Configure Single Sign-On
Enterprise requires OpenID Connect (OIDC) for authentication, for example with Identity Providers (IdP) such as Google, Okta, Azure AD (Microsoft Entra ID) and AWS Cognito.
General instructions
You will need to create a configuration with your Identity Provider and provide the “redirect URI” you can copy from this screen.
Once you’ve created your Identity Provider configuration, you should copy and paste the Issuer URL, Client ID and Client Secret values on this screen.
Clicking “Verify SSO Configuration” will ensure that validity of the values by authenticating your account. If successful, your user will be created and configured with the “owner” role. Subsequent users that log in will be granted the default “member” role.
Restrict Available Accounts in Your Identity Providers
Gitpod allows you to restrict which accounts can sign in to your Gitpod installation. This is achieved by configuring a claims CEL expression
(syntax of CEL), which is evaluated when a user logs in. This feature is particularly useful for restricting access to specific teams, groups, or email domains. It can:
- Avoid security risks for certain SaaS Identity Providers (IdPs), such as SaaS GitLab, where any GitLab account can be used to verify OIDC applications under any groups or accounts.
- Restrict access to only certain members (e.g., specific teams), preventing unnecessary accounts in your Gitpod installation.
Here are examples of CEL expressions:
(SaaS GitLab) Limit users to people who is a direct member of group, example group name
gitpod-team
'gitpod-team' in claims.groups_direct
(SaaS GitLab) Limit users to people who is a direct member of multiple groups, example group name
gitpod-team
andgitpod-team-2/sub_group
'gitpod-team' in claims.groups_direct && 'gitpod-team-2/sub_group' in claims.groups_direct
Limit users by email ends with
@gitpod.io
claims.email_verified && claims.email.endsWith('@gitpod.io')
Identity Provider specific instructions
Let us go through a detailed walk through of how to setup of how to setup SSO in various identity providers:
Okta
As prerequisites, you will need the following:
- Access to your Okta instance
- Permission to create an app integration
Creating a Gitpod SSO Integration
On the Okta Admin dashboard, navigate to Applications
Select
Create App Integration
Select the following options and click
Next
- Sign-in method:
OIDC - Open ID Connect
- Application type:
Web Application
- Sign-in method:
Specify General Settings
- App integration name:
Gitpod
(or choose your own name) - Sign-in redirect URIs: copy this value from your Gitpod setup screen (see details above under “General instructions”)
- Sign-out redirect URIs:
none
- Trusted Origins:
none
- Assignments: choose option appropriate to your organization
- App integration name:
Obtain Client ID & Client Secret
Continue with Gitpod SSO Configuration verification: Clicking “Verify SSO Configuration”
As prerequisites you will need the following:
- Access to setup a new API Credentials in your GCP Account
Creating a Gitpod SSO Integration
Navigate to your Google Cloud Console, API Credentials
Select Create Credentials, and choose OAuth client ID
Configure your OAuth Client ID, by specifying the Authorized Redirect URIs. You will be able to find it on the setup page.
Obtain the Client ID & Client Secret and input these into your Gitpod Setup page
Set Provider’s Issuer URL to
https://accounts.google.com
Proceed to verify the integration on the Gitpod setup page: Clicking “Verify SSO Configuration”
Azure AD (Microsoft Entra ID)
As prerequisites you will need the following:
- Access to Azure Directory, to Register an Application
Creating a Gitpod SSO Integration
Navigate to your Azure portal > App Registrations
Select New Registration
Name your application - e.g. Gitpod
Select supported account types depending on your organizational needs. Most likely you want Accounts in this organizational directory only
Copy the redirect URL from the Gitpod SSO setup page and set it as the Redirect URI, selecting Web as the application type
From the App Registration Overview, you should obtain the Application (client) ID and copy it into your Gitpod SSO setup page
Create a client secret - navigate to Certificates & Secrets, click New client secret
Name the secret, and set expiry according to your needs.
📌 Once the client secret expires, you (nor anyone else in your organization) will be able to log in to Gitpod. You will need to update the SSO configuration (secret) to continue using SSO.
Obtain the Secret Value and copy into into the Gitpod SSO Client Secret input field
Grant the application access to OpenId
email
,openid
andprofile
information- Navigate to API Permissions
- Select Microsoft Graph
- Enable
OpenId.email
,OpenId.openid
andOpenid.profile
- Once saved, your configured permissions should look as follows:
Obtain the Provider URL
- Navigate to your App Registration > Overview
- Click endpoints
- Find the entry for
OpenID Connect metadata document
- Use the URL before the
.well-known/openid-configuration
segment,- For example:
https://login.microsoftonline.com/512571ea-9fc5-494e-a300-625b33c8efa6/v2.0/
- For example:
Proceed to Verify the SSO configuration on the Github SSO setup page: : Clicking “Verify SSO Configuration”
AWS Cognito
Choose this option if you already use AWS Cognito. AWS Cognito is also a good option in a testing or Proof of Value (PoV) scenario where you don’t have an IDP you can easily integrate with. In this scenario, most settings should be left at their defaults.
