GitKraken offers a Single Sign On (SSO) option as an easy way to sign in to your account. This is only for use with the cloud versions of GitKraken, it is not available for the serverless options.
Once your organization has set up SSO with an Identity Provider (IdP), the Owner or an Admin on your GitKraken organization can link your organization to that identity provider. Then, any users associated with your IdP can login to GitKraken apps and services. 🎉
Note: You must have an active GitKraken Teams or Enterprise License to enable SSO
What is Single Sign On (SSO)?
The Wikipedia definition of SSO:
“Single sign-on is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.”
The above diagram depicts what a typical SSO setup entails. Here is some relevant terminology:
Directory Server: A Directory Server is an application that stores information about the “objects” that belong to an organization. An object is typically something like: printers, computers, shared folders, users, or groups. Some objects can contain other objects which then allows them to reflect hierarchical structures.
Examples of Directory Server applications are:
Identity Provider: An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information as well as provides authentication services to relying applications within a distributed network. An IdP provider stores 3 main components: Users, Groups, and Applications.
Examples of Identity Provider applications are:
The Identity Providers provide services that allow third party applications to authenticate their users. The authentication mechanism they provide is called “Oauth”, which allows third party applications to authenticate users without accessing/storing their password.
Third party applications: These are the applications that use IdP services to authenticate users. The end user is redirected to the IdP to instead login there. Then the Idp directs back to the 3rd party app to complete the login, confirming that the user is who they claim to be.
Examples of third party apps:
SSO in GitKraken
GitKraken is a 3rd party application in this scenario. You (or an Owner/Admin) setup which IdP(s) you want to use and we will use them to log them in. If your organization has already set up SSO with an IdP and in GitKraken, simply sign in and you are all set!
If you need to set up SSO for your GitKraken Organization see Setting up SSO on a GitKraken Organization
Supported Identity Providers
GitKraken may initiate an Oauth authentication flow with the following supported Identity Providers (IdPs):
Note: Your IdP(s) will first need to be configured before setting up the connection in GitKraken.
While we do not assist in setting up the identity provider, the example IdP setup section gives step-by-step instructions for what this typically looks like.
License Requirements
Single Sign On is available as part of the teams and enterprise plans.
Setting up SSO on a GitKraken Organization
First, some quick notes:
- SSO is set up at the Organization level. Each organization can have 0,1, or many identity providers connected simultaneously.
- SSO can only be set up by the Owner or by an Admin of the organization.
How to set up SSO:
-
Login and navigate to the organization you want to enable SSO for.
-
On the left menu click on SSO.
If you do not see the SSO option, confirm that: 1. You are logged in as the Owner or an Admin for this organization 2. Your organization has either a Teams or Enterprise subscription
- Click the
Enable SSO
checkbox and you will be presented with some additional fields:
Organization Domain Name: The domain that is used for everyone who wants to use SSO to login. Each user must have a matching domain in their email address and each user must be defined in the IdP.
There is only one domain allowed per GitKraken organization, and it must be unique. If your domain is already in use you can contact support for help.
JIT, Enable Just In Time Provisioning: This allows users in this domain to login with their email and be automatically provisioned a license. In order for a user to be automatically given a license:
- Just in time provisioning must be enabled (JIT option checked)☑.
- The user email must be part of the SSO domain on the IdP.
- There must be an available license on the GitKraken Organization.
When a user logs in for the first time using SSO, and all three of the above conditions are met, they will be automatically given a GitKraken license.
-
Click on to store the SSO configuration. Once this is completed you will see the button appear.
-
Click the button to set up the connection between your GitKraken Organization and the Identity Provider. You will now be able to configure the connection using Metadata.
Add SSO Connection using Metadata
Click on and you will see the following fields:
- Identity Provider: choose a supported provider from the drop-down.
- IdP Metadata URL /IdP Metadata: depending on the IdP we can use one or both of these options for setting up the SSO connection.
- Don’t enable this connection immediately ✅ by default new connections are automatically enabled. This checkbox will create the connection but users will not be able to login using SSO with this IdP until it is enabled.
Example 1: setting up Okta
Okta is configured using a metadata file.
- Access your Okta instance.
- Navigate to the Application that you want to use. See our Okta example for an example of how to make one.
- Click on “Sign on” and scroll down to SAML Signing Certificates:
- Notice that there is just one Active. Click on Actions for the active certificate.
- Click on Download certificate and you will be prompted with an xml file.
- Copy this file content and paste it into the IdP metadata field in the SSO Create Connection form.
- Click on . Optionally, you can check “Don’t enable this connection immediately” to not automatically enable this connection and prevent users from using it.
Example 2: setting up Azure Active Directory
Azure is configured using a metadata URL.
- Access to your Azure account, and go to Active Directory -> Enterprise Applications.
- Navigate to the application that you want to use. See our Azure Active Directory example for an example of how to make one.
