Single sign-on with Google Workspace
Google Workspace (previously G Suite and Google Apps) can be used as an SSO provider for your Buildkite organization. To complete this tutorial, you will need admin privileges for Buildkite.
Step 1. Create an SSO provider
In your Buildkite organization Settings' Single Sign On menu item, choose the Google G Suite provider.
You can also set up SSO providers manually with GraphQL.
See the SSO Setup with GraphQL Guide for detailed instructions and code samples.
Step 2. Perform a test login
Follow the instructions to perform a test login. Performing a test login will verify that SSO is working correctly before you activate it for your organization members.
Step 3. Enable the new SSO provider
Once you've performed a test login you can enable your provider. Activating SSO will not force a log out of existing users, but will cause all new or expired sessions to authorize through G Suite before organization data can be accessed.
If you need to edit or update your G Suite provider settings at any time, you will need to disable the provider first. For more information on disabling a provider, see the disabling SSO section of the SSO overview.
SAML user attributes
Buildkite accepts a subset of the SAML attributes from identity providers. The accepted attributes are:
Attribute | Description |
---|---|
admin | A boolean value that describes whether the user should be provisioned with admin permissions. Example: true |
email | A string of the user's email address. Example: "person@company.com" |
name | A string of the user's full name. Example: "Han Solo" |
teams | A comma separated list of team UUIDs. A team's UUID can be found on the Team Settings page in Buildkite. Example: a1aaaa1a-b2bb-cccc-d4dd-aa2aaa6aaaaa,b5bbbbbb-3aaa-dd1d-aaa1-eee4eee6eeee |
When using the teams attribute, you can also specify roles. The maintainer or member role can be appended to the team UUID.
For example, the following code will specify the member role for the first team and the maintainer role for the second team:
teams="b5bbbbbb-3aaa-dd1d-aaa1-eee4eee6eeee/member, a1aaaa1a-b2bb-cccc-d4dd-aa2aaa6aaaaa/maintainer"
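The teams value decides which users end up with the maintainer role, so it is worth checking before it goes into the identity provider's attribute mapping. The following is an added example, not Buildkite's code: it checks a teams value against the format described above and lists the teams that would receive maintainer. It assumes team UUIDs have the 8-4-4-4-12 hex shape of the page's examples and that whitespace around commas is insignificant; parse_teams and maintainers are hypothetical helper names.

```python
import re

# Roles the page lists as valid suffixes for a team UUID.
ALLOWED_ROLES = {"member", "maintainer"}
# Assumption: team UUIDs use the 8-4-4-4-12 hex shape seen in the page's examples.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def parse_teams(value):
    """Return (entries, errors) for a teams attribute value.

    entries: list of (team_uuid, role); role is None when no suffix is given.
    errors:  human-readable problems; a non-empty list means do not deploy.
    """
    entries, errors, seen = [], [], set()
    for raw in value.split(","):
        item = raw.strip()  # the page's role example has a space after the comma
        if not item:
            errors.append("empty entry (stray comma?)")
            continue
        uuid, sep, role = item.partition("/")
        uuid = uuid.lower()
        if not UUID_RE.match(uuid):
            errors.append(f"not a UUID: {uuid!r}")
        elif sep and role not in ALLOWED_ROLES:
            errors.append(f"unknown role {role!r} for team {uuid}")
        elif uuid in seen:
            errors.append(f"team listed twice: {uuid}")
        else:
            seen.add(uuid)
            entries.append((uuid, role if sep else None))
    return entries, errors


def maintainers(entries):
    """Team UUIDs for which the mapping grants the maintainer role."""
    return [uuid for uuid, role in entries if role == "maintainer"]


# Value taken from the page's own role example.
SAMPLE = ("b5bbbbbb-3aaa-dd1d-aaa1-eee4eee6eeee/member, "
          "a1aaaa1a-b2bb-cccc-d4dd-aa2aaa6aaaaa/maintainer")

if __name__ == "__main__":
    parsed, problems = parse_teams(SAMPLE)
    print("entries:", parsed)
    print("errors:", problems)
    print("maintainer on:", maintainers(parsed))
```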