the user’s browser.

5. The SAML assertion is then forwarded to Codefresh SP.

6. If you are a valid Codefresh user for this SSO connection, an SSO token is returned to the user’s browser.

7. The user’s browser then returns a token to Codefresh and access is granted for your account.