Single Sign-On Support

You can use a Single Sign-On (SSO) provider to protect access to your organization’s data in Buildkite. Buildkite supports many different SSO providers, and you can configure multiple SSO providers for a single Buildkite organization.

Supported providers

Buildkite supports the following SSO providers:

Adding SSO

Many of the SSO providers can be configured by an organization admin using Organisation Settings → SSO Settings:

Screenshot of the Buildkite SSO Settings Page

You can also configure SSO manually using the GraphQL API.

Once configured, all access to organization data requires signing into your SSO provider:

Screenshot of the SSO protecting access to data

Disabling and Removing SSO

If you need to edit your SSO settings, temporarily stop logins using SSO, or want to delete your SSO provider, you'll first need to disable it.

There are two ways to disable a provider:

  1. Using the 'Disable' button in your SSO provider Settings, or
  2. Using the GraphQL API

If you have disabled all your SSO providers, users will be required to log in using a username and password. If users don't have a password, and need access while SSO is disabled, they can perform a 'Forgotten Password' reset.

Frequently asked questions

Can some people in the organization use SSO and others not?

Yes, team maintainers can select whether a user is 'required' to use SSO or whether it is 'optional'. This setting can be found in the team settings.

Do you support JIT provisioning?

Yes, we do.

What happens if a person leaves our company?

You will need to manually remove them from your Buildkite organization. This will not affect access to the user's personal account or any other organizations they are a member of.

Can we enable SSO on multiple domains for one organization?

Yes, by adding multiple SSO providers. You can enable as many different identity providers for your organization as you need.

Will enabling SSO disrupt my team?

No, SSO must be verified before being enabled, and can easily be disabled by you if required. Once enabled, users will see a new "SSO" badge on the organization and will be required to authorise with your SSO provider to access organization data.

Will enabling SSO affect builds, agents or pipelines?

No, all of your builds, agents, and pipelines will continue to run as normal.

Does enabling SSO affect billing?

No, enabling SSO will not affect how much you are billed. However, whenever a new user signs in to Buildkite using SSO, they will be added to your organization as if you had invited them.

Can I sync my identity provider's groups with my Buildkite teams?

Yes, if you are able to associate your provider's groups with your Buildkite team UUIDs, you can adjust the SAML assertion to send 'teams' as an additional SAML User Attribute.