Google - SAML

This feature is only available on the Pro and Enterprise plans.

Buf's SSO integration supports the following SAML features:

The steps below must be carried out by a Google Workspace administrator for your organization.

Prerequisites

Setup (Pro | Enterprise) needs to be complete.
You need to know your private BSR instance's domain name (for example, example.buf.dev or buf.example.com) for the steps below.

On the following screen, name the custom SAML app something like "Buf Schema Registry" or "Buf". This should be something meaningful to your users. Also add a description and icon if you prefer.
Click Continue.

Click the DOWNLOAD METADATA button. This downloads a file to your computer, usually called GoogleIDPMetadata.xml, which you'll need later in the setup process.
Click Continue.

In the Service provider details screen, enter:
- ACS URL: https://buf.example.com/saml/acs
- Entity ID: https://buf.example.com (Make sure to remove the trailing slash that's added by the form)
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
Buf provisions users Just-in-Time based on the email address—make sure you've configured the Name ID correctly.
Click Continue.
On the Attribute mapping screen, leave the attributes section empty and click Finish.

Once you've finished configuring the SAML app, enable it for your users. It's OFF for everyone by default.

To set up or update your BSR instance's SSO configuration:

Go to the SSO Configuration page at http://<BSR_SERVER>/<ORGANIZATION>/pro-settings.
From the SSO Provider dropdown, choose SAML.
Click the Use IdP raw metadata instead link.
Copy and paste the contents of the IdP metadata XML file you downloaded earlier into the IdP Raw Metadata text box.
Click Update.