SAML Single Sign-On (SSO) in Buddy

Enabling SAML SSO in a Buddy workspace allows its members to use their SSO provider's identities to sign in to Buddy. The SSO authentication can also be used by new users when creating brand new accounts.

SSO in Buddy works with any SAML-compliant identity provider. Read these documents to learn how to configure the integration with specific providers:

Only workspace administrators can configure SSO.

Generic SAML SSO configuration

Follow these steps to configure SSO for any SAML-compliant identity provider:

  1. Sign in to your Buddy workspace as an administrator and go to Workspace Settings > SSO.

Alternatively, use these links for cloud and on-premises versions respectively:
  2. Copy the values from these fields in Buddy and set them in your SAML-compliant identity provider:

    • SP Entity ID / Audience URI
    • ACS / SP Assertion Consumer Service / Single Sign-On URL

  3. Find these values in your identity provider and set them in Buddy:

    • SSO URL / SAML Endpoint / Identity Provider Single Sign-On URL
    • Issuer
    • Certificate

Workspace SSO configuration

  4. Click Test configuration and enable the SSO on success. Buddy will redirect you to the SSO provider's login page.
  5. Sign in to authenticate and enable SSO in your workspace.

If Buddy is unable to connect to the identity provider, make sure that both the signature and the digest methods match those used by the provider (some providers do not use the most popular RSA-SHA256 / SHA256 methods).
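One way to check the values exchanged in the steps above against what an identity provider actually sends, as an added example that is not Buddy's code or documentation: it parses a SAML Response with Python's standard library, compares Issuer, Audience and Destination with the values entered in Buddy, and flags signature or digest methods other than RSA-SHA256 / SHA256. All URLs and the sample response are constructed placeholders, and the script does not validate the signature itself.

```python
"""Inspect a SAML Response against the values configured in Buddy. Added
example (not Buddy's code): reads the XML only, does NOT verify the signature."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# RSA-SHA256 / SHA256: the methods the troubleshooting note calls most popular.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample: the IdP signs with RSA-SHA1/SHA1 instead of SHA256.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://buddy.example/sso/acs">
  <saml:Assertion>
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></ds:Reference>
    </ds:SignedInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://buddy.example/sso</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
# Values as entered in Buddy's SSO form (constructed placeholders).
EXPECTED = {"issuer": "https://idp.example.com/saml",
            "sp_entity_id": "https://buddy.example/sso",
            "acs_url": "https://buddy.example/sso/acs"}

def inspect_response(xml_text, expected):
    """Extract the fields Buddy's SSO form depends on and list mismatches."""
    root = ET.fromstring(xml_text)
    def get(path, attr=None):  # first matching element's attribute or text
        el = root.find(path, NS)
        return None if el is None else (el.get(attr) if attr else (el.text or "").strip())
    found = {"issuer": get("saml:Assertion/saml:Issuer"),
             "audience": get(".//saml:Audience"),
             "destination": root.get("Destination"),
             "signature_method": get(".//ds:SignatureMethod", "Algorithm"),
             "digest_method": get(".//ds:DigestMethod", "Algorithm")}
    checks = [("issuer", "issuer", "Issuer"), ("audience", "sp_entity_id", "Audience / SP Entity ID"),
              ("destination", "acs_url", "Destination / ACS URL")]
    found["problems"] = [f"{label} does not match the value configured in Buddy"
                         for key, exp, label in checks if found[key] != expected[exp]]
    if (found["signature_method"], found["digest_method"]) != (RSA_SHA256, SHA256):
        found["problems"].append("signature/digest methods are not RSA-SHA256/SHA256; "
                                 "select the provider's methods in Buddy's SSO settings")
    return found
```

Run it against a response captured from the browser's SAML trace to see which of the listed values disagrees before adjusting the Buddy or provider settings.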

Signing in & registration with SSO

Every workspace with SSO enabled has a dedicated page for signing in and registering new workspace members with the SAML identity provider:

The account that you create or sign in to is automatically connected to your SSO provider's identity. If you already have an account on Buddy, do not create a new account after authenticating in your SSO provider.

Workspace SSO entry point

Disconnecting Buddy account and SSO provider

You can remove the pairing between an SSO provider identity and a user account at any time. This helps users who, after authenticating in the identity provider, created a new account instead of signing in to their existing one through the SSO link. Alternatively, you can remove this user's account to force them to create a new one.

To disconnect a user from the SSO provider, go to the People tab, find the member you want to adjust, and select this option from the context menu:

Disconnecting a member from the SSO provider

Adjusting SSO configuration / disabling SSO

To reconfigure or disable the SSO, you must first disable it in the workspace. To do that, click the Disable SSO button. Disabling SSO disconnects all users from their identity provider. This means that all users will have to re-identify with the identity provider the next time they sign in to the Buddy workspace.

Disabling SSO

SSO and two-factor authentication (2FA)

To access SSO-enabled workspaces, users with active 2FA must authenticate in their identity provider and sign in with their 2FA-secured Buddy account.

The sign-in process follows this flow:

  1. The user authenticates in the workspace SSO provider.
  2. Upon successful authentication, the user is redirected to the Buddy sign-in screen.
  3. The user signs in using their Buddy account.
  4. The user confirms their identity with their selected 2FA authentication method: SMS or an app such as Google Authenticator.

This flow is valid for every workspace with SSO enabled, no matter the provider.

Read the security documentation to learn about 2FA in Buddy.

SSO and users with multiple workspaces

Users who belong to multiple workspaces must provide their username and password as the second step of sign-in after authenticating with the SSO provider. This is required to mitigate the risk of the SSO administrator gaining unwanted access to a user's private workspaces, and concerns only the workspaces where SSO is mandatory.

The sign-in process follows this flow:

  1. The user authenticates in the workspace SSO provider.
  2. Upon successful authentication, the user is redirected to the Buddy sign-in screen.
  3. The user signs in using their Buddy account.

If SSO has been activated in the workspace but is not mandatory, the user can still access the workspace using their email and password.

Authentication and sessions

When users want to access resources in a SAML SSO-enabled workspace, Buddy redirects them to the workspace's SSO provider to authenticate. After successful authentication, users are redirected back to Buddy, where they can access the requested resources.

The duration of an SSO session is 24 hours. After that time, users must re-identify themselves in the identity provider to continue.

The session timer starts whenever a user authenticates with the workspace's SSO provider in their browser. This means that the request to re-authenticate is not directly tied to the user signing in to Buddy, but rather to the user signing in to the workspace's SSO provider.
