Single Sign-On with Google Cloud Identity

Google Cloud Identity can be used as an SSO provider for your Buildkite organization. To complete this tutorial, you will need admin privileges for both Google Cloud Identity and Buildkite.

You can also set up SSO providers manually with GraphQL. See the SSO Setup with GraphQL Guide for detailed instructions and code samples.

Step 1. Create a Buildkite SSO Provider

Click the Buildkite Organization Settings' Single Sign On menu item, then choose the Custom SAML provider from the available options:

Screenshot of the Buildkite SSO Settings Page

Choose the 'Provide IdP Metadata Later' option when configuring your Custom SAML Provider:

On the following page, copy the ACS URL for use in Step 2.

Step 2. Add Buildkite in Google Cloud Identity

Log into your Google Admin Console, and follow these instructions:

  1. In the 'Apps Settings' area of the console, select 'SAML Apps'.
  2. Click the + button to open the Enable SSO for SAML Application modal.
  3. Choose 'Setup my own custom app'.
  4. Copy down the SSO URL and Entity ID, and download the Certificate. You'll need these in Step 2.
  5. Give your application a name, for example 'Buildkite'.
  6. Enter the following Service Provider Details:
  7. Attribute mapping can be added after the initial setup and testing. Click 'Finish' to complete the setup.

Step 3. Update your Buildkite SSO Provider

On your Buildkite Organization Settings' Single Sign On page, select your Custom SAML provider from the list of Configured SSO Providers.

Click the 'Edit Settings' button, choose the Manual data option, and enter the IdP data you saved in Step 2:

SAML 2.0 Endpoint (HTTP) The SSO URL you copied down during the previous step.
Issuer URL The Entity ID that you copied down during the previous step.
X.509 certificate The public key certificate generated for you by Google Cloud Identity that you downloaded during the previous step. You'll need the whole file, not just a link to the file.

Save your new settings and you'll be returned to your provider page.

Step 3. Perform a Test Login

Follow the instructions on the provider page to perform a test login. Performing a test login will verify that SSO is working correctly before you activate it for your organization members.

Step 4. Enable the new SSO Provider

Once you've performed a test login you can enable your provider using the Enable button. Activating SSO will not force a log out of existing users, but will cause all new or expired sessions to authorize through Cloud Identity before organization data can be accessed.

If you need to edit or update your Cloud Identity provider settings at any time, you will need to disable the provider first. For more information on disabling a provider, see the disabling SSO section of the SSO overview.