This information only applies to organizations on the Pro and Enterprise plans.

Buf's SSO integration supports the following SAML features:

  • Identity Provider (IdP)-initiated SSO
  • Service Provider (SP)-initiated SSO
  • Just-in-Time (JIT) user provisioning

The steps below must be carried out by a Google Workspace administrator for your organization.

Prerequisites

  • Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, example.buf.dev or buf.example.com) for the steps below.

Add SAML app to Google Admin

  1. Sign in to the Google Admin console for your organization.
  2. In the sidebar menu, click Apps (1) > Web and mobile apps (2).
  3. Click Add app (3) > Add custom SAML app (4).

Google - Add SAML app in Admin panel

  4. On the following screen, name the custom SAML app something like "Buf Schema Registry" or "Buf". This should be something meaningful to your users. Also add a description and icon if you prefer.
  5. Click Continue.

Set up Google Identity Provider details

There are two options to choose from:

  • Option 1: Download IdP metadata
  • Option 2: Copy the SSO URL, entity ID, and certificate

For Option 1:

  1. Click the DOWNLOAD METADATA button. This downloads a file to your computer, usually called GoogleIDPMetadata.xml.

  2. Provide this XML file to Support or your Buf representative.

  3. Click Continue.

Google - Download metadata

Add service provider details

  1. In the Service provider details screen, enter the following, replacing buf.example.com with your private BSR server domain:

    • ACS URL: https://buf.example.com/saml/acs
    • Entity ID: https://buf.example.com (Make sure to remove the trailing slash that is added by the form)
    • Name ID format: EMAIL
    • Name ID: Basic Information > Primary email

    Buf provisions users Just-in-Time based on the email address—make sure you've configured the Name ID correctly.

    Google - Service Provider details

  2. Click Continue.

  3. On the Attribute mapping screen, leave the attributes section empty and click Finish.

Enable user access

Once you've finished configuring the SAML app, enable it for your users. It is OFF for everyone by default.

Google - Enable SAML for users