SSO is a helpful security feature that lets customers control sign-in requirements and manage team member access to systems like the DeepSource Dashboard. With DeepSource, you can use SAML 2.0, a widely supported standard, to delegate the creation and authentication of team member accounts to an Identity Provider (IdP). This makes it easier to manage and secure user accounts within DeepSource.

📘

For DeepSource Enterprise Cloud or Server

DeepSource Enterprise Cloud or Server teams can setup SAML 2.0-based Single Sign-On (SSO) for authentication and SCIM for authorization.

Setup SAML SSO

Before you can connect an Identity Provider (IdP) to your DeepSource team, you need to first verify the ownership of your organization's email domain. This should be the domain name of your user's email addresses used for signing into DeepSource.

Request domain verification

1. Go to https://deepsource.com.
2. Select the team from the account switcher on the top-left.
3. Click on the Settings tab on the nav bar and then click on Security from the left side bar.
4. Under Domain name, enter the domain name you want to verify on DeepSource.

5. Click on Request Verification.

6. We will reach out to you by email for a manual verification.

7. Once the verified, you can go ahead with configuring an identity provider.

Configuration on Identity Provider

The following is a list of IdPs with links to their respective guides explaining the integration process:

1. Okta
2. OneLogin
3. Azure AD

While we only have official guides for the above providers, the overall process remains quite similar while integrating with any other popular IdP (such as Google, PingFederate, etc.) via a SAML 2.0 based connector.

Configuration on DeepSource

Once DeepSource has verified your domain and you have successfully created and tested a SAML 2.0 connector on the IdP website, you need to tell DeepSource about it.

1. On the same Team settings -> Security page, click on the Configure button.

2. Enter the XML Metadata URL (aka Issuer URL) that you got from the SAML connector in the IdP.

3. Click on Save changes.

4. Your IdP is successfully connected with your DeepSource team now. This means users assigned to the app on IdP will be able to sign up or sign in to DeepSource with SAML SSO now.

📘

If you have enabled SAML and not SCIM, then users are provisioned access to your team Just-In-Time i.e. when the user signs into DeepSource with SAML SSO using your team's configured IdP. They are given the MEMBER role if there are empty seats else CONTRIBUTOR role.

Setup SCIM Provisioning

SCIM, or System for Cross-domain Identity Management, is an open standard that allows for the automation of user provisioning.

With SCIM enabled for your DeepSource team, users will be provisioned, updated and deprovisioned in real-time with respect to changes on the IdP.

Configuration on DeepSource

Once you have setup SAML SSO, you can optionally enable SCIM provisioning as well.

1. Go to the same Team settings -> Security page.
2. Enable the toggle labeled "SCIM provisioning".

3. When you toggle it, a modal will pop up displaying the SCIM authentication token. You should copy the token and dismiss the modal.

4. Now SCIM is enabled for your DeepSource team. You may click on the "Regenerate" button at any time to reset the SCIM token.

5. You can go ahead with configuring and testing the SCIM connection on your identity provider. You can find the configuration steps in the "SCIM Provisioning" section for the identity provider chosen in the Configuration on Identity Provider section.