Configure Self-Serve Single Sign-On (SSO)
Group Admins on a Snyk Enterprise plan who use SAML for SSO can configure Snyk Single Sign-on themselves. Ensure you have at least one Group and Organization where you can assign new users. See Manage Groups and Organizations.
To enable the self-serve SSO option, contact your Snyk account team or Snyk support. Note that this option does not accommodate custom role mapping. To set up custom role mapping with SSO for your Snyk Group, contact your Snyk account team.
The following video demonstrates the process and steps for setting up single sign-on when using SAML.
Use SAML for SSO: process overview
The process of establishing trust between your identity provider (IdP) and Snyk requires that the Group Admin do the following:
Configure your identity provider (IdP) by using the details about the Snyk environment displayed on-screen and user attributes.
Enter SAML attributes from your identity provider(IdP) on the Group SSO Settings page.
Configure Snyk SSO settings, choosing how you want your members to log in.
Verify SSO login to confirm the login process is working correctly.
After SSO is configured both from Snyk and your company's network, a trust relationship is established with Snyk, Auth0 (on behalf of Snyk), and your network. Any sensitive data is encrypted and stored in Auth0 only for the purposes of enabling user logins.
Although not all the examples following this page cover verifying the Snyk signature, it is recommended that you improve the trust relationship and ensure integrity even further. Follow your respective IdP's documentation to add SP signature verification where possible.
User login
Users are provisioned to Snyk when they log in. If the new user role selected is Group Member, the new user sees only a list of your Organizations until the admin adds them to the appropriate Organizations.
High-level configuration steps
Configuring the IdP
In the Snyk web UI, navigate to the Group menu and select Settings.
Select SSO and copy the needed information in Step 1, namely Entity ID, ACS URL, and the Snyk signing certificate URL.
Enter these details in the IdP where appropriate and upload the Snyk signing certificate after downloading it locally in case the IdP does not accept only the certificate URL.
Before moving back to the Snyk UI, copy the IdP provided sign in URL and copy or download the IdP-provided X509 signing certificate details.
Configuring Snyk
In Step 2 of the SSO settings page in the Snyk web UI, enter the details collected from the IdP by providing the sign in URL, sign out URL if available and desired, the IdP signing certificate and domains and subdomains that will be served over the SSO connection.
In case the connection requires HTTP-Redirect protocol binding, change that option from the default HTTP-POST.
Finally, verify if an IdP-initiated workflow should be enabled and then select Create Connection or Save changes if you are modifying an existing connection.
Setting up user provisioning
To make sure users are assigned the correct role when logging in for the first time, choose either Group member, Org Collaborator or Org Admin. Refer to choosing a provisioning option for details on the options in this step.
In the section Profile Attributes, the fields are auto-populated but verify that Email, Name and Username, if known, exactly match the corresponding keys in the SAML payload raw JSON sent by the IdP to Snyk. Select Save Changes and move to the final step where you verify the setup.
Testing and verifying the configuration
Provided all details have been entered correctly, the direct URL from the top of Step 3 in the Snyk web UI can now be used to verify the configuration works as intended by logging in as a user in the directory of the IdP.
When all stored details are verified to be accurate (name, e-mail, permissions), Snyk generally recommends existing users that previously were logged in through Social login methods be removed from the Snyk platform. This can be accomplished under the Group menu Members.
Last updated