Single sign-on (SSO) configuration
Prerequisites
- You have gained the necessary resource access and permissions required for deployment.
- You have created a Semgrep account and organization.
- For GitHub and GitLab users: You have connected your source code manager.
This article walks you through single sign-on (SSO) configuration. Semgrep supports SSO through OpenID Connect / OAuth 2.0 and SAML 2.0.
After setting up SSO, users are provisioned and managed on your IdP. Semgrep grants access to the deployment to any user at the configured domain who logs in and has the correct permissions in the IdP.
OpenID Connect / OAuth 2.0
Semgrep AppSec Platform does not support using OpenID with Microsoft Entra ID. Follow the instructions to set up SAML SSO with Microsoft Entra ID instead.
To set up SSO in Semgrep AppSec Platform:
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Access > Login methods.
- In the Single sign-on (SSO) section, provide a valid Email domain, then click Initialize.
- The Configure Single Sign-On dialog appears. Begin by selecting your identity provider, or choose Custom OIDC.
- Follow the instructions provided on the subsequent Configure Single Sign-On dialog pages to complete this process. When you've completed the required steps, verify that the Connection details shown on the Connection activated screen are correct, and use Test sign-in to test the connection.
- To use the new connection, log out of Semgrep, then log back in using SSO.
If you encounter issues during the setup process, please reach out to support for assistance.
SAML 2.0
If you're using Google Workspace SAML, see SAML Single Sign-on with Google Workspace for specific guidance.
SAML 2.0 is configured through Semgrep AppSec Platform. To set up SSO:
- Create a SAML app with your authentication provider.
- With your authentication provider, add two attribute statements: name and email.
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Access > Login methods.
- In the Single sign-on (SSO) section, provide a valid Email domain, then click Initialize.
- The Configure Single Sign-On dialog appears to guide you through the remaining configuration steps. Begin by selecting your identity provider, or choose Custom SAML.
- Follow the instructions provided on the subsequent Configure Single Sign-On dialog pages to complete this process. When you've completed the required steps, verify that the Connection details shown on the Connection activated screen are correct, and use Test sign-in to test the connection.
- To use the new connection, log out of Semgrep, then log back in using SSO.
If you encounter issues during the setup process, reach out to support for assistance.
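Before using Test sign-in, it can help to inspect a test assertion from your IdP for the two attribute statements the steps above require. The following Python is an added example, not Semgrep's code; the attribute names `name` and `email` come from the steps above, while the sample assertion and the domain `example.com` are constructed.

```python
# Added example (not Semgrep's code): check that a SAML assertion carries the
# two attribute statements this page asks for ("name" and "email") and that the
# email belongs to the email domain configured in Semgrep.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("name", "email")


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: first AttributeValue} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        if attr.get("Name") and values and values[0].text:
            attrs[attr.get("Name")] = values[0].text.strip()
    return attrs


def check_assertion(assertion_xml: str, allowed_domain: str) -> list:
    """Return a list of problems; an empty list means the assertion looks right."""
    attrs = extract_attributes(assertion_xml)
    problems = [f"missing attribute statement: {a}" for a in REQUIRED_ATTRIBUTES if a not in attrs]
    email = attrs.get("email")
    if email is not None:
        # Only the part after the last "@" is compared with the configured domain.
        domain = email.rpartition("@")[2].lower()
        if domain != allowed_domain.lower():
            problems.append(f"email domain {domain!r} is not the configured domain {allowed_domain!r}")
    return problems


# Constructed sample assertion (not from a real IdP); signature and Subject omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "example.com") or "attribute statements look correct")
```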
By default, Semgrep creates new SSO accounts with the Member role assigned. You can change the default role assigned to a new user by going to Settings > Access > Defaults.
If you're an admin setting up SSO, and Semgrep creates an SSO account for you with the role of Member, you can elevate the permissions granted to your SSO account. To do so, log in to Semgrep with your admin account using the original login method, then change the role of your newly created SSO account to Admin.
Turn off sign-in with GitHub / GitLab
If you have SSO enabled, you can turn off login using GitHub or GitLab credentials. Doing so forces members of your organization to log in using an email address with an approved domain.
- Sign in to your Semgrep account.
- Navigate to Settings > Access > Login methods.
- GitHub users: Click the GitHub SSO toggle to turn off logins using GitHub.
- GitLab users: Click the GitLab SSO toggle to turn off logins using GitLab.
Ensure that you have at least one user who can log in as an admin through SSO before disabling sign-in with GitHub or GitLab.