1. Snyk
  2. Setup & project management
  3. Setting up and managing SSO for authentication

Manage and configure single sign-on (SSO)

Follow

Articles in this section

Rachel Cheyfitz
  • Updated
Follow

Enterprise and Pro customers can take advantage of their existing identity management systems and have their employees sign in to Snyk using their corporate identity. This greatly eases the provisioning of users and allows for deeper integration for group and organization membership, role-based access, and more.

Snyk can integrate with any SAML-based SSO or ADFS. We can also set up SSO for you using your Enterprise Identity Provider, including Azure AD and Google G Suite. Read more about SAML in the Auth0 documentation. Read here for more information about SSO with ADFS.

Your Snyk representative configures the SSO for you based on your organization’s requirements: you can choose from one of these sign-on configurations for your Snyk groups:

  • Add all users automatically: add all users to all organizations within a specified group based on a single role that you ask to be assigned.

  • Add users by invitation: users are added to an organization either by receiving an invitation sent by an administrator. Administrators can add users manually as well.

  • Add users based on customized rules: pass us details about the Snyk organization(s) that each user should join in a SAML payload.

Note

When users sign in through SSO for the first time, a new account is created for them even if they had already manually created their own account previously. Contact us () for assistance cleaning up duplicates and things of that sort if you run into these kinds of issues.

Note

Multi-factor authentication (MFA) is functionality configured and managed by your identity provider. If you configure MFA, you should include Snyk in your list of whitelisted applications.

How it works

Snyk uses Auth0 to centralize authentication, authorization and accounting (AAA) and to enable integration withthe identity provider you use, as follows:

  1. Your Snyk representative configures SSO using the details you sent us.

  2. Your network administrator configures the environment designated for this connection.

  3. Once configured both from Snyk and from your company's network, a trust relationship is established between Snyk, Auth0 (on behalf of Snyk) and your network. Any sensitive data is encrypted and stored in Auth0 only for the purposes of enabling user logins.

  4. A user clicks the SSO button from snyk.io to log in.

  5. The user is redirected to the identity provider you requested.

  6. The user is authenticated by your identity provider.

  7. The identity provider communicates this authentication to our servers, sending the following data to Snyk in order to create each user:

    Parameter

    Description

    Sign-in URL

    The URL for your network login page.

    X509 Signing Certificate

    Your identity provider’s public key encoded in PEM or CER format.

    Sign-Out URL

    (optional, recommended)

    This is the URL for redirect whenever a user logs out of Snyk

    Protocol binding

    HTTP-POST is recommended

    HTTP-Redirect is also supported

    User ID attribute

    Optional

    Default is  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

    Whether or not an identity provider-initiated flow is supported

    Indicate this decision to your rep; we recommend implementing this flow

  8. Snyk looks for the user in our Auth0 directory: If this user is already configured in our system, Snyk enables access based on authorization configurations. If this is a new user, Snyk creates the user in Auth0 first, and then redirects to snyk.io, also based on authorization configurations.

Prepare for deployment

We recommend that you set up a Snyk environment as well as a Snyk test environment to configure, test, maintain and backup your SSO configuration.

  1. Configure these environments using the connection details for snyk.io as follows:

    Parameter

    Value

    Description

    Entity ID

    urn:auth0:snyk:saml-yourcompany

    urn:auth0:snyk-test:saml-yourcompany

    Get this from your Snyk representative.

    ACS URL

    https://snyk.auth0.com/login/callback?connection=saml-yourcompany

    https://snyk-test.auth0.com/login/callback?connection=saml-yourcompany

    The Assertion Consumer Service (ACS) is the endpoint on our network that listens for requests from your identity provider in order to enable communication between users on your network and Snyk.

    This URL is sometimes also called a Reply URL.

    Signing certificate

    https://snyk.auth0.com/pem

    https://snyk-test.auth0.com/pem

    This is our certificate, stored on your server in order to maintain the trust relationship, containing necessary encryption keys for authentication.

  2. Send us the following environment details for each of the environments you've configured, based on your AAA configuration:

    SSO protocol/identify provider

    Details Snyk needs

    Description

    SAML

    Sign-In URL

    X509 Signing Certificate

    Identity Provider public key encoded in PEM or CER format

    Sign-Out URL (optional, recommended)

    this is the URL for redirect whenever a user logs out of Snyk

    User ID attribute

    optional, default is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

    Protocol binding

    HTTP-POST is recommended, HTTP-Redirect is also supported

    Whether or not IdP-initiated flow is supported (recommended)

    ADFS

    Client ID

    Client secret

    Microsoft Azure AD Domain

    (numbers and letters):

    Navigate to the app you registered on your Azure portal : Azure portal -> App registrations -> Open the Snyk app that you created -> Overview → please send us the value of "Directory (tenant) ID"

  3. (Optional) Set up a user for testing and send us the credentials.

Add users to your SSO setup

Add all users automatically

Add all of your users to all organizations within a specified group. If selecting this option, let us know the role (administrator or collaborator) you would like users to be added as. When they each sign in through your SSO for the first time, users are added to that default organization automatically.

  • Send the default role (collaborator or administrator) and default organization details to your Snyk representative.

Add users by invitation

With this setup, users are added to an organization either by receiving an invitation that has been sent by an administrator or by the administrator adding the user to an organization after they have signed in for the first time.

When the user signs in to Snyk for the first time without receiving an invitation, they can view the list of existing organizations and the email addresses of the administrators who they can contact to request access, but they can’t access any other details until manually added by the administrator.

To add users by invitation, no related details need to be sent. You can automate this process using our API endpoint. For more information see our API docs.

Add users with customized rules

You can configure SSO differently for each of your different Snyk groups. As well as having access to your company’s Snyk organizations, you can also allow them to have access to a personal organization that they can use for their personal projects. By default, we disable this feature.

To customize assignment rules, pass us details about the role that the user should be assigned; Snyk can also map the user to an organization or group if you include an attribute with the relevant names and details.

The SAML payload can also use arrays to define these assignments.

To add user details through your SAML, update us with your payload naming convention:

To customize user assignments based on your company’s needs, send a SAML payload with all of the necessary details. This section describes:

  • The SAML format

  • Additional guidelines

Employ this format when creating the payload:

{
name: “LASTNAME Firstname”,
email: “username@yourcompany.com”,
roles: [“groupname-orgname-rolename”]
}

For example:

{
name: “CHEYFITZ Rachel”,
email: “rachel@snyk.io”,
roles: [“snykgroup1-scrum1-collaborator”]
}

SAML payload guidelines:

  1. You can define the SAML naming convention: ensure it includes mapping to a Snyk organization, as well as the user role. Inform your Snyk representative of the format and the SAML attribute name.

  2. Ensure you expose the email attribute in the payload to provide the user access to both the Snyk platform and our support website.

  3. To indicate specific groups, send us the Group ID, which you can find in the Settings area of your account and also in the slug of the URL, similar to this image:

    i_get_groupID.png

  4. To specify an organization, send us the organization slug that appears in the URL for each organization in the Snyk interface. This may differ from the display name for the organization, as demonstrated in this image:

    i_getOrgID.png

  5. To assign roles, indicate one of these user roles:

    • collaborator

    • administrator

Comments

0 comments

Article is closed for comments.