Single Sign-On Configuration

Plug in your SAML Identity Provider (IdP) to authenticate and provision users in your domain in Bugfender

Written by Jordi Giménez
Updated over a week ago

Bugfender can establish a trust relationship with your Identity Provider for a given domain. Users can use your company's Single Sign-On system and seamlessly work with Bugfender without needing a password.

For example, if your domain is yourcompany.com, Bugfender can trust your SSO system to authenticate all emails in the @yourcompany.com domain.

Supported software

Bugfender works with all SAML-enabled Identity Providers, including:

  • Okta

  • Ping Identity

  • Shibboleth

  • Active Directory

  • JumpCloud

If your SAML provider is not listed here, don't worry; chances are it is supported anyway. There are a million implementations of SAML, each one with its own quirks! 😉 Contact us and we will be happy to test it together with you.

Mandatory or Optional

Logging in with your Identity Provider can be mandatory or optional:

  • Mandatory: useful if you want to establish your Identity Provider as the source of truth for who is able to log in to your company's resources.

  • Optional: useful as an alternative to password login and while testing your Identity Provider integration. In this mode, password login still works, and therefore someone who has been removed from your Identity Provider will still have access to the account via password.

Automatic provisioning and de-provisioning

When a user from your domain creates an account in Bugfender, it will be linked with your Identity Provider automatically. However, this will not grant any additional permissions automatically. If you want to collaborate with someone on a team, you still must invite them and specify the permissions you want for them.

If you make logging in with your Identity Provider mandatory, users de-provisioned from your Identity Provider will not be able to log in to Bugfender either.

SAML Setup

If you would like to authenticate your domain with SAML, please get in touch with us. You will need to provide the following information:

  • The name of the domain(s) you want to authenticate with SAML, for example, yourcompany.com.

  • The SAML metadata URL of your Identity Provider.

During the setup of your Identity Provider you will need the metadata URL of Bugfender: https://dashboard.bugfender.com/saml

Once you provide this information, we'll go through the following steps together:

  • Verify the ownership of the domain

  • Set up the SAML connection between your Identity Provider and Bugfender

  • Test the login using the Identity Provider

  • (Optionally) Make your Identity Provider the authoritative source for logins on your domain, removing the possibility of logging in by any other means

Attribute mappings

Bugfender requires SAML responses to assert:

  • The user's email address, one of:

    • Email

    • urn:oid:0.9.2342.19200300.100.1.3

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • The user's name, one of:

    • urn:oid:2.16.840.1.113730.3.1.241

    • FirstName and LastName

    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    • http://schemas.microsoft.com/identity/claims/displayname
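
A pre-flight check for these mappings, as an added example (not Bugfender's code): it inspects a decoded assertion captured from your own IdP's test login and reports which required attributes are missing or fall outside the SSO domain. It assumes SAML 2.0 assertions and treats the `nameid-format:emailAddress` entry as the `Format` of the `NameID` element; the function names and sample users are hypothetical, and the check does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Attribute names accepted for the email address (from the list above).
EMAIL_ATTRS = {"Email", "urn:oid:0.9.2342.19200300.100.1.3", CLAIMS + "emailaddress"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # assumed: NameID Format
# Each inner set is one accepted way of asserting the user's name.
NAME_OPTIONS = [
    {"urn:oid:2.16.840.1.113730.3.1.241"},
    {"FirstName", "LastName"},
    {CLAIMS + "givenname", CLAIMS + "surname"},
    {"http://schemas.microsoft.com/identity/claims/displayname"},
]

def check_assertion(xml_text, domain):
    """Return a list of problems; an empty list means the mapping looks complete."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    emails = [attrs[n] for n in EMAIL_ATTRS if attrs.get(n)]
    nameid = root.find(".//saml:NameID", NS)
    if nameid is not None and nameid.get("Format") == EMAIL_NAMEID and nameid.text:
        emails.append(nameid.text.strip())
    problems = []
    if not emails:
        problems.append("no accepted email attribute or emailAddress NameID")
    for e in emails:
        if not e.lower().endswith("@" + domain.lower()):
            problems.append(f"email {e} is outside {domain}")
    if not any(all(attrs.get(n) for n in opt) for opt in NAME_OPTIONS):
        problems.append("no accepted name attribute (or only half of a first/last pair)")
    return problems

def _sample(attrs):
    """Build a constructed, unsigned assertion for the demo."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")

# Constructed samples: a complete mapping, and one using an unlisted "mail" attribute.
GOOD = _sample({"Email": "ana@yourcompany.com", "FirstName": "Ana", "LastName": "Pons"})
BAD = _sample({"mail": "ana@example.org", "FirstName": "Ana"})

if __name__ == "__main__":
    print(check_assertion(GOOD, "yourcompany.com"))
    print(check_assertion(BAD, "yourcompany.com"))
```
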

Attribute mappings for Ping Identity

Please set up the mappings like this:

Bindings setup for JumpCloud

Please configure your IdP to accept HTTP-Redirect bindings. HTTP-POST bindings are not supported at the moment (they might be eventually).
