SAML SSO & SCIM: Okta

This document explains the process to enable SAML SSO and SCIM on DeepSource using Okta as the Identity Provider (IdP).

📘

Requires Enterprise Plans

Enabling SAML SSO and SCIM requires the team to be on Enterprise Cloud or Server plans. Please reach out to your account manager or [email protected] for a demo.

This section explains the process to enable SAML SSO and SCIM on DeepSource Enterprise Server using Okta as the Identity Provider (IdP).

SAML SSO

Configuring SAML SSO on Okta

For now, an admin (on Okta) needs to create a custom SAML integration for DeepSource Enterprise. The steps are as follows:

  1. On the left sidebar, choose "Applications" → "Applications", and click on "Create App Integration".
  2. Choose "SAML 2.0" and click "Next".
  3. Fill in the following details:

     | Field | Value |
     | --- | --- |
     | App Name | DeepSource |

  4. Assuming that DeepSource is hosted on-premise at https://deepsource.foobar.com, fill in the following details accordingly:

🚧

Note for Enterprise Cloud Users

If you're on DeepSource Enterprise Cloud, replace https://deepsource.foobar.com with https://app.deepsource.com

     | Field | Values |
     | --- | --- |
     | Single sign on URL | https://deepsource.foobar.com/saml2/acs/ |
     | Audience URI (SP Entity ID) | https://deepsource.foobar.com/saml2/metadata/ |
     | Name ID format | EmailAddress (choose from drop down) |
     | Application username | Email (choose from drop down) |

  5. In "Attribute Statements", add the following:

     | Field | Name format | Value |
     | --- | --- | --- |
     | first_name | Basic | user.firstName |
     | last_name | Basic | user.lastName |

  6. Under Feedback selection, choose:
    1. For "Are you a customer or partner?", choose "I am an Okta customer, adding an internal app".
    2. App type: check the box "This is an internal app that we have created". Otherwise, Okta will ask for many other fields. Click on "Finish".
  7. On the next screen, go to the "SAML Signing Certificates" section. Copy the link for "Identity Provider Metadata" by clicking on Actions -> View IdP metadata for the "SHA-2 Type" certificate. It should be in the format: https://<customer>.okta.com/app/<app-slug>/sso/saml/metadata.

Configuring SAML SSO on DeepSource

For Enterprise Cloud

Refer to Setup SAML SSO -> Configuration on DeepSource.

For Enterprise Server

Once SAML has been configured on Okta, navigate to the "Config" tab in the Kotsadm admin panel:

  1. Check "Yes" for "Enable SAML SSO".

  2. Enter the URL copied in Step 7 above for "IdP metadata URL".

  3. One last piece of configuration is whether you want to enable social authentication (i.e. allowing users to be created/log in with GitHub) alongside SAML. In this case, users will be allowed to either sign in via SSO or via OAuth. Choose accordingly.

  4. Click save, and deploy the new version. You should now be able to sign in to DeepSource Enterprise with SAML SSO.

SCIM Provisioning

Configuring SCIM on DeepSource

For Enterprise Cloud

Refer to Setup SCIM Provisioning -> Configuration on DeepSource.

For Enterprise Server

Navigate to the "Config" tab in the Admin panel (replicated Kotsadm):

  1. Check "Yes" for "Enable SCIM provisioning".
  2. Enter a strong secret of your choice in "SCIM Authentication token". Keep this token saved somewhere; you will need to enter it in Okta while setting up SCIM provisioning.
  3. Click save, and deploy the new version.

Configuring SCIM on Okta

  1. To enable SCIM provisioning, select the DeepSource application, then go to General → App Settings → Edit and turn on Enable SCIM provisioning.

  2. Click on the Provisioning tab. Under SCIM Connection, click on Edit and configure the given parameters.

     | Field | Values |
     | --- | --- |
     | SCIM connector base URL | https://deepsource.foobar.com/scim/v2/ |
     | Unique identifier field for users | email |
     | Supported provisioning actions | Push New Users, Push Profile Updates, Push Groups |
     | Authentication Mode | HTTP Header |
     | Authorization bearer token | The SCIM Authentication token that you entered in the Replicated console (Kotsadm) |

🚧

Note for Enterprise Cloud

If you're on DeepSource Enterprise Cloud, use the following values instead of the values defined above.

| Field | Values |
| --- | --- |
| SCIM connector base URL | https://app.deepsource.com/scim/v2/ |
| Unique identifier field for users | email |
| Supported provisioning actions | Import New Users and Profile Updates, Push New Users, Push Profile Updates |
| Authentication Mode | HTTP Header |
| Authorization bearer token | SCIM Authentication token generated from DeepSource |

  3. Click on Test Connector Configuration to verify the SCIM connection.

  4. Click on Save to apply the settings.

  5. After the integration is saved successfully, go to the To App option on the left sidebar under Settings inside Provisioning.

  6. Enable the following options:

    • Create Users
    • Update User Attributes
    • Deactivate Users

    and click on Save.

You have successfully configured SCIM provisioning on your DeepSource Enterprise Server with Okta.