Single sign-on (SSO) configuration
Prerequisites
- You have gained the necessary resource access and permissions required for deployment.
- You have created a Semgrep account and organization.
- For GitHub and GitLab users: You have connected your source code manager.
This article walks you through single sign-on (SSO) configuration. Semgrep supports SSO through OpenID Connect / OAuth 2.0 and SAML 2.0.
After setting up SSO, users are provisioned and managed on your IdP. Semgrep grants access to the deployment to any user at the configured domain who logs in and has the correct permissions in the IdP.
OpenID Connect / OAuth 2.0
Semgrep AppSec Platform does not support using OpenID with Microsoft Entra ID. Follow the instructions to set up SAML SSO with Microsoft Entra ID instead.
To set up SSO in Semgrep AppSec Platform:
- Sign in to Semgrep AppSec Platform.
- Navigate to Settings > Access > Login methods.
- Click Add SSO configuration and select OpenID SSO.
- Provide a Display name and the Email domain.
- Copy the Redirect URL, and provide it to your authentication provider.
- Generate a Client ID and Client Secret through your authentication provider and paste these values into Semgrep.
- From your authentication provider, copy the Base URL value, and provide it to Semgrep. For example, if you're using Okta SSO, the base URL is the Okta domain.
- Optional: provide the following values from your authentication provider if necessary:
  - Well Known URL
  - Authorize URI
  - Token URI
  - Userinfo URI
- Click Save to proceed.
If you encounter issues during the setup process, please reach out to support for assistance.
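The optional Well Known URL, Authorize URI, Token URI and Userinfo URI values are all derived from one artifact: the IdP's OpenID Connect discovery document, served under the base URL. The following Python script is an added example (not Semgrep code, and not any IdP's) that shows where those values come from and the sanity checks worth running before pasting them into the form. SAMPLE_BASE_URL and the two discovery documents are constructed for an imaginary IdP; fetch_endpoints is the live variant against a real base URL.

```python
"""Derive the values that Semgrep's optional OpenID fields (Well Known URL,
Authorize URI, Token URI, Userinfo URI) ask for from an IdP base URL and its
OpenID Connect discovery document, with the sanity checks worth running
before pasting them in.

Added example, not Semgrep code. SAMPLE_BASE_URL and the discovery documents
below are constructed for an imaginary IdP.
"""
import json
import urllib.request
from urllib.parse import urlparse

SAMPLE_BASE_URL = "https://idp.example.com"

# Constructed: what <base URL>/.well-known/openid-configuration typically returns
# (only the keys this script looks at).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
})

# Constructed: same document, but the token endpoint is served over plain HTTP.
SAMPLE_BAD_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "http://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")


def well_known_url(base_url: str) -> str:
    """The OpenID Connect Discovery location for a base URL."""
    return base_url.rstrip("/") + "/.well-known/openid-configuration"


def discovery_problems(base_url: str, discovery_json: str) -> list:
    """Return the reasons not to trust this discovery document (empty if it is fine)."""
    doc = json.loads(discovery_json)
    missing = [key for key in REQUIRED if key not in doc]
    if missing:
        return [f"discovery document lacks {missing}"]
    problems = []
    # The issuer must be the base URL you configure; a mismatch means tokens would
    # carry an `iss` claim that does not belong to the IdP you think you set up.
    if doc["issuer"].rstrip("/") != base_url.rstrip("/"):
        problems.append(f"issuer {doc['issuer']!r} does not match base URL {base_url!r}")
    # Endpoints must be HTTPS and on the issuer's host: the client secret is sent to
    # the token endpoint, and user identity comes back from the userinfo endpoint.
    issuer_host = urlparse(doc["issuer"]).hostname
    for key in REQUIRED[1:]:
        parts = urlparse(doc[key])
        if parts.scheme != "https" or parts.hostname != issuer_host:
            problems.append(f"{key} {doc[key]!r} is not an https URL on {issuer_host}")
    return problems


def extract_endpoints(base_url: str, discovery_json: str) -> dict:
    """Map the discovery document onto Semgrep's optional OpenID fields."""
    problems = discovery_problems(base_url, discovery_json)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(discovery_json)
    return {
        "Well Known URL": well_known_url(base_url),
        "Authorize URI": doc["authorization_endpoint"],
        "Token URI": doc["token_endpoint"],
        "Userinfo URI": doc["userinfo_endpoint"],
    }


def fetch_endpoints(base_url: str, timeout: float = 10.0) -> dict:
    """Live variant: fetch the discovery document from the IdP and run the same checks."""
    with urllib.request.urlopen(well_known_url(base_url), timeout=timeout) as resp:
        return extract_endpoints(base_url, resp.read().decode("utf-8"))


if __name__ == "__main__":
    for field, value in extract_endpoints(SAMPLE_BASE_URL, SAMPLE_DISCOVERY).items():
        print(f"{field}: {value}")
    print("problems in bad document:", discovery_problems(SAMPLE_BASE_URL, SAMPLE_BAD_DISCOVERY))
```

If the IdP's issuer differs from its base URL (some providers use a path under the domain as the issuer), the issuer is the value to treat as authoritative; the check here exists to make that difference visible before you save the configuration rather than to forbid it.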
SAML 2.0
If you're using Google Workspace SAML, see SAML Single Sign-on with Google Workspace for specific guidance.
SAML 2.0 is configured through Semgrep AppSec Platform. To set up SSO:
- Create a SAML app with your authentication provider.
- With your authentication provider, add two attribute statements: name and email.
- Sign in to Semgrep AppSec Platform.
- Navigate to Settings > Access > Login methods.
- Click Add SSO configuration and select SAML2 SSO.
- Provide a Display name and the Email domain.
- Copy the SSO URL and Audience URL (SP Entity ID), and provide them to your authentication provider.
- From your authentication provider, copy your IdP SSO URL and IdP Issuer ID values, and download the X509 Certificate.
- Return to Semgrep AppSec Platform, paste the IdP SSO URL and IdP Issuer ID values, and upload your X509 Certificate.
- Select the box next to This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin) if applicable.
- Click Save to proceed.
If you encounter issues during the setup process, reach out to support for assistance.
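The three values the SAML form asks for (IdP SSO URL, IdP Issuer ID, X509 Certificate) all come from the IdP's metadata document, and the two attribute statements (name and email) show up in the assertions the IdP issues. The following Python script is an added example, not Semgrep's code or any IdP's: it pulls those values out of a constructed IdP metadata document, checks a constructed assertion for the two attributes, and confirms the assertion's Issuer matches the metadata entityID you are about to paste as the IdP Issuer ID. Which SingleSignOnService binding a provider labels as its SSO URL varies, so both bindings are returned; the certificate body is a placeholder, not a real certificate.

```python
"""Extract the IdP Issuer ID, IdP SSO URL(s) and signing X509 Certificate from
SAML IdP metadata, and check a SAML assertion for the `name` and `email`
attribute statements the setup requires.

Added example, not Semgrep code. Both XML documents are constructed; the
certificate body is a placeholder string, not a real certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
}

# Constructed IdP metadata, shaped like what most IdPs export.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER...BASE64==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed, unsigned assertion fragment carrying the two attribute statements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Ada Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def to_pem(b64: str) -> str:
    """Wrap a bare base64 certificate body (as found in metadata) as a PEM file body."""
    body = "".join(b64.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def idp_settings(metadata_xml: str) -> dict:
    """Return the values the Semgrep SAML form asks for, taken from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        name = BINDINGS.get(svc.get("Binding"))
        if name:
            sso_urls[name] = svc.get("Location")
    if not sso_urls:
        raise ValueError("no HTTP-POST or HTTP-Redirect SingleSignOnService")
    # Only a KeyDescriptor marked for signing (or unmarked, meaning both uses)
    # verifies assertions; an encryption-only key is the wrong one to upload.
    certs = [
        k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        for k in idp.findall("md:KeyDescriptor", NS)
        if k.get("use") in (None, "signing")
    ]
    certs = [c for c in certs if c and c.strip()]
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {
        "IdP Issuer ID": root.get("entityID"),
        "IdP SSO URL": sso_urls,
        "X509 Certificate": to_pem(certs[0]),
        "signing_cert_count": len(certs),  # >1 usually means a key rollover is in progress
    }


def missing_attributes(assertion_xml: str, required=("name", "email")) -> list:
    """Return the required attribute names that are absent or empty in the assertion."""
    root = ET.fromstring(assertion_xml)
    present = set()
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if value and value.strip():
            present.add(attr.get("Name"))
    return [name for name in required if name not in present]


def issuer_matches(metadata_xml: str, assertion_xml: str) -> bool:
    """True when the assertion's Issuer equals the metadata entityID (the IdP Issuer ID)."""
    entity_id = ET.fromstring(metadata_xml).get("entityID")
    issuer = ET.fromstring(assertion_xml).findtext("saml:Issuer", namespaces=NS)
    return bool(entity_id) and issuer is not None and issuer.strip() == entity_id


if __name__ == "__main__":
    settings = idp_settings(SAMPLE_IDP_METADATA)
    print("IdP Issuer ID:", settings["IdP Issuer ID"])
    print("IdP SSO URL:", settings["IdP SSO URL"])
    print("missing attributes:", missing_attributes(SAMPLE_ASSERTION))
    print("issuer matches metadata:", issuer_matches(SAMPLE_IDP_METADATA, SAMPLE_ASSERTION))
```

The attribute check is a quick way to confirm the attribute statements were added under the exact names name and email (not, say, firstName or emailAddress) by running it over a test assertion captured from your IdP's test-login feature before the first real sign-in.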
By default, Semgrep creates new SSO accounts with the Member role assigned. You can change the default role assigned to a new user by going to Settings > Access.
If you're an admin setting up SSO, and Semgrep creates an SSO account for you with the role of Member, you can elevate the permissions granted to your SSO account. To do so, log in to Semgrep with your admin account using the original login method, then change the role of your newly created SSO account to Admin.
Turn off sign in with GitHub / GitLab
If you have SSO enabled, you can turn off login using GitHub or GitLab credentials. Doing so forces members of your organization to log in using an email address with an approved domain.
- Sign in to your Semgrep account.
- Navigate to Settings > Access > Login methods.
- GitHub users: Click the GitHub SSO toggle to turn off logins using GitHub.
- GitLab users: Click the GitLab SSO toggle to turn off logins using GitLab.
Ensure that you have at least one user who can log in through SSO before disabling sign in with GitHub or GitLab.