Follow the Cognito User Pool setup process, then copy the necessary values into the Gitpod SSO Configuration UI
- Navigate to the Cognito page in the AWS console. Select create user pool:
- Configure sign-in experience:
- Select
Cognito user pool
as provider type - Select email as the Cognito user pool signin option
- Configure Security requirements:
- For development purposes, consider modifying the MFA enforcment policy to not require MFA. For all production use cases, configure the MFA and user account recovery sections according to organizational guidelines
- Configure sign-up experience:
- Disable Self Registration if you want to limit access. For example, if your instance is accessible on the public internet, you may not want anyone to be able to self-register.
::WARN> In the
Required Attributes
section, ensure that name is selected:
- Disable Self Registration if you want to limit access. For example, if your instance is accessible on the public internet, you may not want anyone to be able to self-register.
::WARN> In the
- Configure Message Delivery:
- For dev Setups, use Cognito as the email provider; for production setups, use company SES setup
- Integrate your app:
- Follow company best practice for most settings
- Ensure to select
Generate a client secret
in the Client secret section: - Define the call back url as provided by the Enterprise instance in the Configure single sign-on setup page (see above):
- As the identity provider, select
Cognito
(under Advanced app client settings) - OAuth 2.0 grant types, select
Auth Code Grant
- Under OpenID Connect Scopes, select
OpenID
,Email
,Profile
:
- Now create the cognito user pool. The review page should look similar to this:
- Start pasting the necessary values into the Gitpod SSO setup page. Navigate to:
https://cognito-idp.<insert_region>.amazonaws.com/<insert_user_pool_id>/.well-known/openid-configuration
This will return a web page with raw json data:
- Copy the
issuer URL
highlighted above into the respective field on the Gitpod SSO setup page
- Navigate to the Cognito console, and find the User pool created above. Navigate to the App client meta data as below:
- Copy the
Client ID
from the Cognito app client page into the respective field on the Gitpod SSO setup page - Copy the
Client Secret
into the respective field on the Gitpod SSO setup page
- Proceed to Verify the SSO configuration on the Github SSO setup page by clicking “Verify SSO Configuration”
Self-hosted GitLab
As prerequisites you will need the following:
- Admin Permission of your Self-hosted GitLab
Creating a Gitpod SSO Integration
Navigate to your GitLab instance’s applications settings page. eg:
https://gitlab-demo.gitpod.io/admin/applications
.Click on the
New application
button.Specify General Settings and Save application.
- Name: Gitpod
- Redirect URI: copy this value from your Gitpod setup screen (see details above under “General instructions”)
- Confidential: Yes
- Expire access tokens: Yes
- Scopes: select
read_user
,openid
,profile
andemail
Obtain Client ID & Client Secret
Continue with Gitpod SSO Configuration verification: Clicking “Verify SSO Configuration”
SaaS GitLab
Security note: To avoid everyone has a GitLab account to sign up in your Gitpod installation, you must restrict
claims
with CEL expression (syntax of CEL). More details see step 6.
Creating a Gitpod SSO Integration
Navigate to your SaaS GitLab group’s applications settings page. eg:
https://gitlab.com/groups/<group_name>/-/settings/applications
.Click on the
Add new application
button.Specify General Settings and Save application.
- Name: Gitpod
- Redirect URI: copy this value from your Gitpod setup screen (see details above under “General instructions”)
- Confidential: Yes
- Expire access tokens: Yes
- Scopes: select
read_user
,openid
,profile
andemail
Obtain Client ID & Client Secret
Continue with Gitpod SSO Configuration verification: Clicking “Verify SSO Configuration”
Restrict with CEL expression. More available keys see OIDC document on GitLab
Security note: To avoid everyone has a GitLab account to sign up in your Gitpod installation, you must restrict
claims
with CEL expression (syntax of CEL)
- Limit users to people who is a direct member of group, example group name
gitpod-team
'gitpod-team' in claims.groups_direct
- Limit users to people who is a direct member of multiple groups, example group name
gitpod-team
andgitpod-team-2/sub_group
'gitpod-team' in claims.groups_direct && 'gitpod-team-2/sub_group' in claims.groups_direct
- Limit users by email ends with
@gitpod.io
claims.email_verified && claims.email.endsWith('@gitpod.io')