SAML SSO & SCIM: OneLogin

This document explains the process to enable SAML SSO and SCIM on DeepSource using OneLogin as the Identity Provider (IdP).

📘

Requires Enterprise Plans

Enabling SAML SSO and SCIM requires the team to be on Enterprise Cloud or Server plans. Please reach out to your account manager or [email protected] for a demo.

SAML SSO

Configuring SAML SSO on OneLogin

For now, an admin (on OneLogin) needs to create a custom SAML connector for DeepSource Enterprise. The steps are as follows:

  1. On the top menu, go to Applications → Applications, and click on "Add App".
  2. Search for and choose “SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML)”.
  3. Fill in the following details and click “Save”:

| Field | Value |
| --- | --- |
| Display Name | DeepSource Enterprise Server |

  4. Navigate to the “Configuration” tab using the sidebar on the left.
  5. Assuming that DeepSource is hosted on https://deepsource.foobar.com, fill in the following details accordingly, leaving the rest of the fields at their defaults, and click “Save”:

| Field | Value |
| --- | --- |
| SAML Audience URL | https://deepsource.foobar.com/saml2/metadata/ |
| SAML Audience URL | https://deepsource.foobar.com/saml2/acs/ |
| ACS (Consumer) URL Validator | https://deepsource.foobar.com/saml2/acs/ |
| ACS (Consumer) URL | https://deepsource.foobar.com/saml2/acs/ |
| SAML signature element | Both (from dropdown) |

  6. Navigate to the “SSO” tab using the sidebar on the left.
  7. Change the “SAML Signature Algorithm” field to use a stronger algorithm such as “SHA-512” (from dropdown) and click on “Save”.
  8. On the same screen, copy the “Issuer URL”. It should be in the format https://app.onelogin.com/saml/metadata/<app-uuid>.

🚧

For Enterprise Cloud users

  • In step 3, the name of the app should be changed to DeepSource Enterprise Cloud.
  • In step 5, DeepSource's URL should be changed to https://app.deepsource.com.

Configuring SAML SSO on DeepSource

For Enterprise Cloud

Refer to Setup SAML SSO -> Configuration on DeepSource.

For Enterprise Server

Once OneLogin has been configured, navigate to the “Config” tab in the Admin panel (replicated Kotsadm):

  1. Check "Yes" for "Enable SAML SSO".
  2. Enter the “Issuer URL” copied in Step 10 above for "IdP metadata URL".
  3. One last piece of configuration is whether you want to enable social authentication (i.e. allowing users to be created or to log in with GitHub) alongside SAML. In this case, users will be allowed to sign in either via SSO or via OAuth. Choose accordingly.
  4. Click save, and deploy the new version.

🎉

You should now be able to sign in to DeepSource Enterprise with SAML SSO.
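Once sign-in works, the signature settings chosen on OneLogin above (“Both” for the SAML signature element, “SHA-512” for the signature algorithm) can be checked against a base64-decoded SAML response captured from a test login. The following is an added example, not part of DeepSource's or OneLogin's documentation: the function names are hypothetical, the sample XML is constructed and heavily abbreviated, and an RSA signing key is assumed. It inspects what the XML declares and does not verify the signatures cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML-DSig algorithm identifiers; assumes the IdP signs with an RSA key.
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def audit_signatures(response_xml, expected_alg=RSA_SHA512):
    """Return findings for a decoded SAML response; an empty list means the
    declared signatures match the settings. Signatures are NOT verified."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    findings = []
    targets = {"Response": root, "Assertion": root.find("saml:Assertion", NS)}
    for name, elem in targets.items():
        if elem is None:
            findings.append(f"{name}: element not found (encrypted assertion?)")
            continue
        # The enveloped ds:Signature is a direct child of the element it signs.
        sig = elem.find("ds:Signature", NS)
        if sig is None:
            findings.append(f"{name}: not signed")
            continue
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != expected_alg:
            findings.append(f"{name}: signature algorithm is {alg}")
    return findings


def sample_response(response_alg, assertion_alg):
    """Constructed, heavily abbreviated response; None omits that signature."""
    def sig(alg):
        if alg is None:
            return ""
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
                f'<ds:SignatureMethod Algorithm="{alg}"/>'
                f'</ds:SignedInfo></ds:Signature>')
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'{sig(response_alg)}<saml:Assertion>{sig(assertion_alg)}</saml:Assertion>'
            f'</samlp:Response>')


if __name__ == "__main__":
    print(audit_signatures(sample_response(RSA_SHA512, RSA_SHA512)))
    print(audit_signatures(sample_response(None, RSA_SHA1)))
```

A finding of "not signed" on either element means the “Both” setting has not taken effect; an algorithm finding means the “SAML Signature Algorithm” dropdown is still on a weaker value.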

SCIM Provisioning

Configuring SCIM on DeepSource

For Enterprise Cloud

Refer to Setup SCIM Provisioning -> Configuration on DeepSource.

For Enterprise Server

Navigate to the “Config” tab in the Admin panel (replicated Kotsadm):

  1. Check "Yes" for "Enable SCIM provisioning".
  2. Enter a strong secret of your choice in "SCIM Authentication token". Keep this token saved somewhere; you will need to enter it on OneLogin in the next step.
  3. Click save, and deploy the new version.

Configuring SCIM on OneLogin

  1. To enable SCIM provisioning, go to your "DeepSource Enterprise Server" application on OneLogin.
  2. Go to the Configuration tab and, under API Connection, click on Enable and configure the given parameters.

| Field | Value |
| --- | --- |
| SCIM Base URL | https://deepsource.foobar.com/scim/v2 (no trailing slash) |
| SCIM Bearer Token | The SCIM Authentication token you entered in the Admin panel in the previous step |

  3. Click on Save to apply the settings.
  4. Go to the Provisioning tab, and configure the given parameters.

| Field | Value |
| --- | --- |
| Enable provisioning | |
| Create user | |
| Delete user | |
| Update user | |

  5. Click on Save to apply the settings.

🚧

For Enterprise Cloud users

In step 2, the following values should be used instead:

| Field | Values |
| --- | --- |
| SCIM Base URL | https://app.deepsource.com/scim/v2 (no trailing slash) |
| SCIM Bearer Token | SCIM Authentication token generated from DeepSource |

🎉

You have successfully configured SCIM provisioning for your DeepSource Enterprise via OneLogin.