Configure SAML single sign-on


Set up, configure, and manage SAML single sign-on (SSO) for centralized authentication with your identity provider. Before you begin, ensure you have Admin permissions in CloudBees Unify and access to your organization’s identity provider (IdP) configuration.

Each verified domain can only accommodate a single SAML connection with a given IdP. To create multiple SAML connections, you must use either multiple domains or multiple IdPs.

To configure SAML SSO, navigate to Admin settings > Authentication. Use Domains for domain verification and Connections for SAML configuration.

Add and verify a domain

  1. Select Create SAML and enter your domain name.

  2. Create a DNS TXT record using the provided verification code.

  3. Select Verify once DNS changes propagate.

The domain status changes to Verified when successful.

DNS propagation may take time. Check progress at dnschecker.org.

Configure SAML connection

After verifying your domain, configure the SAML connection:

  1. Select the vertical ellipsis (⋮) next to your domain, then select Link connection.

  2. Select an existing connection from the options, or select Create new to create a new one.

    Selecting an existing SSO connection overwrites all of its existing XML information.
  3. Enter a Connection name.

  4. Locate the metadata XML from your IdP.

  5. Enter your IdP metadata using XML file upload, direct XML paste, or manual Entity ID/URL/certificate entry.

  6. Select NEXT.

    CloudBees Unify generates the XML information.

  7. Perform one of the following:

    • Select Download XML to download the generated XML file to add to your IdP.

    • Copy the generated XML information and paste it into your IdP.

      Refer to instructions specific to your IdP for more information.

Verify configuration requirements

Confirm that your SAML configuration meets these security requirements:

  • Your IdP delivers SAML responses using the HTTP POST binding.

  • Your IdP signs SAML responses with the private key corresponding to the signing certificate in the IdP metadata you provided to CloudBees Unify.

  • Your IdP encrypts SAML assertions with RSA-OAEP (the key-transport algorithm that wraps the symmetric key protecting the assertion), using the public certificate provided by CloudBees Unify.

  • Your SAML responses carry a Destination attribute on the <samlp:Response> element, set to the CloudBees Unify assertion consumer service (ACS) URL the response is posted to.

  • Your SAML responses include non-empty values for both the firstName and lastName attributes.

  • Your IdP sets the NameID format to Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress), not Unspecified.

If your organization or IdP settings don’t allow configuration according to these requirements, contact CloudBees Support for assistance with a custom configuration.
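The following added example is not CloudBees or IdP code; it is a pre-flight checker written for this page. It parses a SAML 2.0 Response with the Python standard library and reports which of the requirements above it can see: the Destination attribute against an assumed ACS URL, the presence of a signature, the RSA-OAEP key-transport algorithm when the assertion is encrypted, the emailAddress NameID format, and non-empty firstName and lastName attributes. The ACS URL and the three sample responses are constructed placeholders. It does not verify the signature bytes or decrypt the assertion (that needs an XML-security library such as xmlsec), and the HTTP POST binding is a property of the IdP's metadata rather than of the response, so it is not covered here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#", "xenc": "http://www.w3.org/2001/04/xmlenc#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# RSA-OAEP key-transport identifiers from XML Encryption 1.0 and 1.1
RSA_OAEP_ALGS = {"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep"}
REQUIRED_ATTRS = ("firstName", "lastName")
ACS_URL = "https://unify.example.com/saml/acs"  # assumed placeholder: use your connection's ACS URL


def check_response(xml_text: str, acs_url: str) -> list[str]:
    """Return the violations found; an empty list means every visible check passed.
    Signature verification and assertion decryption need an XML-security library
    such as xmlsec and are deliberately not attempted here."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]

    # Destination must be present and equal the ACS endpoint the IdP posted to
    dest = root.get("Destination")
    if dest is None:
        problems.append("Response has no Destination attribute")
    elif dest != acs_url:
        problems.append(f"Destination {dest!r} does not match ACS URL {acs_url!r}")

    # Presence only: the signature bytes are not validated here
    if root.find("ds:Signature", NS) is None and root.find("saml:Assertion/ds:Signature", NS) is None:
        problems.append("no ds:Signature on the Response or the Assertion")

    encrypted = root.find("saml:EncryptedAssertion", NS)
    assertion = root.find("saml:Assertion", NS)
    if encrypted is None and assertion is None:
        problems.append("Response carries neither Assertion nor EncryptedAssertion")

    if encrypted is not None:
        # The assertion is encrypted with a symmetric key; RSA-OAEP is the algorithm on
        # the EncryptedKey element that wraps that key, not on the EncryptedData itself
        algs = set()
        for key in encrypted.iter(f"{{{NS['xenc']}}}EncryptedKey"):
            method = key.find("xenc:EncryptionMethod", NS)
            if method is not None:
                algs.add(method.get("Algorithm", ""))
        if not algs:
            problems.append("EncryptedAssertion has no EncryptedKey/EncryptionMethod")
        elif not algs <= RSA_OAEP_ALGS:
            problems.append(f"key transport algorithm(s) {sorted(algs)} are not RSA-OAEP")

    if assertion is not None:
        # Plaintext assertion (e.g. from an IdP preview): NameID format and required attributes
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        fmt = name_id.get("Format") if name_id is not None else None
        if fmt != EMAIL_NAMEID:
            problems.append(f"NameID Format is {fmt!r}, expected {EMAIL_NAMEID!r}")
        attrs = {}
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                                       if v.text and v.text.strip()]
        for name in REQUIRED_ATTRS:
            if not attrs.get(name):
                problems.append(f"attribute {name} is missing or empty")
    return problems


# Constructed samples (no real keys or signature values), shaped like an IdP's assertion preview
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID}">alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

# Same response with three violations: wrong Destination, Unspecified NameID, empty lastName
BAD_RESPONSE = (GOOD_RESPONSE
                .replace(f'Destination="{ACS_URL}"', 'Destination="https://other.example/acs"')
                .replace(EMAIL_NAMEID, "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
                .replace("<saml:AttributeValue>Liddell</saml:AttributeValue>", ""))

# Encrypted variant: an EncryptedAssertion whose AES key is wrapped with RSA-OAEP
ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}" ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
 Destination="{ACS_URL}">
 <ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
 <saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>a2V5</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>ZGF0YQ==</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
```

Run `check_response` on a response captured from your IdP's test or preview feature (which is usually unencrypted, so the NameID and attribute checks apply) and then on a real encrypted response (where only the Destination, signature presence and RSA-OAEP checks apply). The attribute and NameID checks can only see a plaintext assertion, which is why both sample shapes are included.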

Enable SAML connection

After configuration, enable and manage your SAML connection:

  1. Set the Enabled toggle to On.

  2. Optionally configure additional settings:

    • Strict mode: Set to On to disable user invitations, requiring all users to sign in via SAML.

    • Auto-provisioned: Set to On to automatically add new users with approved domain emails to your tenant.

Enabled must be On for SAML to function; Strict mode and Auto-provisioned only take effect while Enabled is On.

Enable Okta SSO integration (optional)

To enable SSO through Okta by connecting your SAML configuration to the Okta tile application:

  1. Complete the SAML setup process above.

  2. Select the vertical ellipsis (⋮) on your SAML connection, then select View to open the summary page.

  3. Copy the Service provider assertion consumer service URL.

  4. Follow Okta’s documentation for creating a custom app integration: Create SAML custom app integrations.

  5. When configuring the app in Okta, paste the copied URL into the Single sign-on URL field.

  6. Complete the setup in Okta.

You may notice a brief authentication redirect (about half a second) during sign-in. This is expected behavior when Okta SSO is enabled.

Manage SAML configuration

Use the ellipsis menu next to any connection to edit or remove it.

Removing a SAML connection is irreversible.