SSO Group Sync
The platform can be configured to allow user authentication via Single-Sign-On (SSO). SSO is an authentication method that enables users to access multiple applications with a single set of login credentials. This feature allows users with a valid account on another service (e.g., GitHub) to authenticate and log into the platform using that service. While this approach simplifies user management for administrators, a mechanism is still needed to ensure appropriate permissions are applied to these users. SSO groups address this need.
Most SSO providers allow administrators to configure the data shared with authenticating platforms. Among this shared data, the list of groups to which the authenticating user belongs is particularly important. Upon SSO authentication in the platform, this group data is inspected. The user is automatically joined to any Teams that include any of the provided group names in the SSO Groups as Members field. Any SSO group name not set in any Team's SSO Groups as Members field is dynamically created as a new Team, with the group name automatically set in the SSO Groups as Members field.
This group behavior allows administrators to create Teams in the platform that correspond to teams (groups) in the SSO identity provider, set the appropriate policy for those Teams, and enable users to be automatically assigned to the appropriate team, and thus privileges, upon logging in via SSO.
If a user belongs to multiple SSO groups that correspond to different Teams in the platform, they are added to all matching Teams.
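The sync rule described above can be modelled in a few lines to check, before rollout, which Teams a given IdP group claim will join and which group names will spawn new Teams. This is an added example, not the platform's code: the Team, user and group names are constructed, and it assumes that "exactly match" means a byte-for-byte string comparison and that an auto-created Team is named after the group.

```python
from dataclasses import dataclass, field

@dataclass
class Team:
    name: str
    sso_groups: set = field(default_factory=set)  # the "SSO Groups as Members" field
    members: set = field(default_factory=set)

def sync_on_login(teams, user, idp_groups):
    """Model one SSO login. Returns (joined, created) as sorted lists of Team names."""
    joined, created = set(), []
    for group in dict.fromkeys(idp_groups):  # drop duplicates, keep order
        # Assumption: "exactly match" means a byte-for-byte string comparison.
        matches = [t for t in teams if group in t.sso_groups]
        if not matches:
            # No Team lists this group, so a new Team is created with the group
            # set in its SSO groups field. Naming it after the group is an assumption.
            new_team = Team(name=group, sso_groups={group})
            teams.append(new_team)
            created.append(new_team.name)
            matches = [new_team]
        for team in matches:
            team.members.add(user)
            joined.add(team.name)
    return sorted(joined), sorted(created)

def demo():
    # Constructed sample data: three Teams and one user's group claim from the IdP.
    teams = [
        Team("admins", {"Platform-Admins"}),
        Team("developers", {"eng-backend", "eng-frontend"}),
        Team("auditors", {"sec-audit"}),
    ]
    # "platform-admins" differs in case from the configured "Platform-Admins".
    claim = ["eng-backend", "sec-audit", "platform-admins"]
    joined, created = sync_on_login(teams, "alice", claim)
    return teams, joined, created

if __name__ == "__main__":
    teams, joined, created = demo()
    print("joined:", joined)
    print("auto-created:", created)
    print("admins members:", sorted(teams[0].members))
```

In this run the mismatched group name leaves the user out of the intended Team and produces an extra Team instead, which is why unexpected entries in the Teams list are worth reviewing against the IdP's group names.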
Creating a team with SSO group membership
Select the Users field on the left menu bar.
Click the Teams button on the User Management screen.
Click the button.
In the drawer that appears from the right, give your new team a name by replacing the 'my-team' placeholder name, or by updating the manifest YAML 'metadata.name' field.
In the Team Members tab, enter any desired groups into the SSO Groups as Members field. You can add as many groups as you like here. These group names must exactly match the group names that the SSO provider shares with the platform during SSO authentication.
Make any additional desired modifications to your new Team.
Click on the button.