Set up, configure, and manage SAML single sign-on (SSO) for centralized authentication with your identity provider. Before you begin, ensure you have Admin permissions in CloudBees Unify and access to your organization’s identity provider (IdP) configuration.
| Each verified domain can only accommodate a single SAML connection with a given IdP. To create multiple SAML connections, you must use either multiple domains or multiple IdPs. |
To configure SAML SSO, navigate to Admin settings > Authentication. Use Domains for domain verification and Connections for SAML configuration.
Add and verify a domain
- Select Create SAML and enter your domain name.
- Create a DNS TXT record using the provided verification code.
- Select Verify once the DNS changes have propagated.
The domain status changes to Verified when successful.
| DNS propagation may take time. Check progress at dnschecker.org. |
Configure SAML connection
After verifying your domain, configure the SAML connection:
- Next to your domain, select Link connection.
- Select an existing connection from the options, or select Create new to create a new one.
  If you select an existing SSO connection, you overwrite all of its existing XML information.
- Enter a Connection name.
- Locate the metadata XML from your IdP.
- Enter your IdP metadata by uploading the XML file, pasting the XML directly, or entering the Entity ID, URL, and certificate manually.
- Select NEXT.
  CloudBees Unify generates the XML information.
- Perform one of the following:
  - Select Download XML to download the generated XML file to add to your IdP.
  - Copy the generated XML information and paste it into your IdP.
  Refer to the instructions specific to your IdP for more information.
Verify configuration requirements
Confirm that your SAML configuration meets these security requirements:
- Your IdP uses HTTP POST binding.
- Your IdP signs SAML responses using a private key that matches the signing certificate provided to CloudBees Unify.
- Your IdP encrypts SAML responses via the RSA-OAEP algorithm, using the public certificate provided by CloudBees Unify.
- Your SAML responses have the Destination attribute in the <samlp:Response> opening tag.
- Your SAML responses include valid values for both the firstName and lastName attributes.
- Your IdP sets the NameID attribute format to Email Address (not Unspecified).
| If your organization or IdP settings don’t allow configuration according to these requirements, contact CloudBees Support for assistance with a custom configuration. |
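As an added example (not CloudBees code), the following Python lint checks a decrypted SAML response against the structural requirements above: a Destination attribute on the response, a signature element on the response, an Email Address NameID format, and non-empty firstName and lastName attributes. The ACS URL, IDs, and signature value in the sample are constructed placeholders, and the check performs no cryptographic verification or decryption.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the SAML 2.0 and XML Signature specifications.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def lint_saml_response(xml_text):
    """Return requirement violations found in a decrypted response (structure only, no crypto)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    problems = []
    if not root.get("Destination"):
        problems.append("missing Destination attribute on <samlp:Response>")
    if root.find("ds:Signature", NS) is None:
        problems.append("response carries no ds:Signature")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not Email Address")
    values = {}  # attribute name -> first value, so empty values are caught as well as missing ones
    for attr in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in ("firstName", "lastName"):
        if not values.get(required):
            problems.append(f"attribute {required} is missing or empty")
    return problems

# Constructed sample (not captured traffic); the ACS URL, IDs and signature value are placeholders.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="https://unify.example.test/acs">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# The same response with three requirements broken: no Destination, Unspecified NameID, empty lastName.
SAMPLE_BAD = (SAMPLE_OK.replace(' Destination="https://unify.example.test/acs"', "")
              .replace("nameid-format:emailAddress", "nameid-format:unspecified")
              .replace("<saml:AttributeValue>Example</saml:AttributeValue>", "<saml:AttributeValue/>"))
```

Run lint_saml_response() on a response captured from your IdP's test tool before enabling the connection; an empty list means the structural requirements are met, and each finding names the requirement to fix in the IdP.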
Enable SAML connection
After configuration, enable and manage your SAML connection:
- Set the Enabled toggle to On.
- Optionally configure additional settings:
  - Strict mode: Set to On to disable user invitations, requiring all users to sign in via SAML.
  - Auto-provisioned: Set to On to automatically add new users with approved domain emails to your tenant.
| Enabled must be set to On for SAML to function; Strict mode and Auto-provisioned also take effect only while Enabled is On. |
Enable Okta SSO integration (optional)
To enable SSO through Okta by connecting your SAML configuration to the Okta tile application:
- Complete the SAML setup process above.
- On your SAML connection, select View to open the summary page.
- Copy the Service provider assertion consumer service URL.
- Follow Okta’s documentation for creating a custom app integration: Create SAML custom app integrations.
- When configuring the app in Okta, paste the copied URL into the Single sign-on URL field.
- Complete the setup in Okta.
| You may notice a brief authentication redirect (about half a second) during sign in. This is expected behavior when Okta SSO is enabled. |