This information only applies to organizations on the Pro and Enterprise plans.

Buf's SSO integration supports the following SAML features:

  • Identity Provider (IdP)- initiated SSO
  • Service Provider (SP)- initiated SSO
  • Just-in-Time (JIT) user provisioning

The steps below must be carried out by an Okta admininstrator for your organization.


  • Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, or for the steps below.

Set up application

  1. Sign in to your Okta organization.
  2. Navigate to Applications > Applications and click Create App Integration.
  3. For Sign-in method, select OIDC - OpenID Connect.
  4. For Application type, select Web Application.

Configure OIDC

  1. Under General Settings, give the integration an App name like "Buf Schema Registry" or "Buf". This should be something meaningful to your users.

  2. Under Grant type, make sure to check Refresh Token. okta saml configuration

  3. Next, provide the callback URL. This will depend on the domain you provided.

    • Sign-in redirect URIs will be
    • Sign-out redirect URIs will be

    Support for logout will be available in an upcoming release, but we suggest configuring this now so it works seamlessly when enabled. If you require Application Single Logout, contact Support or your Buf representative.

    okta saml configuration

    Note that Buf provisions users Just-in-Time based on the email address.

  4. In the Assignments section, select which users or groups of users should have access to this Buf instance.

Once you've created the Okta application, contact Support or your Buf representative and let us know the following items:

  1. Client ID
  2. Client secret
  3. Okta domain

okta saml configuration