SAML SSO in organizations
English 日本語
GitHub

SAML SSO in organizations

Organization members can log into or sign up to Bitrise using their own SAML SSO provider’s system. With SAML SSO, organizations will be able to apply the security guidelines of their SAML SSO provider when accessing their Bitrise organization.

In this guide we cover the following topics:

Before connecting SAML SSO to your organization

Make sure:

  • you have a SAML SSO provider (Identity Provider) that you can connect Bitrise to.
  • your account on Bitrise has an organization. If it doesn’t have an organization, go ahead and create one. Setting up SAML SSO is the same for existing and brand new organizations on Bitrise.
  • as with other organization management actions, only the organization owner can set up SAML SSO to a Bitrise organization.

Setting up SAML SSO for a Bitrise organization

In this tutorial, we describe how organization owners can set up their SAML SSO and invite organization members to set up their own connections.

  1. Go to your organization’s Single Sign On tab on bitrise.io.
  2. Copy the Single Sign-On URL. You will need this URL to add Bitrise on your SAML SSO provider’s site.
  3. Log into your own SAML SSO provider.
  4. Add Bitrise using the copied Single Sign-On URL. You’re generating your Single Sign-On (SSO) credentials here which you will need in a minute on Bitrise.
  5. Add the generated SSO credentials to the Identity provider sign-on URL and Certificate fields on the Single Sign On tab.
  6. Click the Configure SSO button.

If you’ve completed the steps, you and org members should get a verification email about SAML SSO connected to the respective organization.

Enabling SAML SSO

Now that the org owner has set up SAML SSO, everyone in the organization has to enable SAML SSO before logging into their org via SAML SSO.

  1. Bitrise sends a verification e-mail to all organization members. This email contains a Sign In via SSO button and a URL. Org members are prompted to sign in to Bitrise by clicking the Sign In via SSO button or using the provided URL.

    The email also shows the org owner’s email address (should you need to contact him/her.)

  2. Now you are redirected to your SAML SSO provider’s site where you have to provide your email address associated with your Bitrise organization.

    If you provide a different Bitrise email address on your SAML SSO provider’s site which is not related to that particular organization, you will get the below error message. Log in with the right email address of the organization.

  3. You’re directed to the Allow "organization name" to sign you in page.

If all went well, you should be landing on our Bitrise Dashboard.

Checking SAML SSO statuses on Bitrise

Now that the org owner has set up SAML SSO for the organization and all org members (including the owner) have enabled their SAML SSO, everyone in the org can check their SAML SSO statuses. There are some extra features that only the org owner can access so we will show what org members and the org owner can see separately.

Organization owner

  1. Go to your organization’s profile page.

  2. Click Single Sign On on the left menu. This Single Sign On tab is only available for the org owner!

    You will see the Review Users and the Disable SSO buttons:

    /img/disable-saml.jpg

    Disable SSO disables SAML SSO for all org members. Once disabled, org members will be able to sign in with the regular sign-in procedure. Please note that an individual org member can only be disabled at your own SAML SSO provider’s site!

    Review Users takes you from the Single Sign On tab to the People tab where you can check the org member’s SAML SSO status.

Organization members

  1. Go to your organization’s profile page.
  2. Click People on the left menu.

  3. Check your (or other organization members’) SAML SSO status under Members.

About SAML SSO enforcement

Enforcing SAML SSO on your organization provides an extra layer of security: you can enforce your own security guidelines to your Bitrise organization (for example, password format requirements, two-factor authentication). This will make SAML SSO the only way for logging in/singing up to the organization. If you invite more org members to a SAML-enforced organization, they’ll have to enable their SAML SSO connection first to join the organization.

Enforcing SAML SSO on an organization

Once all org members have enabled their SAML SSO related to the organization, the owner can enforce SAML SSO on the organization with a simple toggle.

  1. Go to your organization’s Single Sign On tab.
  2. Toggle the switch to the right to enforce SAML SSO.

  3. Click Save Changes.

Can’t enforce SAML SSO on your organization?

In some cases the org owner cannot enforce SAML SSO on the organization because org members have not enabled their SAML SSO connection yet.

Logging in via SSO with a Bitrise account

If SAML SSO connection has been already added to your organization and you are currently logged out of Bitrise, you can easily log into your organization.

  1. Click Login via SSO on our login page.
  2. You will be redirected to the Initiate Single Sign-on page.
  3. Provide your organization name.
  4. Click Continue to log in. You will be redirected to your own SSO provider’s page.
  5. Provide your email address associated with the organization in Bitrise and follow your SAML SSO provider’s instructions.

Expired SAML SSO certificate

If your SAML SSO certificate has expired and you cannot log into Bitrise through SAML SSO, we advise you to contact our Support team, who will be happy to assist you

Logging in via SSO without a Bitrise account

If you do not have a Bitrise account yet and an org owner invites you to his/her organization via email, you can easily sign up to Bitrise and connect to the respective organization! Our Sign In via SSO email is organization-specific so you’re just a couple of clicks away from accessing the right Bitrise organization!

  1. Find the invitation email you got from Bitrise (letsconnect@bitrise.io) in your mailbox.

    (If you received an URL instead of an email from the org owner, have no fear! Opening the link in a new tab will take you to the Almost there... page. Follow the instructions there. You will receive a confirmation email from Bitrise which will include a link to complete the sign-up procedure.)

  2. Click Sign In via SSO or copy the provided URL in a new tab to acknowledge the connection. You will be redirected to your own SAML SSO provider’s site.
  3. Provide your email address. (It should be the same email address where you received the invitation.)
  4. Follow your SAML SSO provider’s instructions.
  5. You will be redirected to our Almost there... page.
  6. Provide a username you wish to use in Bitrise.
  7. Click Finish Signing Up to complete your sign up.

If all goes well, you land on our Bitrise Dashboard.

Disabling SAML SSO

Org owners can disable an established SAML SSO for the organization with a click of a button on the Single Sign On tab. Please note that if you delete someone from your IdP, you have to delete that org member from Bitrise as well.

Disabling an organization’s SAML SSO

  1. Go to the Single Sign On tab of your organization.

  2. Click Disable SSO.

    A confirmation pop-up appears where you can confirm/cancel your action. Please note that by clicking the Disable SSO button, you will disable SAML SSO for all organization members. Once it’s done, org members will be able to log in through their normal Bitrise credentials.

You will receive an SSO has been disabled email from Bitrise (letsconnect@bitrise.io) which confirms the disabled SAML SSO for the organization.

Disabling one org member’s SAML SSO

Please note if you click the x next to an org member’s name, you remove that person from the organization but his/her SAML SSO is yet to be disabled!

  1. Go to your SAML SSO provider’s site.
  2. Disable the org member there. Please note that if you fail to do this, the org member will able to re-authenticate again to Bitrise using the IDP connection.