Single Sign-On with Okta

To add Okta as an SSO provider for your Buildkite organization, you need admin privileges for both Okta and Buildkite.

Setting up SSO with SAML

To set up Single Sign-On, follow the SAML configuration guide.

Using SCIM to provision and manage users

Enterprise customers can optionally enable automatic deprovisioning for their Buildkite users.

Supported SCIM Features

  • Create Users
  • Deactivate Users (Deprovisioning)

You will not be billed for users that you add to your Okta Buildkite app until they have signed in to your Buildkite organization.

Configuration instructions

Using the SCIM provisioning settings in Okta, Enterprise customers can automatically remove user accounts from their Buildkite organization. In Okta, this feature is called 'Deactivating' a user. You need an enabled Okta SSO Provider before you can set up SCIM.

After creating your SSO Provider in Buildkite, you will need the Base URL and API Token from the SCIM Deprovisioning section of your Okta SSO Provider Settings.

Go to your Buildkite application in Okta to set up deprovisioning:

  1. On the Sign On tab in the Okta Buildkite application, edit the Credential Details settings, select Email for the Application username format, and press Save
  2. On the Provisioning tab, select Integration from the left side menu
  3. Click Configure API Integration
  4. Tick Enable API integration and enter the URL and API token copied from your Buildkite SSO Provider settings
  5. Click Test API Credentials and then Save once successfully verified
  6. Select To App from the left side menu
  7. Edit the Provisioning to App settings, and enable Create Users and Deactivate Users
  8. Save and test your settings

Provisioning Existing Users

Existing Okta users aren't automatically provisioned in Buildkite; you'll need to sync your users in order to deprovision them.

This can be done in one of two ways:

  1. Using the Provision User function on the Assignments tab of the Okta Buildkite app (if it's available), or
  2. By removing and re-assigning the users and groups to the Okta Buildkite app.
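
Before relying on deprovisioning, it helps to find Buildkite members that an Okta deactivation would not remove. The following is an added example, not Buildkite or Okta code: it compares two constructed CSV exports whose column names (email, okta_status, scim_provisioned) are assumptions, matching on email because the Application username format is set to Email.

```python
import csv
import io

# Constructed sample exports. The column names and values are assumptions for
# this example, not a real Okta or Buildkite export format.
OKTA_ASSIGNMENTS_CSV = """email,okta_status,scim_provisioned
alice@example.com,ACTIVE,true
bob@example.com,ACTIVE,false
carol@example.com,DEPROVISIONED,true
dave@example.com,DEPROVISIONED,false
"""
BUILDKITE_MEMBERS_CSV = """email
Alice@Example.com
bob@example.com
dave@example.com
erin@example.com
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def _norm(email):
    # Email is the match key, so compare it case-insensitively.
    return email.strip().lower()

def audit(okta_csv, buildkite_csv):
    """Classify Buildkite members that deprovisioning would miss."""
    okta = {_norm(r["email"]): r for r in _rows(okta_csv)}
    findings = {"not_assigned": [], "needs_sync": [], "stale_access": []}
    for row in _rows(buildkite_csv):
        email = _norm(row["email"])
        rec = okta.get(email)
        if rec is None:
            # Member is not assigned to the Okta app at all.
            findings["not_assigned"].append(email)
        elif rec["okta_status"].strip().upper() != "ACTIVE":
            # Deactivated in Okta but still a Buildkite member.
            findings["stale_access"].append(email)
        elif rec["scim_provisioned"].strip().lower() != "true":
            # Existing user never synced, so deactivation would not propagate.
            findings["needs_sync"].append(email)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, emails in audit(OKTA_ASSIGNMENTS_CSV, BUILDKITE_MEMBERS_CSV).items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

Users listed under needs_sync are the ones to provision with either of the two methods above; stale_access entries need manual removal from the Buildkite organization.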