Security Assertion Markup Language (SAML) is a common web protocol used to pass authorized credentials between two web applications, a service provider (SP, Sourcegraph in this instance) and an Identity Provider (IdP). This communication is conducted via XML assertions.
Select your SAML identity provider for setup instructions:
- Okta
- Azure Active Directory (Azure AD)
- Microsoft Active Directory Federation Services (ADFS)
- Auth0
- OneLogin
- Ping Identity
- Salesforce Identity
- JumpCloud
- Other
For advanced SAML configuration options, see the saml auth provider documentation.
NOTE: Sourcegraph currently supports at most 1 SAML auth provider at a time (but you can configure additional auth providers of other types). This should not be an issue for 99% of customers.
- In Sourcegraph site config, ensure `externalURL` is set to a value consistent with the URL you used in the previous section in the identity provider configuration. NOTE: Make sure to use the exact same scheme, and there should be no trailing slash.
- Add an item to `auth.providers` with `"type": "saml"` and either `identityProviderMetadataURL` or `identityProviderMetadata` set. The former is preferred, but not all identity providers support it (it is sometimes called "App Federation Metadata URL" or just "SAML metadata URL"). WARNING: There can only be at most 1 element of type `saml`. Otherwise behavior is undefined. If you have another SAML auth provider configured, remove it from `auth.providers` before proceeding.
Here are some examples of what your site config might look like:
Example 1:
```json
{
  // ...
  "externalURL": "",
  "auth.providers": [
    {
      "type": "saml",
      "configID": "generic",
      "identityProviderMetadataURL": ""
    }
  ]
}
```
Example 2:
```json
{
  // ...
  "externalURL": "",
  "auth.providers": [
    {
      "type": "saml",
      "configID": "generic",
      // This is a long XML string you download from your identity provider.
      // You can escape it to a JSON string using a tool like
      "identityProviderMetadata": "<?xml version=\"1.0\" encoding=\"utf-8\"?><EntityDescriptor ID=\"_86c6d3fd-e0a9-4b99-b830-40b248003fb9\" entityID=\"\" xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\"><Signature xmlns=\"\"><SignedInfo><CanonicalizationMethod Algorithm=\"\" /><SignatureMethod Algorithm=\"\" /><Reference URI=\"#_86c6d3fd-e0a9-4b99-b830-40b248003fb9\"><Transforms><Transform Algorithm=\"\" /><Transform Algorithm=\"\" /></Transforms><DigestMethod Algorithm=\"\" /><DigestValue> ..."
    }
  ]
}
```
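The rules above (a non-empty `externalURL` with no trailing slash, at most one `saml` provider, and exactly one of `identityProviderMetadataURL` / `identityProviderMetadata`) are easy to get wrong by hand, and the failure mode is "undefined behavior" rather than a clear error. The following is an added example, not Sourcegraph's own code, of a pre-deploy check for the site config. It assumes the config is JSONC (JSON with `//` comments, as in the examples above) and that `externalURL` and `auth.providers` are the only keys that matter for these checks; the sample configs in it are constructed.

```python
"""Added example (not Sourcegraph code): sanity-check the SAML-related parts of a
Sourcegraph site config before deploying it.  Checks mirror the setup rules:
externalURL set with no trailing slash, at most one "saml" auth provider, and
exactly one of identityProviderMetadataURL / identityProviderMetadata per provider."""
import json
from urllib.parse import urlparse


def strip_jsonc_comments(text: str) -> str:
    """Remove // line comments so json.loads accepts a JSONC site config.
    '//' inside JSON string literals (e.g. in URLs) is left untouched."""
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):   # keep escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):             # skip to end of line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def check_saml_config(config_text: str) -> list:
    """Return a list of human-readable problems; an empty list means the config passes."""
    cfg = json.loads(strip_jsonc_comments(config_text))
    problems = []

    ext = cfg.get("externalURL", "")
    if not ext:
        problems.append("externalURL is not set")
    else:
        u = urlparse(ext)
        if u.scheme not in ("http", "https") or not u.netloc:
            problems.append(f"externalURL {ext!r} is not an absolute http(s) URL")
        if ext.endswith("/"):
            problems.append("externalURL must not have a trailing slash")

    saml = [p for p in cfg.get("auth.providers", []) if p.get("type") == "saml"]
    if len(saml) > 1:
        problems.append(f"{len(saml)} saml providers configured; at most 1 is supported")
    for p in saml:
        has_url = bool(p.get("identityProviderMetadataURL"))
        has_xml = bool(p.get("identityProviderMetadata"))
        if has_url == has_xml:   # neither or both
            problems.append(
                f"provider {p.get('configID', '?')!r} must set exactly one of "
                "identityProviderMetadataURL / identityProviderMetadata")
    return problems


# Constructed sample configs (example.com hosts, not real deployments).
GOOD_CONFIG = """{
  // constructed example
  "externalURL": "https://sourcegraph.example.com",
  "auth.providers": [
    { "type": "saml", "configID": "generic",
      "identityProviderMetadataURL": "https://idp.example.com/app/metadata" }
  ]
}"""

BAD_CONFIG = """{
  "externalURL": "https://sourcegraph.example.com/",
  "auth.providers": [
    { "type": "saml", "configID": "old",
      "identityProviderMetadataURL": "https://idp.example.com/old" },
    { "type": "saml", "configID": "new" }
  ]
}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_saml_config(text) or "OK")
```

Run it against the real site config before saving it; a trailing slash on `externalURL` or a leftover second `saml` provider shows up here instead of as a confusing login failure later.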
Then, confirm there are no error messages in:
- Docker Compose and Kubernetes: the deployment logs
- Single-container: the container logs
The most likely error message indicating a problem is `Error prefetching SAML service provider metadata`. See SAML troubleshooting for more tips.
Security Assertion Markup Language (SAML) is a common web protocol used to pass authorized credentials between two web applications, a service provider (SP, Sourcegraph in this instance) and an Identity Provider (IdP, see our list of IdPs above). This communication is conducted via XML assertions.
to log all SAML requests and responses on:
- Docker Compose and Kubernetes: the deployment
- Single-container: the container
When debugging a problem with SAML it's often helpful to use your browser's developer tools to directly observe the XML assertions and their contents. Below are some general pointers on how to collect SAML communications:
- Navigate in your browser to Sourcegraph and prepare to attempt a login via SAML.
- Open your developer tools and navigate to the Network tab. Check whether there's an option to preserve logs; if so, enable it.
- Clear the collected network logs in the Network tab and attempt a SAML login.
- Look for a network request in the Network tab that indicates a SAML request/response exchange (this might be labeled ACS or Authn), select it and inspect its headers. You should see something like the image below from a Sourcegraph Okta login, observed via Safari devTools (don't worry, this example contains no sensitive info).
In a real network response you will often find that the header info in the Network tab has a field containing XML that has been encoded and/or encrypted. There are a variety of ways to decompress and decrypt that XML; for an easy-to-use option we recommend a tool that provides a user-friendly UI for these tasks.
If you're not sure why your SAML isn't working and you've collected the network request and response from your login attempts, please feel free to reach out to our support team at [email protected]. Please redact any secret keys that may be contained in your site configuration or SAML assertions before sharing them with us at Sourcegraph.