This information only applies to organizations on the Pro and Enterprise plans.

Buf's SSO integration supports the following SAML features:

  • Identity Provider (IdP)-initiated SSO
  • Service Provider (SP)-initiated SSO
  • Just-in-Time (JIT) user provisioning

The steps below must be carried out by a GitHub administrator for your organization. These instructions can be followed alongside the Creating a GitHub App guide.


  • Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, or for the steps below.

Create GitHub App

This GitHub App is only used for SSO and is separate from the Buf GitHub App used for CI/CD integration.

  1. Sign in to your GitHub organization at
  2. Click the New GitHub App button.

Configure GitHub App

Please only configure what is instructed here.

  • Set the GitHub App name to something like "Buf Schema Registry" or "Buf". This should be something meaningful to your users.

  • Set the Homepage URL to—this will vary depending on your installation.

  • Ensure that Expire user authorization tokens is selected.

  • Under Identifying and authorizing users, set the Callback URL to

    • Sign-in redirect URIs should be
    • Sign-out redirect URIs should be
  • Under Webhook make sure that Active is not selected.

  • Under User permissions, ensure that Email addresses is set to Read-only. No other permissions are needed.

  1. Click Create GitHub App to create the app.

  2. Click Generate a new Client Secret.

    Once you've created the GitHub App, contact Support or your Buf representative and let us know the values of the following:

    • Client ID
    • Client secret


Next steps

  • View the User lifecycle page to understand how users are provisioned.