Configure SAML SSO
Single Sign-On (or SSO) allows you to manage your organization’s entire membership via a third-party provider.
GitGuardian supports the SAML2 standard for SSO which allows the Owner or any Manager, of the workspace to configure any SAML2-enabled Identity Provider (IdP) system (Google, Okta,...).
Set up SSO
To configure your SSO, navigate to Settings > Authentication.
Detailed set up procedures are available for the following IdP:
For all other SAML2-enabled IdP, you can follow the generic procedure.
Just-In-Time (JIT) provisioning
GitGuardian supports Just-In-Time (JIT) provisioning. New members of your workspace are automatically registered with GitGuardian on their first login attempt with SAML2 SSO if they are authorized on the IdP side.
You don't need to invite users manually. You just need to authorize them on the IdP's side by being part of the "GitGuardian group". Users who are not part of the GitGuardian group on the IdP side will be rejected during their attempt to sign in via SSO.
GitGuardian does not support JIT deprovisioning yet but you can use the SCIM to automatically deprovision your users.
Default access level
Because GitGuardian uses Just-In-Time (JIT) provisioning, new members will be given a default access level upon their first login.
"Member" is the default setting. You can modify this default in your Authentication settings page.
If you selected "Member" as the default access level and your workspace is under the Business plan, you must also configure whether new Members will be part of the "All-incidents" team or not upon sign up. This option is available in Business plan.
Force SSO
Once you have successfully set up an SAML2 SSO integration, in your Authentication settings page, you have the option to force the SSO:
- If the option is turned ON, all the members of your workspace will have to go through your IdP in order to be able to access your GitGuardian workspace. Thus, only the users you have authorized on your IdP’s side will be able to sign into your GitGuardian workspace. If you want to activate the option, you will have the possibility to visualize the users that may encounter an issue.
- If the option is turned OFF, members of your workspace can still login via SSO, going through your IdP, but they can also sign up via email. As a result, users that are not whitelisted on the IdP side can still login to your GitGuardian workspace.
Once SSO is forced, all the members of the workspace, including the owner, will have to connect using SSO. If the owner has never connected with SSO, you will not be able to activate the option.
Make sure that your SSO connection works before enforcing SSO. In case of issues, you can contact the support team for assistance.
Set up procedures
Google
- First, go to the Google Admin Console, and create a new custom SAML app.
- You will land on this page, where you can set your app name and general information for your SAML app that users will see when logging in.
- Click on "Continue". Now, you need to configure the Identity Provider in your GitGuardian dashboard. Use these values provided by Google:
Entity Id
field is filled with theEntity ID
Single Sign-On URL
field is filled with theSSO URL
X509 Cert
field is filled with the certificate from Google. Download it, usecat
and copy/paste the plaintext value.- On the GitGuardian dashboard, ensure that the checkbox "I have specified that the response assertions with RSA_SHA256 as signature algorithm and SHA256 as digest algorithm" is unchecked.
- Click on "Continue". You can now configure the Service Provider details provided by GitGuardian within Google:
ACS URL
field is filled with theACS URL
value.Entity ID
field is filled with theSP Entity id
value.Signed Response
must be checkedName ID format
must be set toEMAIL
Name ID
must be set toBasic Information > Primary Email
- Now, some mappings need to be done, they are quite straightforward:
first_name
is mapped to the user first namelast_name
is mapped to the user last name
- Finish your app configuration by clicking on "Finish". You might need to modify the SAML app user access, which is OFF for everyone by default.
Okta
- First, go to https://$YOUR_OKTA_DOMAIN-admin.okta.com/admin/apps/add-app, then click on "Create New App".
- You will land on this page, where you can set the general information for your SAML app that users will see when logging in.
- Click "Next". You can now configure basic settings:
Single sign on URL
field is filled with theACS URL
value on GitGuardian dashboard.Audience URI (SP Entity ID)
field is filled with theSP Entity ID
value on GitGuardian dashboard.Default RelayState
is left blankName ID format
must be set toEmailAddress
- Click on "Show Advanced Settings". Here make sure that both
Response
andAssertion Signature
are signed, and thatSignature
andDigest Algorithm
are respectively set toRSA-SHA256
andSHA256
. Assertions are not encrypted. - Now, some straightforward mapping needs to done:
first_name
is mapped the user first namelast_name
is mapped the user last name
- Finish your app configuration.
- Finally, we need to configure the Identity Provider in GitGuardian dashboard. First, click on "View Setup Instructions", then use these values:
Entity Id
field is filled with theIdentity Provider Issuer
Single Sign-On URL
field is filled with theIdentity Provider Single Sign-On URL
X509 Cert
field is filled with theX.509 Certificate
Auth0
- First, go to your dashboard, select "Application", and click on "Create Application"
- Choose "Regular Web Applications" as type and a name.
