Okta - OIDC

ProEnterprise

This information only applies to organizations on the Pro and Enterprise plans.

Buf's SSO integration supports the following SAML features:

The steps below must be carried out by an Okta administrator for your organization.

Prerequisites

Setup (Pro | Enterprise) needs to be complete. You need to know your private BSR server domain (for example, example.buf.dev or buf.example.com) for the steps below.

Sign in to your Okta organization.
Navigate to Applications > Applications and click Create App Integration.
For Sign-in method, select OIDC - OpenID Connect.
For Application type, select Web Application.

Under General Settings, give the integration an App name like "Buf Schema Registry" or "Buf". This should be something meaningful to your users.
Under Grant type, make sure to check Refresh Token.
Next, provide the callback URL. This will depend on the domain you provided.
- Sign-in redirect URIs will be https://buf.example.com/oauth2/callback
- Sign-out redirect URIs will be https://buf.example.com/logout
Support for logout will be available in an upcoming release, but we suggest configuring this now so it works seamlessly when enabled. If you require Application Single Logout, contact Support or your Buf representative.

Note that Buf provisions users Just-in-Time based on the email address.
In the Assignments section, select which users or groups of users should have access to this Buf instance.

To set up or update your BSR server's SSO configuration:

Go to the Settings page for your OIDC integration.
In another tab, go to the SSO Configuration page at http://<BSR_SERVER>/<ORGANIZATION>/pro-settings.
From the SSO Provider dropdown, choose OIDC.
Copy and paste the client ID, client secret, and the issuer URL (the Okta domain from your OIDC settings) and enter an optional logout URL.
Click Update.