This information only applies to organizations on the Pro and Enterprise plans.
Buf's SSO integration supports the following SAML features:
- Identity Provider (IdP)-initiated SSO
- Service Provider (SP)-initiated SSO
- Just-in-Time (JIT) user provisioning
The steps below must be carried out by a GitHub administrator for your organization. These instructions can be followed alongside the Creating a GitHub App guide.
Prerequisites
- Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, example.buf.dev or buf.example.com) for the steps below.
Create GitHub App
This GitHub App is only used for SSO and is separate from the Buf GitHub App used for CI/CD integration.
- Sign in to your GitHub organization at https://github.com/organizations/YOUR_GITHUB_ORG/settings/apps.
- Click the New GitHub App button.
Configure GitHub App
Please only configure what is instructed here.
- Set the GitHub App name to something like "Buf Schema Registry" or "Buf". This should be something meaningful to your users.
- Set the Homepage URL to https://buf.example.com; this will vary depending on your installation.
- Ensure that Expire user authorization tokens is selected.
- Under Identifying and authorizing users, set the Callback URL to https://buf.example.com/oauth2/callback
  - Sign-in redirect URIs should be https://buf.example.com/oauth2/callback
  - Sign-out redirect URIs should be https://buf.example.com/logout
- Under Webhook, make sure that Active is not selected.
- Under User permissions, ensure that Email addresses is set to Read-only. No other permissions are needed.
- Click Create GitHub App to create the app.
- Click Generate a new Client Secret.
Once you've created the GitHub App, contact Support or your Buf representative and let us know the values of the following:
- Client ID
- Client secret
Next steps
- View the User lifecycle page to understand how users are provisioned.