SAML single sign-on

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Users are able to sign in to multiple software applications using the same login details with SAML.

CloudBees Feature Flags uses the SAML 2.0 protocol to implement single sign-on.

CloudBees Feature Flags IdP support

CloudBees Feature Flags SAML supports the following IdP’s:

  • Onelogin

  • Okta

  • Active Directory Federation Services (ADFS)

Configuring SAML for teams

  • To enable SAML for teams, you need to be an application Admin (to see your team admins go to Account > Team Managment and look at the permissions column). At the top of the Account > Team Managment screen, there is a SAML action button and once activated, you will be prompt to enter:

    • Team Login Prefix

    • IdP metadata

    • SAML Strict Mode

Team Login Prefix

This is the team entry point using SAML.

  • When SAML is on, in order to login to the CloudBees Feature Flags dashboard, the link is: https://app.rollout.io/login/<team-login-prefix>

  • This will also be part of the callback from the used IdP (ACS URL, which should be set on the IdP side): https://app.rollout.io/login/<team-login-prefix>/callback.

IdP metadata

Metadata obtained from the IdP.

SAML Strict Mode

All non-admin users must use SAML to log in to CloudBees Feature Flags. Any existing CloudBees Feature Flags username/password, or alternatives such as Google OAuth, will not be valid. Note that Admins retain access to alternatives in case you need to fix issues with SAML.

Inviting new team members using SAML

If you have SAML Strict Mode enabled, invited users will receive a new invitation email that bypasses the CloudBees login page and sets up the SAML connection.

SAML email invitation

Once users complete the invitation procedure, they can verify their SAML connection is working by going to their Account page and checking the SAML Status section has a Connected state.

SAML status connected

If the invited user did not receive their invitation, or the SAML IdP metadata has changed, administrative users can re-invite users with the Resend SAML Invite button next to the user’s email under Team Management. This is useful especially if you have SAML Strict Mode enabled.

SAML invitation

If SAML Strict Mode is not enabled, users must create a username and password and will not be directed to login via SAML. Users can then enable SAML support at any time by going to their Account page and clicking Connect SAML.

Enable SAML for existing users

To configure SAML for individual users within a team that has it enabled, the user must perform the following steps:

  1. Under User > Account, they will see a SAML Status box.

  2. Instruct the user to click on Connect SAML to establish the SAML link. When they click Connect SAML, Connect to your IdP appears.

    Connect to your IdP modal
  3. When the user clicks OK they will receive an email confirmation to reset their password.

  4. The user then proceeds to their email inbox and follows the password reset instructions to complete the SAML connection.

  5. After the user clicks Reset password in their email and completes the password reset, the SAML Status should now show Connected.

    SAML status connected

If the user has changed IdP or some other aspect of their account, they can click on Reconnect SAML to set up a new SAML connection which repeats the same password renewal process.

Disable SAML

To disable SAML for the application, go to Account > Team Managment as an admin user and click on the SAML button.

SAML and CloudBees Feature Flags Permissions

Even when using SAML, a user must be first invited to the CloudBees Feature Flags platform. In the case where SAML is disabled, users would still be able to log in to CloudBees Feature Flags using their email and password.

How SAML with CloudBees Feature Flags works

CloudBees Feature Flags SAML authentication is SP initiated. CloudBees Feature Flags integrates with an IDP provider by linking a CloudBees Feature Flags user with an IDP user. The link is done using the SAML’s NameIdFormat which is required. The Active Directory default setting usually does not include NameIdFormat and has to be added manually.

This link between a CloudBees Feature Flags user and the IDP user is created using the following methods:

  • CloudBees Feature Flags user invitation email

  • From the User > Account page, click Connect SAML (or Reconnect SAML) from SAML Status

Users that were invited after SAML configurations were set (by an admin), will need to click the link in the invitation email.

Additional examples that require resetting SAML include:

  • NameIdFormat value was changed (value for a specific user, only this user will have to reset the link)

  • NameIdFormat field was switched on the IDP side (each user will have to reset the link).

  • Switching IDPs (each user).

  • Clicking the Connect SAML (or Reconnect SAML) from SAML Status on the User > Account page.