- Go to your application addons. Click on "SAML2 Web App" and then on "Settings"
- Fill the
Application Callback URL
with theACS URL
provided in GitGuardian dashboard. - Then, copy-paste these settings to configure mappings, name identifier and message signatures:
{
"mappings": {
"given_name": "first_name",
"family_name": "last_name"
},
"signatureAlgorithm": "rsa-sha256",
"digestAlgorithm": "sha256",
"signResponse": true,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
],
"includeAttributeNameFormat": "false"
}
- Finally, we need to configure the Identity Provider in GitGuardian dashboard. First, click on "Usage", then use these values:
Entity id
field is filled with theIssuer
valueSingle Sign-On URL
field is filled with theIdentity Provider Login URL
valueX509 Cert
field is filled with the plain text value of the Identity Provider Certificate- Ensure that the checkbox "I have specified that the response assertions with RSA_SHA256 as signature algorithm and SHA256 as digest algorithm" is unchecked.
Microsoft Entra ID
- First, go to the Microsoft Entra admin center, click on "Add enterprise application" at the bottom of the page, then "Create your own application".
- In the new panel that appears on the right, provide a name (e.g. "GitGuardian") and select "Integrate any other application you don't find in the gallery (Non-gallery)". Finally, click on the "Create" button.
- After a few seconds, you will be redirected to your newly created application. Click on "Set up single sign on" and choose the SAML sign-on method.
- Now, you need to configure the Service Provider in Microsoft Entra ID. Click on Edit in the "Basic SAML Configuration" box. Use these values:
Identifier (Entity Id)
field is filled with theSP Entity ID
value on GitGuardian dashboard.Reply URL (Assertion Consumer Service URL)
field is filled with theACS URL
value on GitGuardian dashboard.
Don't forget to click on "Save".
- Now, some mappings need to be done. Select 'Edit' on the 'Attributes & Claims' box. Click on 'Add new claim'. Leave 'Namespace' empty and use these values:
- Name:
first_name
+ Source attribute:user.givenname
Don't forget to click on "Save". - Name:
last_name
+ Source attribute:user.surname
Don't forget to click on "Save".
- Name:
- You also need to make sure that the Unique User Identifier (Name ID) claim is set to user.mail.
- Then, setup how responses and assertions are signed: Select 'Edit' on the 'SAML Certificates' box and choose 'Sign SAML response and assertion' as Signing Option and 'SHA-256' as Signing Algorithm:
- Now, you need to configure the Identity Provider in GitGuardian dashboard. Use these values:
Entity Id
field is filled with theMicrosoft Entra Identifier
Single Sign-On URL
field is filled with theLogin URL
X509 Cert
field is filled with the certificate. Download the Base64 certificate, usecat
and copy/paste the plaintext value.
- Test your app configuration by clicking on "Test".
Duo
- Configure an Authentication Source for Single Sign-On in the Duo Dashboard. Ensure that
FirstName
andLastName
are provided as attributes as described in the Duo documentation. - From the "Applications" tab, click on "Protect an Application", and choose to protect a "Generic Service Provider" with "2FA with SSO hosted by Duo (Single Sign-On)"
- Map the following from the Duo Generic Service Provider values into the GitGuardian dashboard:
Duo values | GitGuardian configuration |
---|---|
Entity ID | Entity ID |
Single Sign-On URL | Single Sign On URL |
Certificate contents | X509 Cert |
- Map the following from the GitGuardian dashboard into the Duo Generic Service Provider configuration:
Duo Service Provider configuration | GitGuardian values |
---|---|
Service Provider Entity ID | SP Entity id |
Assertion Consumer Service | ACS URL |
- In the SAML Response section, add the following mapping in "Map attributes"
IdP Attribute | SAML Response Attribute |
---|---|
First Name | first_name |
Last Name | last_name |
- Give the Service Provider configuration a recognizable name, such as "GitGuardian".
- Save.
Keycloak
Navigate to "Realm Settings" under the "General" tab in Keycloak, and copy the 'SAML 2.0 Identity Provider Metadata'. For example:
https://$YOUR_KEYCLOAK_DOMAIN/realms/master/protocol/saml/descriptor
.Go to the "Keys" tab, and click on the 'Certificate' button next to the RS256 algorithm. Copy the displayed certificate.
To configure the Identity Provider in the GitGuardian dashboard, use the following values:
- The
Entity Id
field should be filled with the Keycloak SAML 2.0 Identity Provider Metadata URL, excluding/protocol/saml/descriptor
from the end. Example:https://$YOUR_KEYCLOAK_DOMAIN/realms/master
. - The
Single Sign-On URL
field should include the Keycloak SAML 2.0 Identity Provider URL, excluding/descriptor
from the end. Example:https://$YOUR_KEYCLOAK_DOMAIN/realms/master/protocol/saml
. - In the
X509 Cert
field, paste the certificate copied in the previous step.
- The
To configure the "Client" (Service Provider) in Keycloak:
- Navigate to the Clients menu and click on 'Create client'. Use the following values:
- Set the
Client type
field toSAML
. - Fill the
Client ID
field with theSP Entity ID
from the GitGuardian dashboard.
