Mandatory SSO authentication

You can enable mandatory SSO authentication for all workspace members for an additional layer of security. With this option enabled, users can access the workspace only if they sign in to the associated identity provider.

To activate this feature, tick the box in the Single Sign-On tab in the workspace settings:

[Image: Enabling mandatory SSO]

Hint
With mandatory SSO enabled, users can access Buddy's website, API, and Git services for the configured session duration (24 hours by default).

Warning
If mandatory SSO is not enabled, workspace members can still log in using their Buddy email and password.

API and Git in SSO sessions

In workspaces with mandatory SSO, a user's access to Git and the API is limited to 24 hours from the moment of their last login. In other words, the user has to sign in to Buddy via the browser every 24 hours in order to push to the repository or call an API method. A user removed from the SSO will permanently lose access to the workspace after the selected period of time.

The length of access can be modified by administrators in the workspace settings:

[Image: Setting session duration]

Mandatory SSO sessions apply to:

  1. Personal access tokens
  2. Buddy OAuth application
  3. Repository access over HTTP (user/pass or token)
  4. Repository access over SSH (SSH key)

Script automation in SSO sessions

In some cases, having to log in manually through the browser at regular intervals can be problematic. For example:

  1. when we use the Buddy API to automate tasks or fetch data, e.g. for a custom dashboard with pipeline statistics
  2. when the Git repository is cloned during the deployment to the server

To solve this, users in the workspace can be 'marked as robots'. For such users, the session never expires, allowing you to run Git and API requests undisturbed. To mark a user as a robot, go to their profile and select the option from the dropdown menu:

[Image: Marking user as robot]

Danger
WARNING: Removing a user marked as robot from the SSO service doesn't remove their API and Git access permissions. Such a user needs to be manually removed from the Buddy workspace.
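
The offboarding check implied by the session rules and the warning above, as an added example that is not part of Buddy's documentation or API: it compares a workspace member list with the identity provider's user list and reports who still has Git and API access. The field names (email, robot, last_login) and all sample records are constructed assumptions, not Buddy export formats.

```python
from datetime import datetime, timedelta, timezone

def residual_access(members, idp_emails, now, session_hours=24):
    """List workspace members absent from the IdP who can still use Git/API.

    members: dicts with hypothetical keys 'email', 'robot' and 'last_login'
    (timezone-aware datetime). session_hours is the workspace session duration.
    """
    idp = {e.lower() for e in idp_emails}
    findings = []
    for m in members:
        if m["email"].lower() in idp:
            continue  # can still renew the session through the IdP
        if m["robot"]:
            # Robot sessions never expire, so IdP removal changes nothing.
            findings.append({"email": m["email"], "expires": None,
                             "action": "remove from workspace manually"})
            continue
        expires = m["last_login"] + timedelta(hours=session_hours)
        if expires > now:  # session from the last browser login is still live
            findings.append({"email": m["email"], "expires": expires,
                             "action": "access lapses when session ends"})
    # Never-expiring accounts first, then soonest expiry.
    return sorted(findings, key=lambda f: (f["expires"] is not None,
                                           f["expires"] or now))

# Constructed sample data for illustration only.
NOW = datetime(2024, 9, 23, 12, 0, tzinfo=timezone.utc)
IDP_USERS = ["alice@example.com", "ci-bot@example.com"]
MEMBERS = [
    {"email": "alice@example.com", "robot": False,
     "last_login": NOW - timedelta(hours=2)},
    {"email": "bob@example.com", "robot": False,
     "last_login": NOW - timedelta(hours=20)},   # removed from IdP, session live
    {"email": "carol@example.com", "robot": False,
     "last_login": NOW - timedelta(hours=30)},   # removed from IdP, session over
    {"email": "deploy-bot@example.com", "robot": True,
     "last_login": NOW - timedelta(days=90)},    # removed from IdP, robot
    {"email": "ci-bot@example.com", "robot": True,
     "last_login": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    for f in residual_access(MEMBERS, IDP_USERS, NOW):
        print(f["email"], f["expires"] or "never expires", "->", f["action"])
```

Pass the workspace's configured session duration as session_hours if it has been changed from the 24-hour default.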

Last modified on Sep 23, 2024