Single Sign-On (SSO) in Buddy

Enabling SSO in a Buddy workspace allows its members to use their SSO provider's identities to sign in to Buddy. The SSO authentication can also be used by new users when creating brand new accounts.

Hint
Only workspace administrators can configure SSO.

Single Sign-On in Buddy can be configured using either of two protocols:

  - SAML
  - OIDC

Signing in & registration with SSO

Every workspace with SSO enabled has a dedicated page for signing in and registering new workspace members with the identity provider:

https://app.buddy.works/WORKSPACE_URL_HANDLE/sso

Hint
The account that you create or sign in to is automatically connected to your SSO provider's identity. If you already have an account on Buddy, do not create a new account after authenticating in your SSO provider.

Workspace SSO entry point

Disconnecting Buddy account and SSO provider

You can remove the pairing between an SSO provider identity and a user account at any time. This is useful for helping users who created a new account instead of signing in to their existing one through the SSO link and authenticating in their identity provider. Alternatively, you can remove this user's account to force them to create a new one.

To disconnect a user from the SSO provider, go to the People tab, find the member you want to disconnect, and select this option from the context menu:

Disconnecting a member from the SSO provider

Adjusting SSO configuration / disabling SSO

To reconfigure or disable SSO, you must first disable it in the workspace by clicking the Disable SSO button. Disabling SSO disconnects all users from their identity provider. This means that all users will have to re-authenticate with the identity provider the next time they sign in to the Buddy workspace.

Disabling SSO

SSO and two-factor authentication (2FA)

To access SSO-enabled workspaces, users with active 2FA must authenticate in their identity provider and sign in with their 2FA-secured Buddy account.

The sign-in process follows this flow:

  1. The user authenticates in the workspace SSO provider.
  2. Upon successful authentication, the user is redirected to the Buddy sign-in screen.
  3. The user signs in using their Buddy account.
  4. The user confirms their identity with their selected 2FA authentication method: SMS or an app such as Google Authenticator.

This flow is valid for every workspace with SSO enabled, regardless of the provider.

Hint
Read the security documentation to learn about 2FA in Buddy.

SSO and users with multiple workspaces

Users who belong to multiple workspaces must provide their username and password as the second step of sign-in after authenticating with the SSO provider. This is required to mitigate the risk of unwanted access to the user's private workspaces by the SSO supervisor, and concerns only the workspaces where SSO is obligatory.

The sign-in process follows this flow:

  1. The user authenticates in the workspace SSO provider.
  2. Upon successful authentication, the user is redirected to the Buddy sign-in screen.
  3. The user signs in using their Buddy account.

Hint
If SSO has been activated in the workspace but is not mandatory, the user can still access the workspace using their email and password.

Authentication and sessions

When users want to access resources in an SSO-enabled workspace, Buddy redirects them to the workspace's SSO provider to authenticate. After successful authentication, users are redirected back to Buddy, where they can access the requested resources.

The duration of an SSO session is 24 hours. After that time, users must re-authenticate with the identity provider to continue.

The session timer starts whenever a user authenticates with the workspace's SSO provider in their browser. This means that the request to re-authenticate is not directly tied to the user signing in to Buddy, but rather to the user signing in to the workspace's SSO provider.
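The sign-in rules described on this page, as an added illustrative model in Python (not Buddy's own code): the step sequence a member goes through (2FA and multi-workspace cases from the sections above) and the 24-hour SSO timer anchored to the identity-provider authentication rather than the Buddy sign-in. The step names, the `via_sso` flag and the timestamps are constructed for the example; that 2FA also applies to a plain password sign-in is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed model of the rules on this page; not Buddy's own code.
SSO_SESSION_TTL = timedelta(hours=24)  # SSO session length stated on the page


@dataclass
class SsoSession:
    idp_authenticated_at: datetime                 # moment the user authenticated at the IdP
    buddy_signed_in_at: Optional[datetime] = None  # later Buddy account sign-in, if any


def sso_reauth_required(session: SsoSession, now: datetime) -> bool:
    """True when the member must go back to the identity provider.

    The 24 h timer is anchored to the IdP authentication, so a more recent
    Buddy sign-in (2FA or multi-workspace step) does not extend it.
    """
    return now - session.idp_authenticated_at >= SSO_SESSION_TTL


def sign_in_steps(sso_mandatory: bool, has_2fa: bool, workspace_count: int,
                  via_sso: bool = True) -> List[str]:
    """Ordered steps a member completes to reach an SSO-enabled workspace."""
    if not via_sso:
        if sso_mandatory:
            raise ValueError("SSO is obligatory in this workspace")
        steps = ["buddy_password"]  # non-mandatory SSO: email + password still works
    else:
        steps = ["idp_authentication"]
        # Active 2FA, or membership in several workspaces where SSO is
        # obligatory, adds the Buddy account sign-in as a second step.
        if has_2fa or (sso_mandatory and workspace_count > 1):
            steps.append("buddy_password")
    if has_2fa:  # assumption: 2FA is enforced on any Buddy account sign-in
        steps.append("2fa_code")
    return steps


def demo_timer() -> tuple:
    """Constructed timestamps: IdP auth at t0, Buddy sign-in 20 h later."""
    t0 = datetime(2024, 9, 19, 8, 0, tzinfo=timezone.utc)
    session = SsoSession(t0, buddy_signed_in_at=t0 + timedelta(hours=20))
    # At t0+23h the session is still valid; at t0+25h the IdP auth is too old,
    # even though the Buddy sign-in happened only 5 h earlier.
    return (sso_reauth_required(session, t0 + timedelta(hours=23)),
            sso_reauth_required(session, t0 + timedelta(hours=25)))


if __name__ == "__main__":
    print(sign_in_steps(True, True, 1))  # ['idp_authentication', 'buddy_password', '2fa_code']
    print(demo_timer())                  # (False, True)
```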

Last update: Sep 19, 2024