<codefresh_client_name> is generated by Codefresh when you configure SSO settings.
For now, use a temp value such as `https://g.codefresh.io/api/auth/temp/callback`.
where:
`<codefresh_client_name>` is generated by Codefresh when you configure SSO settings.
For now, use a temp value such as `https://g.codefresh.io/api/auth/temp/callback`.
* Select **Save**.
{% include image.html
{% include image.html
lightbox="true"
file="/images/sso/okta/image4.png"
url="/images/sso/okta/image4.png"
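Review bot: The `where:` paragraph tells the reader to enter a temporary sign-in redirect value (`https://g.codefresh.io/api/auth/temp/callback`) but does not say at which later step it is replaced with the URI that contains the generated `<codefresh_client_name>`. Add a pointer to that step here so the placeholder callback is not left registered in the Okta application.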
@@ -88,44 +89,51 @@ Set up OIDC SSO for Okta in Codefresh by:
max-width="70%"
%}
{:start="7"}
1. Continue with [Step 2: Configure OIDC SSO settings for Okta in Codefresh](#step-2-configure-oidc-sso-settings-for-okta-in-codefresh).
## Step 2: Configure OIDC SSO settings for Okta in Codefresh
To configure OIDC SSO settings for Okta in Codefresh, you need the Client ID, Client Secret, Access token, and the Codefresh application ID as defined in Okta.
**Before you begin**
Copy the values from the following screens in Okta:
### Before you begin
1. Copy the values from the following screens in Okta:
* Client ID and Client secret
* The API token generated in OKTA from Security tab > API
* Application ID assigned to the Codefresh application in Okta
{% include image.html
lightbox="true"
file="/images/sso/okta/image7.png"
url="/images/sso/okta/image7.png"
alt="Client ID and secret"
caption="Client ID and secret"
max-width="70%"
alt="Client ID andClientsecret"
caption="Client ID andClientsecret"
max-width="60%"
%}
The API token generated in OKTA from Security tab >API.
{% include image.html
lightbox="true"
file="/images/sso/okta/image2.png"
url="/images/sso/okta/image2.png"
alt="API token in Okta to use as Access token"
caption="API token in Okta to use as Access token"
max-width="70%"
max-width="60%"
%}
This Application ID assigned to the Codefresh application in Okta.
{% include image.html
lightbox="true"
file="/images/sso/okta/image3.png"
url="/images/sso/okta/image3.png"
alt="App ID"
caption="App ID"
max-width="70%"
alt="Application ID"
caption="Application ID"
max-width="60%"
%}
**How to**
{:start="2"}
1. The names of the accounts to sync to Codefresh through this integration. Verify that you have administrator access to each of the accounts.
### How to
1. In the Codefresh UI, from the toolbar click the **Settings** icon.
1. In the sidebar, from Access & Collaboration, select [Single Sign-On](https://g.codefresh.io/2.0/account-settings/single-sign-on){:target="\_blank"}.
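Review bot: The image attributes `alt="Client ID andClientsecret"` and `caption="Client ID andClientsecret"` are missing spaces and should read "Client ID and Client secret", matching the bullet above them. In the same hunk the intro sentence asks for an "Access token" while the list item calls it "The API token generated in OKTA"; say explicitly that the Okta API token is the value entered as the Access token, and write the vendor name consistently as "Okta".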
@@ -150,7 +158,10 @@ max-width="30%"
* **Client Host**: The OKTA organization URL, for example, `https://<company>.okta.com`.
Do not copy the URL from the admin view (e.g. `https://<company>-admin.okta.com`), as it will not work.
* **Application ID**: The Codefresh application ID in your OKTA organization, that will be used to sync groups and user from OKTA to Codefresh.
1. Optional. To automatically sync teams or groups in Okta to Codefresh, select **Auto group sync**.
* **Additional accounts to sync**: Optional. The names of the additional Codefresh accounts to be synced from Okta.
Codefresh validates if the user has both access to and administrator privileges for the selected accounts.
See [How Okta syncing works](#how-okta-syncing-works) for team/group sync options with Okta.
1. Optional. To automatically sync teams or groups in Okta to Codefresh via the UI, including additional Codefresh accounts selected if any, select **Auto-group sync**.
This action syncs groups every 12 hours.
> Though you can assign an Okta application to both groups and individual users, Codefresh _only syncs users who are part of teams_.
New users in Okta, _not_ assigned to a team, are **NOT** synced with Codefresh. You should first assign the user to a team for the sync to work.
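Review bot: The link `[How Okta syncing works](#how-okta-syncing-works)` on the "See" line depends on a heading with exactly that title, and the last hunk of this file shows both `## How Okta syncing works` and `## CLI/UI-based team/group sync for Okta`, so confirm the anchor still resolves in the final page. In the "Additional accounts to sync" description, "the user" is ambiguous: state whether it is the person configuring the integration who must have access to and administrator privileges for each selected account.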
@@ -164,7 +175,7 @@ max-width="30%"
url="/images/sso/okta/image6.png"
alt="Client name"
caption="Client name"
max-width="70%"
max-width="50%"
%}
{:start="6"}
@@ -178,26 +189,21 @@ max-width="30%"
You have now completed SSO setup for Okta.
## How Okta syncing works
[Syncing with Okta]({{site.baseurl}}/docs/single-sign-on/team-sync/)
only affects teams/groups, and not individual users.
## CLI/UI-based team/group sync for Okta
Syncing with Okta _only affects teams/groups_, and not individual users.
After initial SSO setup, you can activate automatic syncing of teams for the integration account or for both the integration and additional accounts via the CLI and the UI.
* CLI
You can select multiple Codefresh accounts to sync through the **Additional accounts to sync** option in the UI, and then either create a Codefresh pipeline with the CLI command or run the CLI command when required.
The pipeline should run the CLI command `codefresh synchronize teams my-okta-client-name -t okta`.
See [Syncing teams in IdPs with Codefresh]({{site.baseurl}}//docs/single-sign-on/team-sync/#syncing-teams-in-idps-with-codefresh).
### Sync teams after initial SSO setup
There are two ways to set up automatic syncing of teams:
* Pipeline running a CLI command: Create a Codefresh pipeline the runs the CLI command `codefresh synchronize teams my-okta-client-name -t okta` as explained in the [pipeline sync page]({{site.baseurl}}/docs/single-sign-on/team-sync).
* Turn on the auto-sync toggle as part of the SSO configuration settings.:
Select the Codefresh accounts to sync to through the **Additional accounts to sync** option in the UI, and turn on **Auto-group sync** in the SSO configuration settings.
## Related articles
[Federated Single Sign-On (SSO) overview]({{site.baseurl}}/docs/single-sign-on/single-sign-on/)
[Common configuration for SSO providers]({{site.baseurl}}/docs/single-sign-on/team-sync)
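Review bot: The link on the "See" line has a doubled slash, `{{site.baseurl}}//docs/single-sign-on/team-sync/...`, while the other links in this hunk use a single slash after `{{site.baseurl}}`. The intro sentence promises sync "via the CLI and the UI" but only a `* CLI` list item is visible, so add the matching UI item or drop the bullet. If the "Pipeline running a CLI command" and auto-sync toggle bullets remain in the page, change "a Codefresh pipeline the runs" to "that runs" and remove the stray ".:" after "SSO configuration settings".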
@@ -18,8 +18,16 @@ In Codefresh you can sync users and teams either automatically or manually:
* Automatically, in the Codefresh UI if the option is supported for your SSO provider
* Manually, either on-demand through the Codefresh CLI, or through a Codefresh pipeline
<!---
### Multi-account team-sync in Codefresh for SSO providers
SSO providers can sync users from multiple accounts, in addition to the primary account associated with the specific SSO integration.
This functionality benfits enterprises that manage multiple accounts for a single customer, as it streamlines the sync process through a single operation.
If a customer has dev and prod accounts in Codefresh, they can set up an SSO integration for one of the accounts, and then specificy the ID of the second account to sync.
Codefresh validates if the user has access to the accounts specified, and during team-sync retrieives the accounts and invites users in teams/groups for those accounts.
-->
### Team-sync support in Codefresh for SSO providers
The table lists the SSO providers supported in Codefresh and the team-sync option available for them.
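Review bot: The commented-out "Multi-account team-sync" section has three typos to fix before it is ever uncommented: "benfits" (benefits), "specificy" (specify) and "retrieives" (retrieves). Its last sentence says Codefresh validates that the user "has access to the accounts specified", while the Okta page in this same change says "both access to and administrator privileges"; align the two statements so the required privilege level is unambiguous.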