Mandatory SSO authentication
You can enable mandatory SAML SSO authentication for all workspace members for an additional layer of security. With this option enabled, users can access the workspace only if they sign in to the associated identity provider.
Enabling SAML SSO in a Buddy workspace allows its members to use their SSO provider's identities to sign in to Buddy. The SSO authentication can also be used by new users when creating new accounts.
To activate this feature, tick the box in the Single Sign-On tab of the workspace settings.
With mandatory SSO enabled, users can access Buddy's website, API, and Git services for the length of the configured SSO session (24 hours by default); once it lapses they must sign in to the identity provider again.
If mandatory SSO is not enabled, workspace members can still log in with their Buddy email and password, without going through the identity provider.
API and Git in SSO sessions
In workspaces with mandatory SSO, users' access to Git and the API is limited to 24 hours (by default) from the moment of their last login. In other words, a user has to sign in to Buddy through the browser at least every 24 hours in order to push to a repository or call an API method. A user removed from the identity provider loses access to the workspace once the current session expires, because they can no longer start a new one.
The session length can be changed by administrators in the workspace settings.
Mandatory SSO sessions apply to:
- Personal access tokens
- Buddy OAuth applications
- Repository access over HTTP (user/pass or token)
- Repository access over SSH (SSH key)
Script automation in SSO sessions
In some cases, signing in through the browser at fixed intervals is impractical. For example:
- when the Buddy API is used to automate tasks or fetch data, e.g. for a custom dashboard with pipeline statistics
- when the Git repository is cloned during a deployment to the server
To solve this, users in the workspace can be marked as robots. For such users the session never expires, so their Git and API requests run undisturbed. To mark a user as a robot, open their profile and select the option from the dropdown menu. Note that this turns the robot's personal access tokens and SSH keys into effectively long-lived credentials, so give robot users only the permissions their automation needs.
WARNING: Removing a user marked as a robot from the SSO service does not remove their API and Git access. Such a user must be removed from the Buddy workspace manually, so include robot accounts in your offboarding checks.
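The two sections above (the 24-hour limit on API and Git access, and the dashboard-style automation that runs into it) are illustrated by the following script. It is an added example, not Buddy's own code or documentation. It assumes the Buddy REST API base URL https://api.buddy.works, Bearer-token authentication with a personal access token, the endpoint GET /workspaces/{domain}/projects/{project}/pipelines with a pipelines list carrying a last_execution_status field, and that a token whose mandatory-SSO session has lapsed is rejected with HTTP 401 or 403. None of those details come from this page. The default transport is a constructed fake so the script runs offline; set BUDDY_TOKEN to use the real API.

```python
"""Fetch pipeline statistics for a dashboard with a personal access token,
treating an expired mandatory-SSO session as a distinct, actionable failure.

Added example, not Buddy's code. ASSUMED (not stated on the page): API_BASE,
Bearer auth, the pipelines endpoint and its response shape, and that an
expired SSO session surfaces as HTTP 401/403.
"""
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.buddy.works"  # assumed base URL


class SsoSessionExpired(Exception):
    """The token's owner must sign in through the browser again, or the
    automation must run as a user marked as a robot."""


def http_transport(url, token):
    """Real transport: returns (status, body_text) for a GET with a Bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed sample response so the example runs without network access.
FAKE_PIPELINES = {
    "pipelines": [
        {"name": "build", "last_execution_status": "SUCCESSFUL"},
        {"name": "deploy", "last_execution_status": "FAILED"},
        {"name": "nightly", "last_execution_status": "SUCCESSFUL"},
    ]
}


def fake_transport(url, token):
    """Fake transport: 'live-token' behaves like a token whose owner signed in
    within the session window; any other token like one whose session lapsed."""
    if token == "live-token":
        return 200, json.dumps(FAKE_PIPELINES)
    return 401, json.dumps({"errors": [{"message": "Unauthorized"}]})


def pipeline_stats(domain, project, token, transport=fake_transport):
    """Return {'total': n, 'by_status': {...}} or raise SsoSessionExpired."""
    url = f"{API_BASE}/workspaces/{domain}/projects/{project}/pipelines"
    status, body = transport(url, token)
    if status in (401, 403):
        raise SsoSessionExpired(
            f"HTTP {status} from {url}: token rejected. In a mandatory-SSO "
            "workspace this happens once the owner's session (24h by default) "
            "has lapsed; sign in via the browser again or run as a robot user."
        )
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}: {body[:200]}")
    pipelines = json.loads(body).get("pipelines", [])
    counts = {}
    for p in pipelines:
        s = p.get("last_execution_status", "UNKNOWN")
        counts[s] = counts.get(s, 0) + 1
    return {"total": len(pipelines), "by_status": counts}


def session_is_live(domain, project, token, transport=fake_transport):
    """Cheap pre-flight for a deployment job: is this token still usable?"""
    try:
        pipeline_stats(domain, project, token, transport)
        return True
    except SsoSessionExpired:
        return False


if __name__ == "__main__":
    token = os.environ.get("BUDDY_TOKEN", "live-token")
    transport = http_transport if "BUDDY_TOKEN" in os.environ else fake_transport
    try:
        print(pipeline_stats("my-workspace", "my-project", token, transport))
    except SsoSessionExpired as e:
        print("dashboard refresh skipped:", e)
```

The point of separating SsoSessionExpired from other HTTP errors is operational: a 401 from a token that worked yesterday is not a bug in the script, it is the 24-hour SSO window closing, and the remedy (a browser login by the token's owner, or moving the job to a robot user) is different from a retry. The session_is_live pre-flight is the same check a deployment job can run before attempting a Git clone.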