Okta - OIDC
This information only applies to organizations on the Pro and Enterprise plans.
Buf's SSO integration supports the following OIDC features:
- Service Provider (SP)-initiated SSO
- Just-in-Time (JIT) user provisioning
The steps below must be carried out by an Okta administrator for your organization.
Prerequisites
- Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, example.buf.dev or buf.example.com) for the steps below.
Set up application
- Sign in to your Okta organization.
- Navigate to Applications > Applications and click Create App Integration.
- For Sign-in method, select OIDC - OpenID Connect.
- For Application type, select Web Application.
Configure OIDC
- Under General Settings, give the integration an App name like "Buf Schema Registry" or "Buf". This should be something meaningful to your users.
- Under Grant type, make sure to check Refresh Token.
- Next, provide the callback URLs. These depend on the domain you provided.
  - Sign-in redirect URIs will be https://buf.example.com/oauth2/callback
  - Sign-out redirect URIs will be https://buf.example.com/logout
  Support for logout will be available in an upcoming release, but we suggest configuring this now so it works seamlessly when enabled. If you require Application Single Logout, contact Support or your Buf representative.
  Note that Buf provisions users Just-in-Time based on the email address.
- In the Assignments section, select which users or groups of users should have access to this Buf instance.
Update SSO configuration
To set up or update your BSR server's SSO configuration:
- Go to the Settings page for your OIDC integration.
- In another tab, go to the SSO Configuration page at http://<BSR_SERVER>/<ORGANIZATION>/pro-settings.
- From the SSO Provider dropdown, choose OIDC.
- Copy and paste the client ID, client secret, and the issuer URL (the Okta domain from your OIDC settings), and enter an optional logout URL.
- Click Update.
Configure Token Refresh
- Go to the Settings page for your OIDC integration and click Edit.
- Scroll down to the Refresh Token section.
- Select Rotate token after every use and make sure the Grace period for token rotation is set to 15s. The important part is to make sure this value is not set to 0.
- Click Save.
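The three procedures above (Okta app settings, the BSR SSO Configuration page, and refresh token rotation) are easy to get out of sync, and the symptoms are vague login or session failures. The following pre-flight check is an added example, not Buf's or Okta's code: it derives the sign-in and sign-out redirect URIs from the private BSR domain, checks the issuer and logout URL shape, and flags the rotation grace period of 0 this page warns against. The layout of the settings dict (keys such as `okta_rotation_grace_seconds`) is an assumption made here so the check runs offline; the Okta domain and credentials in the sample are placeholders.

```python
"""Pre-flight consistency check for a Buf BSR <-> Okta OIDC setup.

Added example; not Buf's or Okta's code. The settings dict layout is an
assumption made here so the check runs offline against constructed values.
"""
from urllib.parse import urlparse


def expected_redirect_uris(bsr_domain: str) -> dict:
    """Derive the sign-in and sign-out redirect URIs for a private BSR domain."""
    host = bsr_domain.strip().lower()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.rstrip("/")
    if not host or any(c in host for c in "/ ?#"):
        raise ValueError(f"expected a bare domain, got {bsr_domain!r}")
    return {
        "sign_in": f"https://{host}/oauth2/callback",
        "sign_out": f"https://{host}/logout",
    }


def discovery_url(issuer: str) -> str:
    """OIDC discovery document location for an issuer (standard well-known path)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_sso_config(cfg: dict, bsr_domain: str) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    for key in ("client_id", "client_secret", "issuer"):
        if not cfg.get(key):
            problems.append(f"{key} is missing")

    issuer = cfg.get("issuer") or ""
    if issuer:
        parsed = urlparse(issuer)
        if parsed.scheme != "https":
            problems.append("issuer must use https")
        if parsed.query or parsed.fragment:
            problems.append("issuer must not carry a query string or fragment")
        if issuer.rstrip("/").endswith("/.well-known/openid-configuration"):
            problems.append("issuer must be the issuer URL, not the discovery document URL")

    logout_url = cfg.get("logout_url")
    if logout_url and urlparse(logout_url).scheme != "https":
        problems.append("logout_url must use https")

    # The redirect URIs registered in Okta must match what the BSR host will send.
    want = expected_redirect_uris(bsr_domain)
    if want["sign_in"] not in cfg.get("okta_sign_in_redirect_uris", []):
        problems.append(f"Okta sign-in redirect URIs do not include {want['sign_in']}")
    if want["sign_out"] not in cfg.get("okta_sign_out_redirect_uris", []):
        problems.append(f"Okta sign-out redirect URIs do not include {want['sign_out']}")

    # Refresh token settings from the "Configure Token Refresh" steps.
    if "refresh_token" not in cfg.get("okta_grant_types", []):
        problems.append("Refresh Token grant type is not enabled")
    if not cfg.get("okta_rotate_refresh_token"):
        problems.append("refresh token is not set to rotate after every use")
    grace = cfg.get("okta_rotation_grace_seconds")
    if grace is None or grace <= 0:
        problems.append("refresh token rotation grace period must be set and not 0")
    return problems


# Constructed sample settings; the Okta domain and credentials are placeholders.
GOOD_CONFIG = {
    "client_id": "0oaEXAMPLECLIENTID",
    "client_secret": "EXAMPLE-SECRET-PLACEHOLDER",
    "issuer": "https://example-org.okta.com",
    "logout_url": "https://buf.example.com/logout",
    "okta_sign_in_redirect_uris": ["https://buf.example.com/oauth2/callback"],
    "okta_sign_out_redirect_uris": ["https://buf.example.com/logout"],
    "okta_grant_types": ["authorization_code", "refresh_token"],
    "okta_rotate_refresh_token": True,
    "okta_rotation_grace_seconds": 15,
}

# The same settings with two common mistakes: a grace period of 0 and a
# sign-in redirect URI registered under the wrong path.
BAD_CONFIG = dict(
    GOOD_CONFIG,
    okta_rotation_grace_seconds=0,
    okta_sign_in_redirect_uris=["https://buf.example.com/callback"],
)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, "->", check_sso_config(cfg, "buf.example.com") or "ok")
```

Run it against the values you actually entered in Okta and on the BSR SSO Configuration page before assigning users; an empty problem list means the redirect URIs, issuer and refresh token rotation settings agree with the steps on this page.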
Next steps
- View the User lifecycle page to understand how users are provisioned.