SAML single sign-on

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Users are able to sign in to multiple software applications using the same login details with SAML.

CloudBees Feature Flags uses the SAML 2.0 protocol to implement single sign-on.

CloudBees Feature Flags IdP support

CloudBees Feature Flags SAML supports the following IdPs:

  • OneLogin

  • Okta

  • Active Directory Federation Services (ADFS)

Configuring SAML

  • To enable SAML you must be an application Admin (to see who your team admins are, go to Account > Team Management and check the Permissions column). At the top of the Account > Team Management screen there is a SAML action button; once you activate it, you are prompted to enter:

    • Team Login Prefix

    • IdP metadata

    • SAML Strict Mode

Team Login Prefix

This is the team's entry point for SAML login.

  • When SAML is on, users log in to the CloudBees Feature Flags dashboard at: https://app.rollout.io/login/<team-login-prefix>

  • The prefix is also part of the callback URL that the IdP posts the SAML response to (the ACS URL, which must be configured on the IdP side): https://app.rollout.io/login/<team-login-prefix>/callback

IdP metadata

The SAML metadata document obtained from the IdP. It describes the IdP's entity ID, single sign-on endpoint and signing certificate, which CloudBees Feature Flags needs to send users to the IdP and verify the responses it gets back.

SAML Strict Mode

When strict mode is on, all non-admin users must use SAML to log in to CloudBees Feature Flags. Any existing CloudBees Feature Flags username/password, or alternative such as Google OAuth, is no longer accepted for them. Admins retain access to the alternatives so that a broken SAML configuration can be repaired without locking everyone out; treat those admin accounts as break-glass access and protect them accordingly.

Disable SAML

To disable SAML for the application, go to Account > Team Management as an admin user and click the SAML button.

SAML and CloudBees Feature Flags Permissions

Even when using SAML, a user must first be invited to the CloudBees Feature Flags platform: SAML authenticates users, it does not provision them. If SAML is disabled, users can still log in to CloudBees Feature Flags with their email and password.

How SAML with CloudBees Feature Flags works

CloudBees Feature Flags SAML authentication is SP-initiated. CloudBees Feature Flags integrates with an IdP by linking a CloudBees Feature Flags user to an IdP user. The link is keyed on the SAML NameID, so a NameIdFormat must be configured on the IdP. The default Active Directory Federation Services configuration usually does not include a NameIdFormat, and it has to be added manually.

This link between a CloudBees Feature Flags user and the IdP user is created only through the CloudBees Feature Flags user invitation email or the forgot-password email.

Users who were invited to CloudBees Feature Flags before an admin configured SAML must click "forgot password" and then follow the link in the email. This creates the link and enables SAML login for them. This includes the admin user who set up SAML.

Users who were invited after SAML was configured (by an admin) need only click the link in the invitation email.

Further situations in which the link must be recreated through the "forgot password" flow:

  • The NameID value for a specific user was changed (only that user has to reset the link)

  • The NameIdFormat was switched on the IdP side (every user has to reset the link)

  • The IdP was switched (every user has to reset the link)
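The following Python model is an added example, not CloudBees code, that shows why each of the cases above forces a re-link. It models the SP side of the flow described in this section: the invitation or forgot-password step binds an already-invited user to the subject the IdP asserts, and a regular SP-initiated login only succeeds when a later assertion carries exactly the same subject. The link key is modeled here as the triple (IdP issuer, NameIDFormat, NameID value); the page itself only says the link is keyed on the NameID and that switching IdPs requires re-linking, so including the issuer is an assumption. The SAML responses are constructed and unsigned; signature, audience and timestamp validation are assumed to happen before the code below runs, and the AuthnRequest half of SP-initiated SSO is not shown.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

LinkKey = Tuple[str, str, str]  # (IdP issuer, NameIDFormat, NameID value); modeling assumption


@dataclass
class User:
    email: str
    saml_link: Optional[LinkKey] = None  # set only by the invitation / forgot-password flow


def subject_from_response(xml_text: str) -> LinkKey:
    """Extract (issuer, NameIDFormat, NameID) from a SAML Response.

    Assumed already done by the caller: signature verification against the IdP
    metadata certificate, Audience, NotBefore/NotOnOrAfter and InResponseTo checks.
    Never act on the NameID before those pass.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Assertion has no Subject/NameID: configure a NameID format on the IdP")
    return issuer, name_id.get("Format", UNSPECIFIED_FMT), name_id.text.strip()


def link_user(users: Dict[str, User], email: str, response_xml: str) -> LinkKey:
    """Invitation / forgot-password flow: bind an already-invited user to the IdP subject."""
    if email not in users:
        raise KeyError("SAML does not provision users; invite the user first")
    users[email].saml_link = subject_from_response(response_xml)
    return users[email].saml_link


def sp_initiated_login(users: Dict[str, User], response_xml: str) -> Optional[str]:
    """Regular dashboard login: succeed only when the subject matches an existing link."""
    key = subject_from_response(response_xml)
    for user in users.values():
        if user.saml_link == key:
            return user.email
    return None  # no link for this subject: the user must run "forgot password" to relink


def make_response(issuer: str, name_id_format: str, name_id: Optional[str]) -> str:
    """Constructed, unsigned Response for illustration; not from any real IdP."""
    subject = "" if name_id is None else (
        f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
            f'<saml:Issuer>{issuer}</saml:Issuer>{subject}</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    users = {"alice@example.com": User("alice@example.com")}
    first_idp = "https://idp-one.example.com"
    # Invitation / forgot-password email: the one place the link gets created.
    link_user(users, "alice@example.com", make_response(first_idp, EMAIL_FMT, "alice@example.com"))
    cases = {
        "same subject": make_response(first_idp, EMAIL_FMT, "alice@example.com"),
        "NameID value changed": make_response(first_idp, EMAIL_FMT, "alice.smith@example.com"),
        "NameIDFormat switched": make_response(first_idp, PERSISTENT_FMT, "8f3a0c2e"),
        "IdP switched": make_response("https://idp-two.example.com", EMAIL_FMT, "alice@example.com"),
    }
    for label, resp in cases.items():
        print(f"{label}: {sp_initiated_login(users, resp) or 'not linked, forgot-password needed'}")
```

Only the first case logs Alice in; the other three return no match, which is exactly the situation in which this page tells you to run the forgot-password flow, and a response with no NameID at all is rejected outright, which is the unmodified ADFS case.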