bitrise.io

Setting up Azure AD SSO for Bitrise

Last updated at 2021-02-17

SAML SSO with Velocity and Enterprise Build plan

Please note that SAML SSO is only available for a Workspace with the Enterprise Build and Velocity plans.

Since the SAML SSO feature is tied to the above plans, if you decide to downgrade, you will lose this feature. All Workspace members will receive an email about the downgrade and you’ll have two weeks to re-upgrade if you wish to use SAML SSO in your Workspace again.

Before you start

Before connecting SAML SSO to your Workspace, make sure:

If you are a Workspace owner on Bitrise, you will have to use the Single Sign-On tab to set up a SAML SSO connection between your SAML SSO provider and your Bitrise Workspace.

  1. On your Bitrise Dashboard click your avatar, then click Profile settings in the dropdown.
  2. The Overview page displays all the Workspaces you’re a member of. Select the Workspace where you wish to set up the SAML SSO connection.
  3. On the left menu bar, click Single Sign-On, which takes you to the Enable Single Sign-On page.
  4. Continue with Adding Bitrise to Azure AD.

Adding Bitrise to Azure AD

  1. Log into Microsoft Azure as an admin.
  2. Click the Azure Active Directory icon on the Azure services page.
  3. Click Enterprise applications under Manage.
  4. Click New Application to add Bitrise as a new app to your account.
  5. Type Bitrise in the What’s the name of your app? field. The Integrate any other application you don’t find in the gallery button should be automatically selected. Hit Create. You will find your newly created app listed on the All Applications page.
  6. Click the Bitrise app to go to its Overview page.
  7. Continue with Configuring Bitrise as a SAML SSO app.

Configuring Bitrise as a SAML app

A more intricate part of the procedure is setting up SAML between the Bitrise app and Azure AD. We will be jumping back and forth between the Bitrise Workspace account and the Azure portal, so make sure both pages are available. In practice, this means the Workspace owner should be logged into Bitrise and the Azure AD admin should be logged into the Azure AD portal.

If you have followed the steps above, by now you should be on the Overview page of the added app where you can further configure your app.

Let’s do this!

Adding users/groups to the app on Azure AD

Before setting up SAML for the app, you have to add to the app in Azure AD all the users/groups who will use SAML SSO to log into the Bitrise Workspace. In other words, every Bitrise Workspace member must be added as a user in Azure AD.

  1. Select Users and groups from the left menu.
  2. Click + Add user/group.
  3. On the Users page of Add Assignment, select users from the list and click Select. Once it’s done, you can select a role for users under the Select a role dropdown.
  4. On the Add Assignment page, click Assign to finish adding users.

Setting up SAML SSO between Bitrise and Azure AD

  1. Click Single sign-on on the left menu. Select SAML.
  2. You will land on the Set up Single Sign-On with SAML page.
  3. Click the pencil symbol at Basic SAML Configuration to edit two fields.
  4. Add Bitrise as the Identifier (Entity ID). Leave this window open! We will come back to it with some information from Bitrise in a second.
  5. Head back to your Workspace on Bitrise.
  6. Click the Single Sign On tab and click the Copy Link button to copy the Assertion Consumer Service URL (ACS URL) from Bitrise.
  7. Let’s head back to the Basic SAML Configuration window of Azure AD.
  8. Paste the Assertion Consumer Service URL from Bitrise to the Reply URL field on the Basic SAML Configuration page of Azure AD.
  9. Click Save and close the Basic SAML Configuration window.
  10. On the Single sign-on page of Azure AD, scroll down to the Set up Bitrise section.
  11. Copy the Login URL and paste it to the SAML SSO provider Single Sign-On URL (SSO URL) field on Bitrise.
  12. On the Single sign-on page of Azure AD, scroll up a bit to the SAML Signing Certificate section.
  13. Click Download next to Certificate (Base64) to download the certificate to your local computer.
  14. Open the certificate file and copy and paste its content into the SAML SSO provider certificate field of Bitrise, or upload the file itself from your local computer.

    (If you add the content manually, you need the full content, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.)

  15. Hit Configure SSO on Bitrise.

You have successfully set up Bitrise as a SAML SSO app on Azure AD. Continue with Authorizing SAML SSO.
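
As an added example (not part of the Bitrise documentation), here is a Python pre-flight check for the text you are about to paste into the SAML SSO provider certificate field in step 14. It confirms there is a single complete BEGIN/END CERTIFICATE block, that the Base64 decodes, and that the DER body was not cut while copying. The function names and the sample input (filler bytes, not a real certificate) are constructed for illustration.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_total_length(der):
    """Total size implied by the outer DER header, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:  # short form: the length fits in this byte
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pasted_certificate(text):
    """Return (problems, sha256_hex); sha256_hex is None if any problem is found."""
    problems = []
    if "PRIVATE KEY-----" in text:
        problems.append("contains private key material; paste only the certificate")
    blocks = re.findall(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if len(blocks) != 1:
        problems.append(f"expected one complete BEGIN/END block, found {len(blocks)}")
        return problems, None
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:
        problems.append("body is not valid Base64 (altered or cut while copying)")
        return problems, None
    declared = der_total_length(der)
    if declared is None:
        problems.append("decoded data is not a DER SEQUENCE")
    elif declared != len(der):
        problems.append(f"truncated or padded: header says {declared} bytes, got {len(der)}")
    return problems, (None if problems else hashlib.sha256(der).hexdigest())


def make_sample_pem():
    """Constructed stand-in: a DER SEQUENCE of filler bytes, not a real certificate."""
    body = bytes(range(200))
    der = b"\x30\x81" + bytes([len(body)]) + body
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n", der
```

Run `check_pasted_certificate` on the contents of the downloaded file and on the text you pasted; matching SHA-256 values with an empty problem list mean the certificate arrived intact.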

Authorizing SAML SSO

Now that the Workspace owner has set up SAML SSO, everyone in the Workspace has to authorize SAML SSO before logging in to their Workspace via SAML SSO.

  1. Make sure you’re logged into Bitrise in the usual way. Use the same browser window to continue.
  2. Bitrise sends a verification e-mail to all Workspace members. By clicking the Log In via SAML SSO button or using the provided URL, Workspace members can authorize themselves for SAML SSO login. The email also shows the Workspace owner’s email address (in case you need to contact them). Click the Log In via SAML SSO button or copy-paste the URL to a NEW TAB of the same browser.
  3. You’re directed to the Allow “Workspace name” to sign you in page on Bitrise.
    • Click Authorize if you trust the Workspace to control your Bitrise account sign-in process.
      If you’re already logged in to your SAML SSO provider, you’ll be automatically taken to your Bitrise Dashboard.
      If you’re not, you’ll be prompted to log in on your SAML SSO provider’s site, and then taken to your Bitrise Dashboard.
    • Click Don’t Allow if the invitation email is from an untrusted source.

      SAML SSO in Workspaces

      Note that if you are using a different non-matching email address, you will get the below error message. Make sure you log in with the right email address both on Bitrise, as well as on your SSO provider site.

If all went well, you should be landing on your Bitrise Dashboard. As a Workspace owner, you might want to check how Workspace members are progressing with their SAML SSO connection: check Workspace members’ SAML SSO statuses or invite new members to the Org.

What’s next?

Learn how you can log into your Workspace now that SAML SSO is set up.

You might want to check out Workspace members’ SAML SSO statuses once the connection is up.

You might want to enforce SAML SSO login to the Org once all Workspace members have authorized their SAML SSO connection to the Workspace.

Disabling SAML SSO is very simple - learn how.

SAML SSO on Bitrise

If you’d like to learn more about SAML SSO on Bitrise, check out our SAML SSO in Workspaces guide.