Enterprise and Pro customers can take advantage of their existing identity management systems and have their employees sign in to Snyk using their corporate identity. This greatly eases the provisioning of users and allows for deeper integration for group and organization membership, role-based access, and more.
Snyk can integrate with any SAML-based SSO or ADFS. We can also set up SSO for you using your Enterprise Identity Provider, including Azure AD and Google G Suite. Read more about SAML in the Auth0 documentation. Read here for more information about SSO with ADFS.
Your Snyk representative configures the SSO for you based on your organization’s requirements: you can choose from one of these sign-on configurations for your Snyk groups:
Add all users automatically: add all users to all organizations within a specified group based on a single role that you ask to be assigned.
Add users by invitation: users are added to an organization by accepting an invitation sent by an administrator, or by an administrator adding them manually.
Add users based on customized rules: pass us details about the Snyk organization(s) that each user should join in a SAML payload.
Note
When users sign in through SSO for the first time, a new account is created for them even if they had already manually created their own account previously. Contact us (support@snyk.io) for assistance cleaning up duplicates and similar issues if you run into them.
Note
Multi-factor authentication (MFA) is functionality configured and managed by your identity provider. If you configure MFA, you should include Snyk in your list of whitelisted applications.
Snyk uses Auth0 to centralize authentication, authorization and accounting (AAA) and to enable integration with the identity provider you use, as follows:
Your Snyk representative configures SSO using the details you sent us.
Your network administrator configures the environment designated for this connection.
Once configured both from Snyk and from your company's network, a trust relationship is established between Snyk, Auth0 (on behalf of Snyk) and your network. Any sensitive data is encrypted and stored in Auth0 only for the purposes of enabling user logins.
A user clicks the SSO button from snyk.io to log in.
The user is redirected to the identity provider you requested.
The user is authenticated by your identity provider.
The identity provider communicates this authentication to our servers, sending the following data to Snyk in order to create each user:
Sign-in URL: the URL for your network login page.
X509 Signing Certificate: your identity provider's public key, encoded in PEM or CER format.
Sign-Out URL (optional, recommended): the URL to redirect to whenever a user logs out of Snyk.
Protocol binding: HTTP-POST is recommended; HTTP-Redirect is also supported.
User ID attribute (optional): the default is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Whether or not an identity provider-initiated flow is supported: indicate this decision to your Snyk representative; we recommend implementing this flow.
Snyk looks for the user in our Auth0 directory: If this user is already configured in our system, Snyk enables access based on authorization configurations. If this is a new user, Snyk creates the user in Auth0 first, and then redirects to snyk.io, also based on authorization configurations.
We recommend that you set up a Snyk environment as well as a Snyk test environment to configure, test, maintain and backup your SSO configuration.
Configure these environments using the connection details for snyk.io as follows:
Entity ID: urn:auth0:snyk:saml-yourcompany for the Snyk environment, or urn:auth0:snyk-test:saml-yourcompany for the Snyk test environment. Get this value from your Snyk representative.
ACS URL: https://snyk.auth0.com/login/callback?connection=saml-yourcompany for the Snyk environment, or https://snyk-test.auth0.com/login/callback?connection=saml-yourcompany for the Snyk test environment. The Assertion Consumer Service (ACS) is the endpoint on our network that listens for requests from your identity provider in order to enable communication between users on your network and Snyk. This URL is sometimes also called a Reply URL.
Signing certificate: this is our certificate, stored on your server in order to maintain the trust relationship; it contains the keys necessary for authentication.
Send us the following environment details for each of the environments you've configured, based on your AAA configuration:
For SAML:
Sign-In URL
X509 Signing Certificate: the identity provider's public key, encoded in PEM or CER format
Sign-Out URL (optional, recommended): the URL to redirect to whenever a user logs out of Snyk
User ID attribute: optional; the default is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Protocol binding: HTTP-POST is recommended; HTTP-Redirect is also supported
Whether or not an IdP-initiated flow is supported (recommended)
For ADFS:
Client ID
Client secret
Microsoft Azure AD Domain (numbers and letters): navigate to the app you registered on your Azure portal (Azure portal -> App registrations -> open the Snyk app that you created -> Overview) and send us the value of "Directory (tenant) ID"
(Optional) Set up a user for testing and send us the credentials.
Add all of your users to all organizations within a specified group. If you select this option, let us know the role (administrator or collaborator) you would like users to be added with. When each user signs in through your SSO for the first time, they are added to that default organization automatically.
Send the default role (collaborator or administrator) and default organization details to your Snyk representative.
With this setup, users are added to an organization either by receiving an invitation that has been sent by an administrator or by the administrator adding the user to an organization after they have signed in for the first time.
When the user signs in to Snyk for the first time without receiving an invitation, they can view the list of existing organizations and the email addresses of the administrators who they can contact to request access, but they can’t access any other details until manually added by the administrator.
To add users by invitation, no related details need to be sent. You can automate this process using our API endpoint. For more information see our API docs.
You can configure SSO differently for each of your Snyk groups. As well as giving users access to your company's Snyk organizations, you can also allow them access to a personal organization that they can use for their personal projects. By default, we disable this feature.
To customize assignment rules, pass us details about the role that the user should be assigned; Snyk can also map the user to an organization or group if you include an attribute with the relevant names and details.
The SAML payload can also use arrays to define these assignments.
To add user details through your SAML, update us with your payload naming convention:
To customize user assignments based on your company’s needs, send a SAML payload with all of the necessary details. This section describes:
The SAML format
Additional guidelines
Employ this format when creating the payload:
{ "name": "LASTNAME Firstname", "email": "username@yourcompany.com", "roles": ["groupname-orgname-rolename"] }
For example:
{ "name": "CHEYFITZ Rachel", "email": "rachel@snyk.io", "roles": ["snykgroup1-scrum1-collaborator"] }
SAML payload guidelines:
You can define the SAML naming convention: ensure it includes mapping to a Snyk organization, as well as the user role. Inform your Snyk representative of the format and the SAML attribute name.
Ensure you expose the email attribute in the payload to provide the user access to both the Snyk platform and our support website.
To indicate specific groups, send us the Group ID, which you can find in the Settings area of your account and also in the slug of the URL, similar to this image:
[Image: the Group ID as shown in the Settings area and in the slug of the URL]
To specify an organization, send us the organization slug that appears in the URL for each organization in the Snyk interface. This may differ from the display name for the organization, as demonstrated in this image:
[Image: the organization slug in the URL, which differs from the organization display name]
To assign roles, indicate one of these user roles:
collaborator
administrator
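The following added example (not Snyk's own code) shows how a relying party could validate a user payload in the format above and resolve each "groupname-orgname-rolename" entry before any access is granted: it checks that the email attribute is present, that the role is one of the two listed, and, because group IDs and organization slugs can themselves contain hyphens, it matches the prefix against a known list of (group, org) pairs rather than splitting on every hyphen. The KNOWN_ORGS table and its values are constructed for the example.

```python
import json
import re

# The two roles the page allows in the "groupname-orgname-rolename" convention.
VALID_ROLES = {"collaborator", "administrator"}

# Constructed example: the (group ID, org slug) pairs agreed with the Snyk
# representative. Hypothetical values, not real Snyk identifiers.
KNOWN_ORGS = {
    ("snykgroup1", "scrum1"),
    ("snykgroup1", "platform-team"),   # org slugs may contain hyphens
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_role(role_str, known_orgs=KNOWN_ORGS):
    """Split 'groupname-orgname-rolename' into (group, org, role).

    The role is always the last hyphen-separated segment. The remaining
    prefix is compared against the configured (group, org) pairs, which
    avoids mis-splitting when a group ID or slug contains hyphens.
    """
    prefix, sep, role = role_str.rpartition("-")
    if not sep or role not in VALID_ROLES:
        raise ValueError(f"unknown or missing role in {role_str!r}")
    for group, org in known_orgs:
        if prefix == f"{group}-{org}":
            return group, org, role
    raise ValueError(f"no configured group/org matches {prefix!r}")


def validate_payload(payload):
    """Validate a payload in the page's format (JSON string or dict) and
    return the resolved assignments as a list of (group, org, role)."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    for field in ("name", "email", "roles"):
        if field not in data:
            raise ValueError(f"missing attribute {field!r}")
    if not EMAIL_RE.match(data["email"]):
        raise ValueError("email attribute is not a valid address")
    if not isinstance(data["roles"], list) or not data["roles"]:
        raise ValueError("roles must be a non-empty array")
    return [parse_role(r) for r in data["roles"]]


if __name__ == "__main__":
    sample = ('{"name": "CHEYFITZ Rachel", "email": "rachel@snyk.io", '
              '"roles": ["snykgroup1-scrum1-collaborator"]}')
    print(validate_payload(sample))
```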