SAML single sign-on
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
Users are able to sign in to multiple software applications using the same login details with SAML.
CloudBees Rollout uses the SAML 2.0 protocol to implement single sign-on.
CloudBees Rollout IdP support
CloudBees Rollout SAML supports the following IdPs:
To enable SAML, you must be an application Admin (to see your team's admins, go to Account > Team Management and check the Permissions column). At the top of the Account > Team Management screen there is a SAML action button; once it is activated, you will be prompted to enter:
Team Login Prefix
SAML Strict Mode
This is the team entry point using SAML.
When SAML is on, the link used to log in to the CloudBees Rollout dashboard is:
This will also be part of the callback from the IdP in use (the ACS URL, which must be configured on the IdP side):
To disable SAML for the application, go to Account > Team Management as an admin user and click the SAML button.
SAML and CloudBees Rollout Permissions
Even when using SAML, a user must first be invited to the CloudBees Rollout platform. If SAML is disabled, users can still log in to CloudBees Rollout with their email and password.
How SAML with CloudBees Rollout works
CloudBees Rollout SAML authentication is SP-initiated. CloudBees Rollout integrates with an IdP by linking a CloudBees Rollout user to an IdP user. The link is made through the SAML NameIdFormat, which is therefore required. The Active Directory default configuration usually does not include a NameIdFormat, so it has to be added manually.
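Because the user link depends on the assertion's NameID carrying a Format, a quick way to verify what an IdP actually sends is to decode a captured SAML response and inspect its Subject. The following is an added example, not CloudBees Rollout code; it assumes a decoded (not base64-encoded, not encrypted) response, and the two embedded responses are constructed samples.

```python
# Inspects a decoded SAML 2.0 Response for the Subject NameID and its Format.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Standard NameID format URNs defined by the SAML Core specification.
KNOWN_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed sample: a minimal response whose assertion carries a NameID with a Format.
RESPONSE_WITH_FORMAT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same response with the Format attribute left out,
# which is what a default Active Directory setup typically produces.
RESPONSE_WITHOUT_FORMAT = RESPONSE_WITH_FORMAT.replace(
    ' Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"', "")


def inspect_name_id(response_xml):
    """Return (value, format, issues) for the first assertion's Subject NameID."""
    root = ET.fromstring(response_xml)
    issues = []
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None, None, ["assertion has no Subject/NameID"]
    value = (name_id.text or "").strip()
    fmt = name_id.get("Format")
    if not value:
        issues.append("NameID is empty")
    if fmt is None:
        issues.append("NameID has no Format attribute; add a NameIdFormat on the IdP side")
    elif fmt not in KNOWN_FORMATS:
        issues.append(f"unrecognised NameID Format: {fmt}")
    return value, fmt, issues


if __name__ == "__main__":
    for label, xml in (("with format", RESPONSE_WITH_FORMAT), ("without format", RESPONSE_WITHOUT_FORMAT)):
        print(label, inspect_name_id(xml))
```

A real SAMLResponse arrives base64-encoded in the POST to the ACS URL; decode it first, and note that encrypted assertions would need decrypting before this check applies.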
This link between a CloudBees Rollout user and the IdP user is created only via a CloudBees Rollout user invitation email or a forgot-password email.
Users who were invited to CloudBees Rollout before an admin configured SAML must click "forgot password" and then follow the link in the resulting email. This creates the link and enables SAML login for them. This includes the admin user who configured SAML.
Users who were invited after SAML was configured (by an admin) need to click the link in the invitation email.
Additional examples that require the "forgot password" link: