Supported protocols

  • SAML 2.0
  • OpenID Connect

Before you can start using single sign-on for CodeSignal you will need to contact [email protected] to configure it for your account and enable it for users who will need to use it.


SAML 2.0

Supported Flows

  • Single sign-on initiated by the Identity Provider
  • Single sign-on initiated by the Service Provider

The following values need to be provided in order to configure single sign-on with SAML 2.0:

  • SAML 2.0 Endpoint: This is the URL of your Identity Provider that will be used to log in to CodeSignal.
  • Identity Provider Issuer: This is the Entity ID of your Identity Provider that will be used to identify your organization on CodeSignal.
  • X.509 Certificate: This is the certificate provided by your Identity Provider; its public key is used to verify the signature on SAML responses.

Here are the values that you might need to configure your single sign-on application:

Additionally, please provide a list of user emails for whom you want single sign-on to be enabled if you don't want to enable it for all users in your CodeSignal account.

Configuring nameID

CodeSignal uses urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress as the nameID format. When configuring nameID on the Identity Provider, its value must match the email address of a CodeSignal user who belongs to the account you are configuring it for.

Note: Make sure that nameID remains in sync when you are making changes to user profiles in your Identity Provider. If a user's nameID does not match their CodeSignal email address, they will not be able to sign in to CodeSignal with single sign-on.

Bindings

CodeSignal uses the HTTP-POST binding (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST).
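The two requirements above (emailAddress nameID that matches a CodeSignal user, delivered over the HTTP-POST binding) are easy to get subtly wrong on the Identity Provider side. The following Python is an added example, not CodeSignal's code: it decodes a constructed SAMLResponse form value as the HTTP-POST binding delivers it, checks the Issuer against the configured Identity Provider Issuer, and maps the NameID to an SSO-enabled user, rejecting the cases the note above warns about. The issuer URL, user list and XML are hypothetical, and the XML signature is omitted; the block assumes signature verification against the configured X.509 certificate has already passed and covers only the subject-to-user mapping.

```python
import base64
from xml.etree import ElementTree as ET  # use defusedxml for untrusted XML in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"

# Constructed settings (hypothetical): the Identity Provider Issuer (Entity ID)
# entered in the SSO configuration and the users single sign-on is enabled for.
IDP_ISSUER = "https://idp.example.com/saml/metadata"
SSO_USERS = {"alice@example.com", "bob@example.com"}

# Constructed SAML Response as it arrives, base64-encoded in the SAMLResponse
# form field, via the HTTP-POST binding. No ds:Signature element: this block
# assumes signature verification against the configured X.509 certificate has
# already passed (e.g. via xmlsec) before the mapping below runs.
SAML_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">Alice@Example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def encode_post_binding(xml: str) -> str:
    """Produce the SAMLResponse form field value used by the HTTP-POST binding."""
    return base64.b64encode(xml.encode()).decode()


def map_saml_subject(saml_response_b64: str, idp_issuer: str, sso_users: set) -> str:
    """Return the CodeSignal email the assertion maps to, or raise ValueError."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_issuer:
        raise ValueError(f"issuer {issuer!r} does not match the configured Identity Provider Issuer")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("assertion carries no NameID")
    fmt = name_id.get("Format")
    if fmt != EMAIL_FORMAT:
        raise ValueError(f"NameID format {fmt!r} is not emailAddress")
    # Assumption: email addresses compare case-insensitively; match your account's rules.
    email = (name_id.text or "").strip().lower()
    if email not in sso_users:
        raise ValueError(f"{email} is not an SSO-enabled user on this account")
    return email
```

A NameID in persistent or unspecified format, or an email that exists in the Identity Provider but not in the CodeSignal account, fails at the mapping step even though the assertion is otherwise valid, which is the symptom described in the note above.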


OpenID Connect

Supported Flows

  • Single sign-on initiated by the Service Provider

The following values need to be provided in order to configure single sign-on with OpenID Connect:

  • Authorize Endpoint: This is the endpoint URI on your Authorization Server that will be used to obtain the authorization code. For example - https://dev-410330.oktapreview.com/oauth2/default/v1/authorize
  • Token Endpoint: This is the endpoint URI on your Authorization Server that will be used to retrieve access and ID tokens in exchange for the authorization code. For example - https://dev-410330.oktapreview.com/oauth2/default/v1/token
  • Client ID: This is the public identifier of the client that will be used for OAuth flows.
  • Client Secret: This is the secret that is used when exchanging the authorization code for a token.

In addition, one of the following needs to be provided so that the ID token signature can be verified:

  • RS256 Public Key: This is the public key of the public/private key pair that is used to generate the JWT signature using RSA Signature with SHA-256. It can be supplied either as a file or as a URL from which the public key can be fetched.
  • JWKS Endpoint URI: This is a JSON Web Key Set endpoint that returns a JSON object representing a set of keys, in which the public key is located by the kid from the JWT header. For example - https://dev-410330.oktapreview.com/oauth2/default/v1/keys
  • HS256 Secret Key: This is a secret key that is used to generate the JWT signature using HMAC with SHA-256. Note that HS256 is a shared-secret scheme: anyone holding the secret can mint valid ID tokens, so prefer the RS256 or JWKS options where your provider supports them.

Here are the values that you might need to configure your single sign-on application:

CodeSignal will request access to the following scopes:

  • openid
  • profile
  • email
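To make the Service-Provider-initiated flow above concrete, here is an added Python example, not CodeSignal's code: it builds the redirect to the Authorize Endpoint with the three scopes listed, builds the back-channel request to the Token Endpoint, selects a signing key from a JWKS document by kid, and validates an ID token signed with the HS256 Secret Key option, fixing the algorithm from configuration rather than trusting the token header. All endpoint URLs, the client ID and secret, the redirect URI, the HS256 secret and the JWKS contents are hypothetical; RS256 verification itself is left to a crypto library and only the kid lookup is shown.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed configuration standing in for the values listed on this page.
# Every name and value here is hypothetical; none comes from CodeSignal.
AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/default/v1/authorize"
TOKEN_ENDPOINT = "https://idp.example.com/oauth2/default/v1/token"
ISSUER = "https://idp.example.com/oauth2/default"        # expected 'iss' claim
CLIENT_ID = "0oaexampleclientid"
CLIENT_SECRET = "example-client-secret"                   # hypothetical
REDIRECT_URI = "https://sp.example.com/sso/oidc/callback"  # assumed callback
HS256_SECRET = b"example-shared-hs256-secret"             # hypothetical
SCOPES = "openid profile email"

# Constructed JWKS document of the kind served at the JWKS Endpoint URI.
# The RSA parameters are placeholders, not a real key.
JWKS = {"keys": [
    {"kty": "RSA", "kid": "key-2023", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus-1", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-2024", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus-2", "e": "AQAB"},
]}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url(state: str, nonce: str) -> str:
    """Step 1: redirect the browser to the Authorize Endpoint.
    state ties the callback to this browser session; nonce ties the ID token to it."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPES,
              "state": state, "nonce": nonce}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_token_request(code: str) -> str:
    """Step 2: form body POSTed server-side to TOKEN_ENDPOINT over TLS.
    The client secret only ever travels in this back-channel request."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET})


def select_jwk(jwks: dict, kid: str) -> dict:
    """JWKS option: pick the signing key whose kid matches the JWT header.
    Exactly one match is required; RSA verification needs a crypto library."""
    matches = [k for k in jwks["keys"] if k.get("kid") == kid and k.get("use", "sig") == "sig"]
    if len(matches) != 1:
        raise ValueError(f"expected one signing key with kid {kid!r}, found {len(matches)}")
    return matches[0]


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 ID token the way the provider would (test fixture only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, secret: bytes, expected_nonce: str, now=None) -> str:
    """Step 3: validate the ID token (HS256 Secret Key option); return the email claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The algorithm is fixed by configuration, never read from the token: honouring
    # the header's alg is what lets 'alg: none' and RS256/HS256 key-confusion
    # tokens through. Verify the signature before trusting any claim.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("email"):
        raise ValueError("no email claim; was the email scope granted?")
    return claims["email"]
```

The email claim only appears in the ID token when the email scope is granted, which is why it is in the scope list above; a provider that drops that scope produces a token that verifies but cannot be mapped to a user.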