SSO, authentication, and user provisioning

Provisioning new users via single sign-on (SSO)

Authentication to Snyk

Why use single sign-on

You can take advantage of your company's existing identity management systems, and have employees sign in to Snyk using their corporate identity. This makes provisioning Snyk to users easier. It also allows for deeper integration for group and organization membership, role-based access, and more.

Snyk can integrate with any SAML-based and OpenID Connect (OIDC)-based SSO, as well as ADFS. You can also use your Enterprise Identity Provider for SSO, including Azure AD and Google G Suite.

The sign-on and provisioning process

With SSO configured, users are provisioned with a new Snyk account when they first sign on through SSO, even if they previously created their own account.

The sign on process includes these steps:

  1. When a user selects SSO from Snyk.io to log in, they are redirected to (and authenticated) by the identity provider you requested.
  2. The identity provider communicates this authentication to Snyk servers, sending relevant data to Snyk in order to create each user.
  3. Snyk checks the directory for that user.
  4. If the user is already configured, Snyk enables the appropriate access. For a new user, Snyk adds the user to the directory, and then redirects them to Snyk.io with the appropriate access.

Automatic provisioning options

Determine how new users in your organization get access to Snyk:

  • Open to all - allows all users in your domain to access Snyk either as an administrator or a collaborator
  • Invitation required - allows users in your domain to access Snyk, but they must be invited to specific organizations (or request an invitation)
  • Custom (only available for Enterprise plan accounts) - allows users to be provisioned and mapped to specific organizations

For more information on implementing the Custom mapping option, visit the Snyk User Docs article Custom Mapping Option.

SSO setup process

Overview of the SSO setup process

Set up single sign-on to allow your developers and teams easy access to Snyk through your existing SSO provider, so they can see the status of their projects, view reports, resolve vulnerabilities, and more.

Ensure you have at least one group and organization to indicate where new users will be assigned.

You'll need to establish trust between Snyk and your identity provider. The information required depends on which type of SSO you are using.

To establish trust between your identity provider and Snyk, you'll need to provide your identity provider with information about Snyk and share information about your identify provider with Snyk to finalize the connection.

Self-serve SSO set up (SAML)

When using SAML, you can complete the single sign-on set up in Snyk using the Group Settings page.

Working with Snyk for SSO set up

Not using SAML?

If self-serve SSO set up is not available for your identity provider, you'll work with Snyk to set up the authentication and provisioning. There are three basic steps:

  1. Set up Snyk in your identity provider.
  2. Collect details about your identity provider to provide to Snyk.
  3. Create a support ticket with Snyk.

To get specific details required for each type of identity provider, visit the Snyk User Docs article for setting up SSO.

Congratulations

Congrats! You learned about the options for providing new users access to your Snyk account. You are now prepared to set up your single sign-on access.