SAML single sign-on
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
With SAML, users can sign in to multiple applications using the same credentials.
CloudBees Feature Flags uses the SAML 2.0 protocol to implement single sign-on.
CloudBees Feature Flags IdP support
CloudBees Feature Flags SAML supports the following IdPs:
To enable SAML, you need to be an application Admin (to see your team admins, go to Account > Team Management and look at the permissions column). At the top of the Account > Team Management screen there is a SAML action button; once activated, you will be prompted to enter:
Team Login Prefix
SAML Strict Mode
This is the team entry point using SAML.
When SAML is on, in order to login to the CloudBees Feature Flags dashboard, the link is:
This will also be part of the callback from the used IdP (ACS URL, which should be set on the IdP side):
To disable SAML for the application, go to Account > Team Management as an admin user and click the SAML button.
SAML and CloudBees Feature Flags Permissions
Even when using SAML, a user must be first invited to the CloudBees Feature Flags platform. In the case where SAML is disabled, users would still be able to log in to CloudBees Feature Flags using their email and password.
How SAML with CloudBees Feature Flags works
CloudBees Feature Flags SAML authentication is SP initiated. CloudBees Feature Flags integrates with an IdP by linking a CloudBees Feature Flags user to an IdP user. The link is made using the SAML NameIdFormat, which is required. The Active Directory default settings usually do not include NameIdFormat, so it has to be added manually.
This link between a CloudBees Feature Flags user and the IdP user is created only through a CloudBees Feature Flags user invitation email or a forgot-password email.
Users who were invited to CloudBees Feature Flags before an admin set the SAML configuration will have to click "forgot password" and then click the link in the email. This creates the link and allows SAML login. This includes the admin user who set up SAML.
Users who were invited after the SAML configuration was set (by an admin) need to click the link in the invitation email.
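To make the SP-initiated flow above concrete, here is an added example (not CloudBees code, and not a description of how CloudBees Feature Flags is implemented) of the checks an SP performs on the response posted to its ACS URL before it maps the asserted NameID to a locally linked user. The ACS URL, entity IDs, the sample response and the user table are all constructed placeholders. The example deliberately does not reimplement XML signature verification; in a real SP that check runs first, typically through a SAML library, and none of the values below may be trusted until it passes. The user table models the page's rule that a user who has not followed the invitation or forgot-password link has no linked NameID and therefore cannot sign in through SAML.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP-side configuration (placeholders, not real CloudBees values).
ACS_URL = "https://sp.example.test/saml/acs/team-prefix"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
IDP_ENTITY_ID = "https://idp.example.test/metadata"

# Constructed sample response, as an IdP would POST it to the ACS URL after an
# SP-initiated login. Signature elements are omitted (see the lead-in).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.test/saml/acs/team-prefix">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed local user table: linked_name_id is set only once the user has
# followed the invitation or forgot-password link; bob has not yet done so.
USERS = {
    "alice@example.test": {"linked_name_id": "alice@example.test"},
    "bob@example.test": {"linked_name_id": None},
}


def parse_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID,
                   idp_entity_id=IDP_ENTITY_ID):
    """Validate addressing, issuer, validity window and NameID.

    Returns (ok, reason, name_id). Assumes the XML signature was already
    verified by the caller; this function does not check it.
    """
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return False, "Destination does not match the ACS URL", None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report Success", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element", None
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        return False, "unexpected Issuer", None
    conds = assertion.find("saml:Conditions", NS)
    if conds is None:
        return False, "missing Conditions", None
    not_before, not_after = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if (not_before and now < parse_time(not_before)) or (not_after and now >= parse_time(not_after)):
        return False, "assertion outside its validity window", None
    if conds.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != sp_entity_id:
        return False, "Audience does not match the SP entity ID", None
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.get("Format") or not (name_id.text or "").strip():
        return False, "NameID with a Format attribute is required", None
    return True, "ok", name_id.text.strip()


def resolve_user(name_id, users=USERS):
    """Map the asserted NameID to the local account that was linked to it."""
    for email, record in users.items():
        if record["linked_name_id"] == name_id:
            return email
    return None


def saml_login(xml_text, now, users=USERS):
    """SP-side flow: validate the response, then require an existing link."""
    ok, reason, name_id = check_response(xml_text, now)
    if not ok:
        return None, reason
    email = resolve_user(name_id, users)
    if email is None:
        return None, "no linked user for this NameID; invitation or forgot-password link required"
    return email, "ok"


if __name__ == "__main__":
    print(saml_login(SAMPLE_RESPONSE, parse_time("2024-01-01T12:00:00Z")))
```

The order of checks matters for the reader: Destination is compared against the configured ACS URL and Audience against the SP entity ID so that an assertion issued for a different SP or team prefix is rejected, the validity window is enforced with NotOnOrAfter treated as exclusive, and the NameID is required to carry a Format attribute, mirroring the note above that Active Directory often omits it.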
Additional examples that require the "forgot password" link: