Configuring SAML with One Login
1. Create a SAML app in OneLogin
- Go to https://mycompany.onelogin.com/apps/find (replace "mycompany" with your company's OneLogin ID).
- Select "SAML Test Connector (SP)" and click "Save".
- Under the "Configuration" tab, set the following properties (replacing https://sourcegraph.example.com with your Sourcegraph URL):
  - Audience: https://sourcegraph.example.com/.auth/saml/metadata
  - Recipient: https://sourcegraph.example.com/.auth/saml/acs
  - ACS (Consumer) URL Validator: https://sourcegraph\.example\.com\/\.auth\/saml\/acs (This is a regular expression that matches the URL https://sourcegraph.example.com/.auth/saml/acs.)
  - ACS (Consumer) URL: https://sourcegraph.example.com/.auth/saml/acs
- Under the "Parameters" tab, ensure the following parameters exist:
  - Email (NameID): Email
  - DisplayName: First Name (Include in SAML Assertion: ✓)
  - login: AD user name (Include in SAML Assertion: ✓)
- Save the app in OneLogin.
- Find the Issuer URL in the OneLogin app configuration page, under the "SSO" tab, under "Issuer URL". It should look something like https://mycompany.onelogin.com/saml/metadata/123456 or https://app.onelogin.com/saml/metadata/123456. Record this for the next section.
2. Add the SAML auth provider to Sourcegraph site config
- In Sourcegraph site config, ensure externalURL is set to the same Sourcegraph URL you used in the previous section (i.e., what you replaced https://sourcegraph.example.com with). Be mindful to use the exact same scheme (http or https), and there should be no trailing slash.
- Add an item to auth.providers with type "saml" and identityProviderMetadataURL set to the Issuer URL recorded from the previous section. Here is an example:

    {
      // ...
      "externalURL": "https://sourcegraph.example.com",
      "auth.providers": [
        {
          "type": "saml",
          "identityProviderMetadataURL": "<issuer URL>"
        }
      ]
    }
Confirm there are no error messages in the sourcegraph/server Docker container logs (or the sourcegraph-frontend pod logs, if Sourcegraph is deployed to a Kubernetes cluster). The most likely error message indicating a problem is "Error prefetching SAML service provider metadata". See SAML troubleshooting for more tips.
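As an added example (not code from the Sourcegraph or OneLogin documentation), the Python below derives the four OneLogin "Configuration" values from a Sourcegraph externalURL, verifies that the ACS (Consumer) URL Validator regex really matches the ACS URL, and flags the two site-config mistakes described above: an externalURL that differs from the URL given to OneLogin (scheme, trailing slash) and a missing or malformed identityProviderMetadataURL. The ISSUER_URL_RE pattern and SAMPLE_SITE_CONFIG are assumptions constructed from the Issuer URL forms shown in step 1.

```python
import json
import re
from urllib.parse import urlparse

def onelogin_sp_settings(external_url: str) -> dict:
    """Derive the OneLogin 'Configuration' tab values from Sourcegraph's externalURL."""
    parsed = urlparse(external_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"externalURL must be an absolute http(s) URL, got {external_url!r}")
    if parsed.path or parsed.query or parsed.fragment:
        raise ValueError("externalURL must have no path, query, fragment or trailing slash")
    base = f"{parsed.scheme}://{parsed.netloc}"
    acs = f"{base}/.auth/saml/acs"
    # re.escape (Python 3.7+) escapes '.' but not '/'; the validator in the OneLogin
    # steps also escapes the '/' in the path, so do that to reproduce it exactly.
    validator = re.escape(base) + re.escape("/.auth/saml/acs").replace("/", r"\/")
    assert re.fullmatch(validator, acs)  # the validator must accept the real ACS URL
    return {
        "Audience": f"{base}/.auth/saml/metadata",
        "Recipient": acs,
        "ACS (Consumer) URL Validator": validator,
        "ACS (Consumer) URL": acs,
    }

# Assumed shape of the Issuer URL recorded from the OneLogin "SSO" tab.
ISSUER_URL_RE = re.compile(r"https://[\w.-]+\.onelogin\.com/saml/metadata/\d+")

def check_site_config(site_config_json: str, sp_external_url: str) -> list:
    """Return problems found in the SAML part of a Sourcegraph site config.
    sp_external_url is the URL entered into OneLogin; externalURL must equal it exactly.
    Plain JSON only: real site config allows // comments, which json.loads rejects."""
    cfg = json.loads(site_config_json)
    problems = []
    ext = cfg.get("externalURL", "")
    if ext != sp_external_url:
        problems.append(f"externalURL {ext!r} != OneLogin SP URL {sp_external_url!r}")
    saml = [p for p in cfg.get("auth.providers", []) if p.get("type") == "saml"]
    if not saml:
        problems.append("auth.providers has no entry with type 'saml'")
    for p in saml:
        url = p.get("identityProviderMetadataURL", "")
        if not ISSUER_URL_RE.fullmatch(url):
            problems.append(f"identityProviderMetadataURL {url!r} is not a OneLogin Issuer URL")
    return problems

# Constructed sample site config (not from a real deployment); note the trailing slash.
SAMPLE_SITE_CONFIG = """{"externalURL": "https://sourcegraph.example.com/",
  "auth.providers": [{"type": "saml",
    "identityProviderMetadataURL": "https://mycompany.onelogin.com/saml/metadata/123456"}]}"""
```

Running check_site_config(SAMPLE_SITE_CONFIG, "https://sourcegraph.example.com") reports the trailing-slash mismatch, which is the kind of discrepancy that surfaces later as the "Error prefetching SAML service provider metadata" log line or as a rejected assertion.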