CodeSignal supports single sign-on (SSO) for your users to easily access your organization's CodeSignal account through Microsoft Azure or your identity provider of choice.
If you are using an Identity Provider (IdP) such as Okta, OneLogin, or Google, please check out the following articles for provisioning:
- Configuring SSO with Google G Suite
- Configuring SCIM User Provisioning with Okta
- Configuring SCIM User Provisioning with OneLogin
- Enabling Just-in-Time Provisioning with SSO/SAML Integration
Before you can start using single sign-on for CodeSignal, you will need to contact support@codesignal.com to configure SSO for your account and enable it for the users who will need it.
SAML 2.0
Supported Flows
- Single sign-on initiated by the Identity Provider
The following values need to be provided in order to configure single sign-on with SAML 2.0:
- SAML 2.0 Endpoint: This is the URL of your Identity Provider that will be used to log in to CodeSignal.
- Identity Provider Issuer: This is the Entity ID of your Identity Provider that will be used to identify your organization on CodeSignal.
- X.509 Certificate: This is a certificate provided by your Identity Provider that serves as a public key.
Here are the values that you might need to configure your single sign-on application:
- Login Redirect URL: https://identity.codesignal.com/auth/sso/saml/authenticate
- Service Provider Entity ID: https://app.codesignal.com
Additionally, please provide a list of user emails (lowercase) for whom you want the single sign-on to be enabled if you don't want to enable it for all users in your CodeSignal account.
Configuring nameID
CodeSignal uses urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress as the nameID format. When configuring nameID on the Identity Provider, it should match the email address of a user on CodeSignal who belongs to the account you are configuring it for. The email address needs to be lowercase.
Note: Make sure that nameID remains in sync when you are making changes to user profiles in your Identity Provider. If a user doesn't have a valid nameID that matches their CodeSignal email address they will not be able to use single sign-on with CodeSignal.
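A pre-flight check for the values above, as an added example that is not CodeSignal's code: it lints a decoded SAML Response from your IdP for the nameID format, lowercase email, issuer, and the two service provider values. Assumptions: the function names, the sample tenant ID and email are constructed, and mapping the Login Redirect URL to `Destination` and the Service Provider Entity ID to `Audience` follows common SAML practice rather than anything this page states.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"
ACS_URL = "https://identity.codesignal.com/auth/sso/saml/authenticate"  # Login Redirect URL
SP_ENTITY_ID = "https://app.codesignal.com"                             # Service Provider Entity ID
SAMPLE_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # constructed

def lint_response(xml_text, expected_issuer, enabled_emails):
    """List configuration problems in a decoded SAML Response.
    Lint only: it does not verify the signature against the X.509 certificate."""
    root = ET.fromstring(xml_text)
    problems = []
    # Assumption: the IdP posts to the Login Redirect URL, so Destination should equal it.
    if root.get("Destination") != ACS_URL:
        problems.append("Destination is not the Login Redirect URL")
    issuer = root.findtext("saml:Assertion/saml:Issuer", default="", namespaces=NS)
    if issuer.strip() != expected_issuer:
        problems.append("Issuer differs from the Identity Provider Issuer")
    # Assumption: the audience is the Service Provider Entity ID.
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not include the Service Provider Entity ID")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        return problems + ["Subject has no NameID"]
    value = (name_id.text or "").strip()
    if name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    if value != value.lower():
        problems.append("NameID is not lowercase")
    if value not in enabled_emails:
        problems.append("NameID matches no SSO-enabled email")
    return problems

def sample_response(name_id, fmt):
    """Constructed sample Response (unsigned, trimmed to the checked fields)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ACS_URL}"><saml:Assertion>
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    users = {"jane.doe@example.com"}
    bad = sample_response("Jane.Doe@example.com",
                          "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    for problem in lint_response(bad, SAMPLE_ISSUER, users):
        print("FAIL:", problem)
```

To use it on a real response, base64-decode the `SAMLResponse` form field captured from a test login and pass the resulting XML as `xml_text`.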
Bindings
CodeSignal uses HTTP-POST binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST).
Please note that admin access to CodeSignal is required in order to finalize the SSO configurations under the MY COMPANY SETTINGS tab.
- Identity Provider SSO Login URL (needs to be IdP-initiated instead of SP-initiated). This typically appears as follows: "https://myapps.microsoft.com/signin..."
  To find this URL you should be able to go to https://myapps.microsoft.com/, log in, and then find the Entra ID app you've set up for CodeSignal there. Right-click it and copy the URL it's pointing to. It should look something like https://launcher.myapps.microsoft.com/api/signin/<app_id>?tenantId=<tenant_id>.
  Note: This URL is for the SSO settings in CodeSignal only. In Entra ID, under the Basic SAML Configuration settings, you should not specify any sign-on URL, as this is not necessary and will result in an error if you do.
- Identity Provider Issuer, which typically appears as follows: "https://sts.windows.net/<id>/"
- The X.509 Certificate generated
Once complete, please contact support@codesignal.com to confirm the following for us:
- What is the owned email domain with which you would like us to associate this?
- Would you like us to enable JIT for your organization?
Questions? Email support@codesignal.com