This information only applies to organizations on the Pro and Enterprise plans.

Buf's SSO integration supports the following SAML features:

  • Identity Provider (IdP)-initiated SSO
  • Service Provider (SP)-initiated SSO
  • Just-in-Time (JIT) user provisioning
  • SCIM 2.0 user and group provisioning

The steps below must be carried out by an Okta admininstrator for your organization.


  • Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, or for the steps below.

Set up application

  1. Sign in to your Okta organization.
  2. Navigate to Applications > Applications and click Create App Integration.
  3. For Sign-in method, select SAML 2.0 and click Next.
  4. Under General Settings, give the integration an App name like "Buf Schema Registry" or "Buf". This should be something meaningful to your users.

Configure SAML

  1. Set Single sign on URL to
  2. Set Audience URI (SP Entity ID) to
  3. For Name ID format and Application username, select EmailAddress and Email, respectively.

Buf provisions users Just-in-Time based on the email address—make sure you've configured the Name ID correctly.

okta saml configuration

We recommend keeping the Okta defaults under Advanced Settings. However, if your organization has additional requirements, such as Single Logout (SLO) or adding Assertion Encryption, contact Support or your Buf representative.

Metadata URL

Buf supports fetching dynamic configuration directly from the publicly hosted Okta Metadata URL.

  1. Navigate to the Buf application.
  2. Click the Sign On tab and look for Identity Provider Metadata. This is a public URL Okta provides for you to share with your Service Provider.
  3. Copy the Metadata URL and send it to Support or your Buf representative.

okta saml configuration