CodeSignal supports single sign-on (SSO), so your users can access your organization's CodeSignal account through your identity provider of choice.
If you are using a popular Identity Provider (IdP), such as Okta, OneLogin, or Google, please check out the following articles for provisioning:
- Configuring SSO with Google G Suite
- Configuring SSO with Microsoft Azure
- Configuring SCIM User Provisioning with Okta
- Configuring SCIM User Provisioning with OneLogin
- Enabling Just-in-Time Provisioning with SSO/SAML Integration
Before you can start using single sign-on for CodeSignal, you will need to contact support@codesignal.com to configure it for your account and enable it for the users who will need it.
SAML 2.0
Supported Flows
- Single sign-on initiated by the Identity Provider
The following values need to be provided in order to configure single sign-on with SAML 2.0:
- SAML 2.0 Endpoint: This is the URL of your Identity Provider that will be used to log in to CodeSignal.
- Identity Provider Issuer: This is the Entity ID of your Identity Provider that will be used to identify your organization on CodeSignal.
- X.509 Certificate: This is a certificate provided by your Identity Provider that serves as a public key.
Here are the values that you might need to configure your single sign-on application:
- Login Redirect URI: https://app.codesignal.com/sso/saml2.0/authenticate
- Service Provider Entity ID: https://app.codesignal.com
Additionally, please provide a list of user emails (lowercase) for whom you want the single sign-on to be enabled if you don't want to enable it for all users in your CodeSignal account.
Configuring nameID
CodeSignal uses urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress as the nameID format. When configuring nameID on the Identity Provider, make sure it matches the email address of a user on CodeSignal who belongs to the account you are configuring it for. The email address needs to be lowercase.
Note: Make sure that nameID remains in sync when you are making changes to user profiles in your Identity Provider. If a user doesn't have a valid nameID that matches their CodeSignal email address they will not be able to use single sign-on with CodeSignal.
Bindings
CodeSignal uses HTTP-POST binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST).
Questions? Email support@codesignal.com