|
| 1 | +--- |
| 2 | +title:"OpenID Connect" |
| 3 | +description:"Setting Up OpenID Connect Federated Single Sign-On (SSO)" |
| 4 | +group:single-sign-on |
| 5 | +toc:true |
| 6 | +--- |
| 7 | + |
| 8 | +Codefresh natively supports login using GitHub, Bitbucket and GitLab using the OpenID Connect (OAUTH 2.0) protocol. This guide will review how to add SSO integrations based on OAUTH 2.0 as part of Codefresh Enterprise plan. |
| 9 | + |
| 10 | +##Prerequisites |
| 11 | + |
| 12 | +In order to add successfully an identity Provider in Codefresh you need to do some preparatory work with both Codefresh and the provider. |
| 13 | + |
| 14 | +1. You need to inform your Identify provider that it will provide SSO services to Codefresh |
| 15 | +1. You need to set up Codefresh and point it to your Identity Provider. |
| 16 | + |
| 17 | +The first procedure differs according to you Identity Provider, but the second one is common for all providers. |
| 18 | + |
| 19 | +Note that SSO is only available to Enterprise customers. Please[contact sales](https://codefresh.io/contact-sales/) in order to enable it for your Codefresh account. |
| 20 | + |
| 21 | +##Identity Provider options |
| 22 | + |
| 23 | +Codefresh currently supports |
| 24 | + |
| 25 | +* Auth0 |
| 26 | +* Azure |
| 27 | +* Google |
| 28 | +* Okta |
| 29 | +* OneLogin |
| 30 | + |
| 31 | +To access the SSO configuration at the account level. |
| 32 | + |
| 33 | +1. Click on your avatar at the top right of the GUI and select*Account settings*. |
| 34 | +1. In the new screen, select*Single Sign-on* from the left sidebar. |
| 35 | + |
| 36 | +{% include image.html |
| 37 | +lightbox="true" |
| 38 | +file="/images/administration/sso/add-sso-dropdown.png" |
| 39 | +url="/images/administration/sso/add-sso-dropdown.png" |
| 40 | +alt="SSO provider settings" |
| 41 | +caption="SSO provider settings" |
| 42 | +max-width="70%" |
| 43 | +%} |
| 44 | + |
| 45 | +{:start="3"} |
| 46 | +1. To connect an Identity Provider, click the*add single-sign-on* button and select your provider from the drop-down menu. |
| 47 | + |
| 48 | +##Codefresh SSO setup |
| 49 | + |
| 50 | +Regardless of the Identity Provider that you have chosen, the setup in Codefresh is similar for all of them. You need to provide several fields to Codefresh to activate SSO. The common ones are: |
| 51 | + |
| 52 | +**Display Name* - A name for your Identity Provider |
| 53 | +**Client ID* - An ID that will be used for the connection |
| 54 | +**Client Secret* - A secret associated with the ID |
| 55 | + |
| 56 | +Some providers also need additional fields which are specific to that provider. |
| 57 | + |
| 58 | +The process to obtain the values for these fields depends on the individual Identity Provider. In the following |
| 59 | +sections we will outline the details for each one. |
| 60 | + |
| 61 | +###Setting Auth0 as an Identity provider |
| 62 | + |
| 63 | +See the[Auth0 instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-auth0/). |
| 64 | + |
| 65 | +###Setting Azure as an Identity provider |
| 66 | + |
| 67 | +See the[Azure instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-azure/). |
| 68 | + |
| 69 | +###Setting Google as an Identity provider |
| 70 | + |
| 71 | +See the[Google instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-google/). |
| 72 | + |
| 73 | +###Setting Okta as an Identity Provider |
| 74 | + |
| 75 | +See the[Okta instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-okta/). |
| 76 | + |
| 77 | +###Setting OneLogin as an Identity Provider |
| 78 | + |
| 79 | +See the[OneLogin instructions]({{site.baseurl}}/docs/single-sign-on/oidc/oidc-onelogin/). |
| 80 | + |
| 81 | +##Testing your Identity provider |
| 82 | + |
| 83 | +Once you set up the Identity Provider, do the following |
| 84 | + |
| 85 | +1. Go to the collaborators screen by clicking on*People* on the left sidebar (under User Management). |
| 86 | +1. Add an active user that will be used for testing. We recommend you use your own user. |
| 87 | +1. Change Login method by selecting your Auth provider from the SSO drop-down. |
| 88 | + |
| 89 | + {% include image.html |
| 90 | + lightbox="true" |
| 91 | + file="/images/administration/sso/collaborators.png" |
| 92 | + url="/images/administration/sso/collaborators.png" |
| 93 | + alt="Adding collaborators" |
| 94 | + caption="Adding collaborators" |
| 95 | + max-width="70%" |
| 96 | + %} |
| 97 | + |
| 98 | +1. Keep the current browser session open, and log in via Corporate SSO in an incognito tab (or another browser). |
| 99 | + |
| 100 | + {% include image.html |
| 101 | + lightbox="true" |
| 102 | + file="/images/administration/sso/sign-with-sso.png" |
| 103 | + url="/images/administration/sso/sign-with-sso.png" |
| 104 | + alt="Sign-in with SSO" |
| 105 | + caption="Sign-in with SSO" |
| 106 | + max-width="50%" |
| 107 | + %} |
| 108 | + |
| 109 | +1. If everything works, add more users. |
| 110 | + |
| 111 | +>Before enabling SSO for all users, you**MUST** make sure that it is working for the test user, because if SSO is enabled for a user, Codefresh blocks logins through other IDPs for this user and only the enabled SSO is allowed. If the selected SSO method does not work for some reason, users will be locked out of Codefresh. |
| 112 | +
|
| 113 | +##Selecting SSO method for collaborators |
| 114 | + |
| 115 | +To add users and select their SSO method, go to*Collaborators* from the left sidebar. Then add the email or Codefresh username of a user. |
| 116 | + |
| 117 | +In addition to their role you can now select the SSO method they will use |
| 118 | + |
| 119 | +{% include image.html |
| 120 | +lightbox="true" |
| 121 | +file="/images/administration/sso/select-user-sso.png" |
| 122 | +url="/images/administration/sso/select-user-sso.png" |
| 123 | +alt="Selecting SSO method" |
| 124 | +caption="Selecting SSO method" |
| 125 | +max-width="50%" |
| 126 | +%} |
| 127 | + |
| 128 | +**SSO login for new and existing users** |
| 129 | +If you have multiple SSO providers configured, you can select a different provider for each user if so required. |
| 130 | + |
| 131 | +* New users |
| 132 | + If you have an SSO provider selected as the default, that provider is automatically assigned to new users, added either manually or via team synchronization. |
| 133 | + |
| 134 | +* Existing users |
| 135 | + SSO login is not configured by default for existing users. You must_explicitly select_ the SSO provider for existing users. |
| 136 | + If SSO login is already configured for an existing user, and you add a new identity provider, to change the SSO login to the new provider, you must_select_ the new provider for the user. |
| 137 | + |
| 138 | + |
| 139 | +##Setting a default provider |
| 140 | + |
| 141 | +If you have multiple SSO providers set you can hover your mouse on the top right of the SSO screen |
| 142 | +and setup one of them as the default provider. |
| 143 | + |
| 144 | +{% include image.html |
| 145 | +lightbox="true" |
| 146 | +file="/images/administration/sso/default-sso.png" |
| 147 | +url="/images/administration/sso/default-sso.png" |
| 148 | +alt="Default SSO provider" |
| 149 | +caption="Default SSO provider" |
| 150 | +max-width="90%" |
| 151 | +%} |
| 152 | + |
| 153 | +If a default sso provider is set then: |
| 154 | + |
| 155 | +1. This SSO method will be automatically assigned to all new invited users |
| 156 | +1. All new users will receive an email with an invite link that points them directly to the login page of that SSO provider |
| 157 | + |
| 158 | +##Syncing of teams after initial SSO setup |
| 159 | + |
| 160 | +Once the initial setup is done, you can also sync your teams between Codefresh and the Identity provider. |
| 161 | +You can do this via the[Codefresh Cli](https://codefresh-io.github.io/cli/) and specifically the[sync command](https://codefresh-io.github.io/cli/teams/synchronize-teams/). |
| 162 | + |
| 163 | +For example, to sync you azure teams you can execute |
| 164 | + |
| 165 | +```bash |
| 166 | +codefresh synchronize teams my-client-name -t azure |
| 167 | +``` |
| 168 | + |
| 169 | +You can find the client-name from the SSO UI. |
| 170 | + |
| 171 | +{% include image.html |
| 172 | +lightbox="true" |
| 173 | +file="/images/administration/sso/azure/client-name.png" |
| 174 | +url="/images/administration/sso/azure/client-name.png" |
| 175 | +alt="SSO Client Name" |
| 176 | +caption="SSO Client Name" |
| 177 | +max-width="40%" |
| 178 | +%} |
| 179 | + |
| 180 | +Even though you can run this command manually it makes more sense to run it periodically as a job. And the obvious |
| 181 | +way to perform this, is with a Codefresh pipeline. The CLI can be used as a[freestyle step]({{site.baseurl}}/docs/codefresh-yaml/steps/freestyle/). |
| 182 | + |
| 183 | +You can create a git repository with a[codefresh.yml]({{site.baseurl}}/docs/codefresh-yaml/what-is-the-codefresh-yaml/) file with the following contents: |
| 184 | + |
| 185 | +`YAML` |
| 186 | +{% highlight yaml %} |
| 187 | +{% raw %} |
| 188 | +version: '1.0' |
| 189 | +steps: |
| 190 | + syncMyTeams: |
| 191 | + title: syncTeams |
| 192 | + image: codefresh/cli |
| 193 | + commands: |
| 194 | + - 'codefresh synchronize teams my-client-name -t azure' |
| 195 | +{% endraw %} |
| 196 | +{% endhighlight %} |
| 197 | + |
| 198 | +To fully automate this pipeline you should set a[cron trigger]({{site.baseurl}}/docs/configure-ci-cd-pipeline/triggers/cron-triggers/) for this pipeline. The cron-trigger will be responsible for running this pipeline (and therefore synchronizing the teams) in a fully automated manner. |
| 199 | + |
| 200 | +This way you can synchronize your teams every day/week/hour depending on you cron trigger setup. |
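Review bot: The `syncMyTeams` step in the `codefresh.yml` example and the one-off CLI command both hardcode the literal `my-client-name`, while the surrounding text only says the client name "can be found" in the SSO UI; say explicitly that the reader must replace `my-client-name` with the client name shown on their own SSO screen, otherwise the copied pipeline will fail against a non-existent client. Since the pipeline runs the `codefresh/cli` image unattended on a cron trigger, it would also help to state how the CLI is expected to be authenticated in that step, as nothing in the snippet shows it. In the testing section, the lockout warning ("users will be locked out of Codefresh") is the most important sentence on the page; consider placing it before the step list rather than after "If everything works, add more users", so an admin reads it before changing a login method. Finally, a few wording slips: "Identify provider" should be "Identity Provider", "according to you Identity Provider" and "depending on you cron trigger setup" should read "your", "sync you azure teams" should be "sync your Azure teams", "In order to add successfully an identity Provider" reads better as "To successfully add an Identity Provider", "OAUTH 2.0" is conventionally written "OAuth 2.0", "Codefresh Cli" should be "Codefresh CLI", and "default sso provider" should use the capitalised "SSO" used elsewhere.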