Understanding authentication in CloudBees Unify

CloudBees Unify supports multiple authentication methods that serve different organizational needs and security requirements. Understanding these authentication options is essential for choosing the right approach for your organization’s identity management strategy. This page explains the available authentication methods, when to use each approach, and how they integrate with your security architecture.

CloudBees Unify provides authentication methods in two categories: basic authentication for individual user accounts and enterprise authentication for organizational identity integration.

  • Basic authentication methods:

    • CloudBees credentials: Platform-native username and password accounts managed directly within CloudBees Unify.

    • GitHub OAuth: Delegated authentication using existing GitHub accounts and credentials.

    • Google social authentication: Delegated authentication using existing Google accounts and credentials.

  • Enterprise authentication methods:

    • SAML single sign-on (SSO): Enterprise identity federation using Security Assertion Markup Language standards.

    • OpenID Connect (OIDC): Modern identity protocol for cloud-native authentication and authorization workflows.

Authentication method selection operates at both organizational and individual levels. Organizations can configure enterprise authentication methods and policies that affect which methods are available and how they work. Within that framework, individual users choose their authentication method when creating their account, and must continue using that same method for all future sign-ins.

Organizations can enable enterprise authentication (SAML or OIDC) for specific domains, configure auto-provisioning for users from verified domains, or use strict mode to require all users to authenticate through the enterprise system. These organizational settings can coexist with individual user authentication choices, allowing mixed authentication methods within the same tenant.

The choice between these methods involves trade-offs between security control, administrative overhead, user convenience, and integration complexity. Understanding these trade-offs helps administrators select the most appropriate authentication strategy for their organization.

Basic authentication methods

Basic authentication methods serve individual user accounts with different trade-offs between security control and user convenience.

CloudBees credentials provide direct platform control over authentication policies, including multifactor authentication, password requirements, and account recovery. However, users must manage an additional set of credentials specifically for CloudBees Unify.

Social authentication (GitHub OAuth and Google) delegates identity management to external providers, reducing password management burden but limiting organizational control over security policies. Organizations depend on the external provider’s security practices and availability.

Enterprise authentication methods

Enterprise authentication methods integrate CloudBees Unify with existing organizational identity systems for centralized user management and single sign-on.

SAML works best for traditional enterprise environments with centralized identity systems like Active Directory or Okta. It requires domain verification to establish trust relationships and supports auto-provisioning for verified domain users.

OIDC excels in cloud-native environments and automated workflows. It uses JSON Web Tokens (JWTs) that can carry contextual information like repository or environment details, enabling CloudBees Unify workflows to authenticate directly to cloud services without storing credentials.

Choose SAML for traditional enterprise identity systems and human users. Choose OIDC for cloud-first environments with extensive automation needs.
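
An added example (not CloudBees code) of the claim check a cloud service receiving such an OIDC token would apply before granting access, binding the token to one repository and environment. The issuer URL, audience, and the `repository` and `environment` claim names and values are assumptions made for illustration, and the token's signature is assumed to have been verified already against the issuer's published keys.

```python
import time

# Hypothetical trust policy held by the cloud-side verifier for one workflow.
# Issuer, audience and claim names/values are constructed for illustration.
POLICY = {
    "iss": "https://oidc.example.invalid",
    "aud": "sts.cloud.example",
    "context": {"repository": "acme/payments", "environment": "production"},
}

def check_claims(claims, policy, now=None, leeway=30):
    """Return a list of reasons to reject; an empty list means accept.

    `claims` must come from a token whose signature was already verified.
    """
    now = time.time() if now is None else now
    reasons = []
    if claims.get("iss") != policy["iss"]:
        reasons.append("issuer mismatch")
    # "aud" may be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["aud"] not in audiences:
        reasons.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        reasons.append("expired or missing exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        reasons.append("not yet valid")
    # Contextual claims: exact match only, and fail closed when a claim is absent.
    for name, expected in policy["context"].items():
        if claims.get(name) != expected:
            reasons.append(f"{name} mismatch")
    return reasons

# Constructed sample claim sets.
NOW = 1_700_000_000
GOOD = {"iss": POLICY["iss"], "aud": ["sts.cloud.example"], "exp": NOW + 300,
        "repository": "acme/payments", "environment": "production"}
WRONG_ENV = dict(GOOD, environment="staging")
NO_REPO = {k: v for k, v in GOOD.items() if k != "repository"}

if __name__ == "__main__":
    for label, c in [("good", GOOD), ("wrong env", WRONG_ENV), ("no repo", NO_REPO)]:
        print(label, check_claims(c, POLICY, now=NOW) or "accept")
```

Matching the contextual claims exactly, rather than by prefix or wildcard, is what keeps a token issued for one repository or environment from being accepted for another.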

Authentication and platform security

Authentication method selection affects how user management integrates with role-based access control (RBAC) and organizational security policies.

Manual user management: Basic authentication methods (CloudBees credentials, social auth) require administrators to explicitly assign users to teams and roles.

Automated user management: Enterprise authentication can leverage identity provider information to automatically assign roles based on group membership and support auto-provisioning for verified domain users.

Strict mode: Disables user invitations, requiring all users to authenticate through the configured enterprise system.

Organizations often start with basic authentication for simplicity, then migrate to enterprise methods as security requirements mature.