Group synchronization

You can manage access to resources in Buddy directly from your SSO provider by enabling user and group synchronization in the workspace settings.

Hint
For now, group synchronization is restricted to OneLogin, with Okta currently in beta. Reach out to support@buddy.works if your company requires group synchronization from a specific SSO provider.

OneLogin configuration

Warning
This guide assumes that you have already configured the OneLogin SAML or OneLogin OIDC SSO application for Buddy and assigned it to your team members, as Buddy can only access groups with users added to a corresponding OneLogin application.
  1. The first step is configuring the OneLogin integration with Buddy.
  2. With the integration added, sign in to your OneLogin portal and assign users to groups that you want to reproduce in Buddy.
  3. Once everything is configured on the provider's side, go to the SSO settings in Buddy and click Enable users & groups synchronization. Ticking the box expands additional settings:

[Image: SSO group sync settings]

  • Integration – the integration used to authenticate Buddy in OneLogin
  • Application – the application used to configure SSO in Buddy
  • Provider group to receive admin rights in Buddy – the name of the group in the SSO provider whose members will receive admin rights in the workspace. Admin rights are removed from all users who do not belong to the selected group on the provider's side (with the exception of the workspace owner).
  • Remove unmatched groups (optional) – removes all groups in Buddy that are not matched with a group in the SSO provider. Removing a group in the provider will also remove it in Buddy. This option does not remove users from the workspace. Users who do not belong to any group are disconnected from the SSO provider and can be removed manually.
  4. Click Save changes to apply the settings and synchronize users.

Microsoft Entra group synchronization

Warning
This assumes that you have already set up Azure SAML SSO for your workspace and added users to the application in Azure.
  1. The first step is configuring the Azure integration with Buddy.
  2. With the integration added, sign in to your Azure portal and assign users to groups that you want to reproduce in Buddy.
  3. Once everything is configured on the provider's side, go to the SSO settings in Buddy and click Enable groups synchronization. Ticking the box expands additional settings:

[Image: Microsoft Entra group sync settings]

  • Integration – the integration used to authenticate Buddy in Azure
  • Application – the application used to configure SSO in Buddy
  • Unique User Identifier (Name ID) – the attribute used to identify users. Available options:
    • user.userprincipalname (default) – uses the user's User Principal Name
    • user.mail – uses the user's email address
    • user.objectid – uses the user's Object ID
  • Provider group to receive admin rights in Buddy – the name of the group in the SSO provider whose members will receive admin rights in the workspace. Admin rights are removed from all users who do not belong to the selected group on the provider's side (with the exception of the workspace owner).
  • Remove unmatched groups (optional) – removes all groups in Buddy that are not matched with a group in the SSO provider. Removing a group in the provider will also remove it in Buddy. This option does not remove users from the workspace. Users who do not belong to any group are disconnected from the SSO provider and can be removed manually.
  4. Click Save changes to apply the settings and synchronize users.

Hint
For Microsoft Entra group synchronization to work properly, you need to configure API permissions in Azure.
Go to Azure → Microsoft Entra ID → App registrations → select your application → Manage → API permissions and add the following Microsoft Graph scopes of Application permissions type:

  • Application.Read.All
  • Directory.Read.All

[Image: Microsoft Graph API permissions selection]

These permissions are required for Buddy to access and synchronize groups from your Microsoft Entra directory.
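
To confirm that the app registration requests exactly these two Application permissions and nothing broader, the following added example (not Buddy's or Microsoft's code) audits a `requiredResourceAccess` array such as the one returned by `az ad app show --id <app-id> --query requiredResourceAccess`. The sample manifest is constructed for illustration; the GUIDs are the Microsoft Graph identifiers for the named permissions.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
# Application-permission (app role) IDs for the two scopes listed above.
REQUIRED_ROLES = {
    "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30": "Application.Read.All",
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All",
}

def audit_permissions(required_resource_access):
    """Return (missing, extra) for an app's requiredResourceAccess list.

    missing: required permission names not requested with type "Role"
             (a delegated "Scope" entry does not satisfy the requirement).
    extra:   (resourceAppId, id, type) for every other requested permission,
             to be reviewed against least privilege.
    """
    found, extra = set(), []
    for resource in required_resource_access:
        app_id = resource.get("resourceAppId")
        for access in resource.get("resourceAccess", []):
            perm_id, perm_type = access.get("id"), access.get("type")
            if (app_id == GRAPH_APP_ID and perm_type == "Role"
                    and perm_id in REQUIRED_ROLES):
                found.add(REQUIRED_ROLES[perm_id])
            else:
                extra.append((app_id, perm_id, perm_type))
    missing = sorted(set(REQUIRED_ROLES.values()) - found)
    return missing, extra

# Constructed sample: Application.Read.All is present, but the app requests
# Directory.ReadWrite.All (application) instead of Directory.Read.All.
SAMPLE = json.loads("""
[{"resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [
    {"id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", "type": "Role"},
    {"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "type": "Role"}
  ]}]
""")

if __name__ == "__main__":
    missing, extra = audit_permissions(SAMPLE)
    print("missing:", missing)
    print("extra (review for least privilege):", extra)
```

`requiredResourceAccess` lists what the application requests; whether admin consent has been granted for those permissions is recorded separately in Entra.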

Automatic & manual synchronization

By default, synchronization runs:

  • automatically every 10 minutes
  • every time a new user registers to the workspace with SSO
  • on every change to SSO settings

You can also synchronize manually by clicking the Sync now link in the settings for immediate effect:

[Image: Manual sync option]

Warning
When synchronization is active, managing users, groups, and admin rights is restricted exclusively to your SSO provider (OneLogin, Okta, or Microsoft Entra). It is no longer possible to do it in Buddy.

Last modified on Aug 21, 2025