- On the left menu select Single Sign-on.
- Scroll down to the section: SAML Signing Certificate.
- Copy the App Federation Metadata Url.
- Paste this URL into the Idp metadata URL field in SSO Create Connection:
- Click on . Optionally, you can check “Don’t enable this connection immediately” and choose to later enable it.
Note: “Just in time provisioning” is either turned on or turned off for all connections in the Organization.
Logging in using SSO
When logging into GitKraken Desktop, GitLens, account.gitkraken.com , or anywhere else to access your GitKraken account, you will see the Sign In with SSO
option.
After clicking Sign in with SSO, the SSO form will open and ask for an email address to use for SSO login. Enter your email address and GitKraken will determine which SSO option(s) are available and present them to you. Click an option and you will be sent to the IdP login page to complete the process.
Example Identity Provider (IdP) setup instructions
Note: These are example instructions to help you with Identity Provider setup. In most cases all you will need from us is the callback URL: https://api.gitkraken.com/oauth/sso/callback. If you need assistance please contact your IdP administrator or consult the IdP documentation for help.
G Suite
How to Create SAML Application in G Suite:
-
Click on Apps and then Web and mobile apps.
- Click on Add app.
- Click Add custom SAML app.
- Type in your app name (such as GitKraken SSO).
- Copy your SSO URL and Certificate.
- Enter the callback URL
https://api.gitkraken.com/oauth/sso/callback
for ACS URL and Entity ID.
- Add desired attributes and click on Finish.
- Click on TEST SAML LOGIN.
- Click on ALLOW ACCESS.
- Select ON for everyone and save.
Now you are all set to setup your SSO on a GitKraken Organization
Azure Active Directory
How to create SAML application in Azure Active Directory:
- In a browser, go to Azure login portal.
- Enter your azure credentials and login.
- Go to Azure Active Directory from search bar.
- In the left menu click on Enterprise applications.
- Click on New application from the top of the page.
- Select Create your own application.
- Give your application name (such as “GitKraken SSO”) and select “Integrate any other application you don’t find in the gallery (Non-gallery)”.
- Select Single sign-on from the left sidebar and then choose SAML.
- Click the edit icon in the top right corner to configure SAML.
- Input the Entity ID URI and Reply URL. Both of these should direct to
https://api.gitkraken.com/oauth/sso/callback
for GitKraken SSO.
Now you are all set to setup your SSO on a GitKraken Organization
Okta
Note: Logging through Okta Dashboard is not supported.
How to Create SAML Application in Okta:
- In a browser go to the Okta login page.
- Enter your Okta credentials and login.
- Go to admin dashboard and select Applications in navigation bar.
- Click on Add Application.
- Select Create New App.
- Select SAML 2.0 as a Sign on Method and click to next button.
- Enter a name of application (such as “GitKraken SSO”).
- Configure SAML Integration. The Single sign on URL and Audience URI fields should direct to
https://api.gitkraken.com/oauth/sso/callback
.
Step 9: Scroll down to the attribute statement and fill in the optional fields.
Step 10: Select “I am an Okta customer adding an internal app” from option menu and then click to finish.
Now you are all set to setup your SSO on a GitKraken Organization
Ping Identity
How to Create SAML Application in Ping Identity
-
Create an account or sign in your existing one.
-
Go to the home page and click on Add Environment.
- Select the appropriate solution based on your need (in this guide, we use Customer solution) and click Next.
- Select PingOne SSO, then click Next.
- Type in your environment name (in TRIAL ENVIRONMENT NAME), then click Finish. Now your environment is created. Go ahead and click on it.
- Select Identities to add some users. Once you are done adding them click on Groups, and then click on the plus button to add a group. (Make sure to add users with their email addresses).
- Select Groups, then click on the plus button to add a group. Once you have that, you can add the users to your group.
- Select Connections.
- Click on the plus button.
- Enter a name for your application, then select SAML Application. Next click on the Configure button which appears once you select your application type.
- Select Manually Enter. Type in the URL for ACS URLs and Entity ID, then click on Save.
(URL:https://api.gitkraken.com/oauth/sso/callback
))
- Click on the toggle button so the users would have access to your application.
- Click on Attributes then add email as your new attribute.
- Time to add the group we created in Step 8.
- Select the pencil icon pictured below.
- Click on the plus icon to add the group, then click on Save.
- Go to the Configuration tab to copy your IDP Metadata URL and download your metadata (Download Metadata button).
- On app.gitkraken.com, go to your organization and click on SSO then click on Enable SSO. Type in your domain in Organization Domain Name with .com . Then click on Configure SSO Connection.
- Click on Add Using Metadata and type in a Connection name and from the Identity Provider select Ping Identity. Then use the IDP Metadata URL and Metadata from step 18 for IdP Metadata URL and IdP Metadata. Click on Create Connection
- Now the users who were added in step 7 can Sign in with SSO.