_docs/single-sign-on/team-sync.md
89 additions & 35 deletions
@@ -1,36 +1,67 @@
1
1
---
2
2
title:Common configuration for SSO providers
3
-
description:"Team sync, default SSO provider for accounts"
3
+
description:"Set up team sync, default SSO provider for accounts"
4
4
group:single-sign-on
5
5
toc:true
6
6
---
7
7
8
8
Once you create an SSO provider account in Codefresh, you can:
9
-
* Automatically or manually syncbetweenthe teams created inCodefresh andyour Identity Provider (IdP)
9
+
* Automatically or manually sync the teams created in your Identity Provider (IdP) with Codefresh
10
10
* Set a default SSO provider for your account
11
11
* Override the account-level SSO provider for specific users
12
12
13
13
14
-
##Syncing teamswith IdPs
15
-
Team sync synchronizes all usersof the team with theIdP.
14
+
##Syncing teamsin IdPs with Codefresh
15
+
Team sync synchronizes all usersand teams provisioned in theSSO provider with Codefresh.
16
16
17
-
Youcan sync teams:
18
-
* Automatically, in the Codefresh UIwhen you set uptheSSO account for the IdP, through the**Auto-sync team**option. For details, see the SSOsetup for your IdP.
19
-
* Manually, through the Codefresh CLI's[synchronize teams command](https://codefresh-io.github.io/cli/teams/synchronize-teams/){:target="\_blank"}.
17
+
In Codefresh youcan syncusers andteams either automatically or manually:
18
+
* Automatically, in the Codefresh UIifthe option is supported for your SSOprovider
19
+
* Manually,either on-demandthrough the Codefresh CLI, or through a Codefresh pipeline
20
20
21
-
##Team Sync and Invite Workflow
22
21
23
-
This is the general workflow when users are synced to Codefresh and users get invited to the account.
24
22
25
-
1. Users get added to the group / given permission to access the SSO Integration on the IDP side.
26
-
1. Codefresh will Auto Sync with your SSO (if enabled) or you can manually sync.
27
-
1. Users will get added to Codefresh as an invited user.
28
-
1. Users will need to wait for the invite email to be received to prevent the creation of a personal account.
29
-
* You can verify that they are invited under Users & Teams with the status of "pending".
30
-
* When signing in before the invite, users must follow the personal account creation workflow before getting access to the invited account.
31
-
1. Once the email is received, they can log in using the link in the email or use the Corporate SSO option on the login page.
23
+
###Team-sync support in Codefresh for SSO providers
24
+
The table lists the SSO providers supported in Codefresh and the team-sync option available for them.
The automated team-sync option is only available in the Codefresh UI.
48
+
This is the general workflow for automated team-sync in Codefresh:
49
+
50
+
1. Codefresh syncs users and groups through the SSO API, and grants SSO permissions for each invited user during sync.
51
+
1. You set up the SSO provider in Codefresh, and select one or both options for automated team-sync:
52
+
* If only the**Auto-sync users and teams** option is selected, Codefresh automatically triggers a sync at the interval defined. On first-time sign-in, the invited user needs to enter additional information such as First Name, Last Name, Country.
53
+
* If the**Activate user** option is also selected (when available), on first-time sign-in, the invited user is automatically authenticated without having to enter additional information.
54
+
55
+
56
+
57
+
58
+
###Manual team-sync via CLI
59
+
60
+
Manually synchronize users and teams provisioned in your SSO provider account, on-demand, through the Codefresh CLI with the[`synchronize teams`](https://codefresh-io.github.io/cli/teams/synchronize-teams/){:target="\_blank"} command.
61
+
62
+
63
+
>**NOTE**:
64
+
>Make sure that there are no[domain restrictions on the email address](#manual-team-sync-and-email-domain-restrictions).
34
65
35
66
As an example, you can sync your Azure teams with the CLI:
36
67
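Review bot: In the added "general workflow for automated team-sync" list, step 1 ("Codefresh syncs users and groups through the SSO API...") comes before step 2 ("You set up the SSO provider in Codefresh, and select one or both options..."), so the sync is described before the setup that enables it; swap the two steps. The removed "Team Sync and Invite Workflow" section also told admins that synced users show up under Users & Teams with the status "pending", and that signing in before the invite email leads into the personal account creation workflow. The visible added lines only cover what the user enters on first-time sign-in, so consider keeping a sentence on the pending status and on waiting for the invite, since the removed text gave that as the way to prevent the creation of a personal account.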
@@ -41,7 +72,8 @@ where:
41
72
`<my-client-name>` is the Client Name/Assertion URL/Callback URL that is automatically generated by Codefresh when you save the SSO configuration for your provider.
Though you can run this command manually it makes more sense to run it periodically as a job. And the obvious
55
-
way to perform this is with a Codefresh pipeline. The CLI can be used as a[freestyle step]({{site.baseurl}}/docs/pipelines/steps/freestyle/).
56
86
87
+
###Manual team-sync with Codefresh pipelines
88
+
89
+
As an alternative to manually syncing teams on demand via the Codefresh CLI, you can manually sync teams using Codefresh pipelines.
90
+
91
+
>**NOTE**:
92
+
>Make sure that there are no[domain restrictions on the email address](#manual-team-sync-and-email-domain-restrictions).
93
+
94
+
A pipeline makes it possible to run team-sync periodically as a job. You can use the CLI as a[freestyle step]({{site.baseurl}}/docs/pipelines/steps/freestyle/), as in the example below.
57
95
You can create a Git repository with a[codefresh.yml]({{site.baseurl}}/docs/pipelines/what-is-the-codefresh-yaml/) file with the following content:
58
96
59
97
```yaml
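Review bot: The added section "Manual team-sync with Codefresh pipelines" says you can "manually sync teams using Codefresh pipelines", and two paragraphs later that a pipeline runs team-sync "periodically as a job"; a scheduled job is not what most readers understand by manual. Either state up front that "manual" here means any sync other than the UI auto-sync option, or rename the heading along the lines of "Team-sync with Codefresh pipelines". The NOTE on domain restrictions is repeated word for word from the CLI section; that is fine if both sections must stand alone, otherwise state it once and link to it.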
@@ -66,10 +104,11 @@ steps:
66
104
-'codefresh synchronize teams my-client-name -t azure'
67
105
```
68
106
69
-
To fully automatethis pipeline, youshould set a [cron trigger]({{site.baseurl}}/docs/pipelines/triggers/cron-triggers/) for it. Depending on how you set up your Cron trigger, you can synchronize your teams every day/week/hour.
107
+
To fully automatethe pipeline, youcan set a [cron trigger]({{site.baseurl}}/docs/pipelines/triggers/cron-triggers/) for it. Depending on how you set up your Cron trigger, you can synchronize your teams every day/week/hour.
70
108
71
-
### CLI sync and email domain restrictions
72
-
If the`Restrict inviting additional users by email address domain` is enabled for your account, running the `synchronize teams` command via the CLI, _does not invite new users_ to Codefresh.
109
+
110
+
### Manual team-sync and email domain restrictions
111
+
If the`Restrict inviting additional users by email address domain` is enabled for your account, manual sync via the CLI or via a pipeline, _does not invite new users_ to Codefresh.
73
112
The output of the command will be similar to the following:
74
113
75
114
```json
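Review bot: Renaming the heading from "CLI sync and email domain restrictions" to "Manual team-sync and email domain restrictions" changes its generated anchor, so check the rest of the docs for links to the old anchor and update them (the two NOTE links added in this commit already use the new one). In the rewritten sentence, drop the comma in "manual sync via the CLI or via a pipeline, _does not invite new users_". Since that sentence now covers pipelines too, the unchanged "The output of the command will be similar to the following" should say which output is meant, for example the output of the `synchronize teams` command or of the pipeline step that runs it.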
@@ -102,13 +141,13 @@ The output of the command will be similar to the following:
102
141
103
142
**Turn off the domain restriction**:
104
143
105
-
1. In the Codefresh UI,from your avatar dropdown,click **AccountSettings**.
144
+
1. In the Codefresh UI, click **Settings**.
106
145
1. In the sidebar, from Access & Collaboration, select **User & Teams**, and then click the **Security** tab.
107
146
1. Turn off **Restrict inviting additional users by email address domain**.
108
147
1. Click **Save**.
109
148
1. Rerun the CLI sync command.
110
149
111
-
### Sync GitHubOrganization Teams to Codefresh
150
+
### Sync GitHuborganization teams to Codefresh
112
151
113
152
As an admin, you may want to sync your GitHub Organization Teams with your Codefresh account. At the same time, you do not want to set up an SSO provider and have the users use any login provider they choose.
114
153
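Review bot: Step 5, "Rerun the CLI sync command", was left unchanged, but the section it belongs to now covers sync via a pipeline as well; reword it to something like "Rerun the sync from the CLI or the pipeline". Step 1 now reads "click **Settings**" with no indication of where that control is, while the removed wording gave the path ("from your avatar dropdown"); add the location in the current UI. Step 2 names the page **User & Teams**, while the steps later in this file use **Users & Teams**; pick one spelling.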
@@ -131,22 +170,36 @@ Setting a default provider assigns the selected SSO automatically to all new use
131
170
1. In the Codefresh UI, go to [Single Sign-On](https://g.codefresh.io/2.0/account-settings/single-sign-on).
132
171
1. From the list, select the SSO account to set as default and click the **Edit** icon on the right.
133
172
1. Scroll down and select **Set as default**.
134
-
<!---change screenshot
135
-
{% include image.html
173
+
174
+
{% include
175
+
image.html
136
176
lightbox="true"
137
177
file="/images/administration/sso/default-sso.png"
138
178
url="/images/administration/sso/default-sso.png"
139
-
alt="Default SSO provider"
140
-
caption="Default SSO provider"
141
-
max-width="90%"
142
-
%} -->
179
+
alt="Set default SSO provider for account"
180
+
caption="Set default SSO provider for account"
181
+
max-width="50%"
182
+
%}
183
+
184
+
The Single Sign-on page shows the SSO provider tagged as the default.
alt="Single Sign-on list showing the default SSO provider"
192
+
caption="Single Sign-on list showing the default SSO provider"
193
+
max-width="60%"
194
+
%}
143
195
144
196
145
197
## Select SSO provider for individual users
146
198
147
199
You can override the default SSO provider if set for your account, with a different SSO provider for specific users if so required.
148
200
* New users
149
-
If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization.
201
+
If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization.
202
+
You can change the SSO provider later.
150
203
151
204
* Existing users
152
205
SSO login is not configured by default for existing users. You must _explicitly select_ the SSO provider for existing users.
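Review bot: The removed block was commented out with "change screenshot", and the include enabled here still points at the same `file` and `url` (`/images/administration/sso/default-sso.png`), so confirm the image itself was replaced in this commit; otherwise the screenshot that was flagged for replacement is now published. The added "You can change the SSO provider later." would be more useful with a pointer to the steps for selecting a provider per user in this same section. `alt` and `caption` carry identical text in both includes; the alt text could describe what the screenshot shows instead.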
@@ -156,12 +209,13 @@ You can override the default SSO provider if set for your account, with a differ
156
209
1. In the sidebar, from Access & Collaboration, select [**Users & Teams**](https://g.codefresh.io/account-admin/collaborators/users){:target="\_blank"}.
157
210
1. For the user, select the SSO provider from the SSO list.