This information only applies to organizations on the Pro and Enterprise plans.
Buf's SSO integration supports the following SAML features:
- Identity Provider (IdP)-initiated SSO
- Service Provider (SP)-initiated SSO
- Just-in-Time (JIT) user provisioning
The steps below must be carried out by GitHub administrator for your organization. These instructions can be followed alongside the Creating a GitHub App guide.
Prerequisites
- Setup (Pro | Enterprise) needs to be complete. You need to know your private
BSR server domain (for example,
example.buf.devorbuf.example.com) for the steps below.
Create GitHub App
This GitHub App is only used for SSO and is separate from the Buf GitHub App used for CI/CD integration.
- Sign in to your GitHub organization at
https://github.com/organizations/YOUR_GITHUB_ORG/settings/apps. - Click the New GitHub App button.
Configure GitHub App
Please only configure what is instructed here.
-
Set the GitHub App name to something like "Buf Schema Registry" or "Buf". This should be something meaningful to your users.
-
Set the Homepage URL to
https://buf.example.com—this will vary depending on your installation. -
Ensure that Expire user authorization tokens is selected.
-
Under Identifying and authorizing users, set the Callback URL to
https://buf.example.com/oauth2/callback- Sign-in redirect URIs should be
https://buf.example.com/oauth2/callback - Sign-out redirect URIs should be
https://buf.example.com/logout
- Sign-in redirect URIs should be
-
Under Webhook make sure that Active is not selected.
-
Under User permissions ensure that Email addresses is set to Read-only, no other permissions are needed.
-
Click Create GitHub App to create the app.
-
Click Generate a new Client Secret
Once you've created the GitHub App, contact Support or your Buf representative and let us know the values of the following:
- Client ID
- Client secret
Next steps
- View the User lifecycle page to understand how users are provisioned.