Configuring Single Sign-On (SSO) with CodeSignal

CodeSignal supports single sign-on (SSO) for your users to easily access your organization's CodeSignal account through your identity provider of choice.

If you are using a popular Identity Provider (IdP), such as Okta, OneLogin, or Google, please check out the following articles for provisioning:

• Configuring SSO with Google G Suite
• Configuring SCIM User Provisioning with Okta
• Configuring SCIM User Provisioning with OneLogin
• Enabling Just-in-Time Provisioning with SSO/SAML Integration

Before you can start using single sign-on for CodeSignal you will need to contact support@codesignal.com to configure it for your account and enable it for users who will need to use it.

SAML 2.0

Supported Flows

• Single sign-on initiated by the Identity Provider

The following values need to be provided in order to configure single sign-on with SAML 2.0:

• SAML 2.0 Endpoint: This is the URL of your Identity Provider that will be used to log-in to CodeSignal.

• Identity Provider Issuer: This is the Entity ID of your Identity Provider that will be used to identify your organization on CodeSignal.
• X.509 Certificate: This is a certificate provided by your Identity Provider that serves as a public key.

Here are the values that you might need to configure your single sign-on application:

• Login Redirect URI: https://app.codesignal.com/sso/saml2.0/authenticate
• Service Provider Entity ID: https://app.codesignal.com

Additionally please provide a list of user emails for whom you want the single sign-on to be enabled if you don't want to enable it for all users in your CodeSignal account.

Configuring nameID

CodeSignal uses urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress as the nameID format. When configuring nameID on the Identity Provider, it should match the email address of a user on CodeSignal who belongs to the account you are configuring it for.

Note: Make sure that nameID remains in sync when you are making changes to user profiles in your Identity Provider. If a user doesn't have a valid nameID that matches their CodeSignal email address they will not be able to use single sign-on with CodeSignal.

Bindings

CodeSignal uses HTTP-POST binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST)

Questions? Email support@codesignal.com for assistance.