- Set the
- Click on 'Next', then:
- Fill the
Home URL
field with the URL of your GitGuardian dashboard. For example:https://dashboard.gitguardian.com
(SaaS) orhttps://gitguardian.mycorp.local
(Self-Hosted). - Fill the
Valid Redirect URIs
andMaster SAML Processing URL
fields with theACS URL
.
- Fill the
- Navigate to the Clients menu and click on 'Create client'. Use the following values:
Click on 'Save', then configure these settings on the newly created client:
- In 'SAML capabilities', set the
Name ID Format
toemail
. - Set
Force POST Binding
andInclude AuthnStatement
toON
. - In 'Signature and Encryption', set
Sign documents
andSign assertions
fields toON
. Signature algorithm
should beRSA_SHA256
.- Set
SAML signature key name
toNONE
. - In 'Logout settings', set
Front Channel Logout
toON
. - Click on 'Save'.
- In the 'Keys' tab, set
Client signature required
toOFF
.
- In 'SAML capabilities', set the
Still in the same client, under the 'Client scopes' tab, edit the 'Dedicated scope and mappers for this client' and configure a new mapper for the first name:
- Choose
User Property
as theMapper Type
. - The
Name
field should befirstName
. - The
Property
field should befirstName
. - Set the
SAML Attribute Name
tofirst_name
and theSAML Attribute NameFormat
toBasic
.
- Choose
For the last name, create a second mapper:
- Again, select
User Property
for theMapper Type
. - The
Name
field should belastName
. - The
Property
field should belastName
. - Set the
SAML Attribute Name
tolast_name
and theSAML Attribute NameFormat
toBasic
.
- Again, select
In the "Client Scopes" tab, note the 'Assigned Default Client Scopes'. For example,
role_list
.Edit the client scope(s) listed in the previous step by navigating to the "Client Scopes" menu. Go to the "Mappers" tab, edit the Role list mapper, and ensure the
Single Role Attribute
field is set toON
.Finalize your setup by testing the SSO authentication using the
Login URL
provided in the GitGuardian dashboard SAML configuration page.
Generic procedure for SAML2-enabled IdP
1. Register GitGuardian on your Identity provider.
In order to integrate GitGuardian with your Identity Provider, you must first register GitGuardian (Service Provider) as an application on the IdP’s side. Follow these steps carefully:
- Navigate to Settings > Authentication
- Click on "Configure"
- On your IdP:
- Fill in the SAML endpoint provided by GitGuardian (ACS url, SP Entity id)
- Fill in Email or EmailAddress as the primary identifier (Name ID format).
Refer to our FAQ if this Name ID format is not available in your IdP. - Set RSA_SHA256 for the signature algorithm, and SHA256 for the digest algorithm for your response.
Some Identity Providers (IdPs) may require you to sign either the response message or the response assertions. GitGuardian provides the ability to specify this IdP behavior.
Note that at least one of these, either the response message or the response assertions, must be signed. - Configure
first_name
andlast_name
mapped attributes.
2. Register your IdP on GitGuardian’s side
Once GitGuardian is registered as an application on your IdP’s side, you need to provide your IdP metadata fields on GitGuardian (Service Provider side) in order to complete the integration:
- While still on the Authentication config page of your workspace settings, complete the form with:
- Entity Id [required]
- Single Sign On Url [required]
- Single Log Out Url [optional]
- X509 certificate [required]
- Submit the form to fully register the SAML integration.
- The setup is complete. Your workspace will have a dedicated SSO login url for your collaborators to sign in using your IdP.
You can register this SSO login url on the IdP side to enable the SSO flow with one click directly in the IdP interface. However this IdP-Initiated flow carries a security risk and is therefore NOT recommended. Make sure you understand the risks before enabling IdP-initiated SSO.
FAQ
How to verify that my SSO connection is working?
If you have not reserved an email domain, please remember your SSO login URL.
- Make sure to know your login credentials, i.e., your
email
andpassword
. - Log out of the application.
- Go to the SSO login URL, and log in by selecting the SSO option.
For additional security purpose, GitGuardian will ask you to submit your email and password to confirm your identity.
My Identity Provider (IdP) does not support "emailAddress" as the Name ID format. What do I do?
If your IdP does not support emailAddress
as the Name ID format, please contact us. We will allow you to use unspecified
as the Name ID format.
When using unspecified
as the Name ID format, you must ensure that you send the email addresses of your IdP users as an email_address
attribute. This is mandatory, as email is the unique identifier that GitGuardian uses for its users.
I want to configure MFA for GitGuardian. What do I do?
Combining SSO with MFA is more secure than using a simple SSO connection.
Leverage the MFA feature provided by all the SSO providers we support. We strongly advise that you enable the Force SSO setting to ensure that through SSO authentication, MFA is applied to all users authenticating to GitGuardian.