Add SAML SSO to domain
The SAML SSO feature allows customers to use their own Identity Provider to authenticate users in Bugfender. This is useful for companies that want to manage their users through their own authentication system. SSO works on a per-domain basis, so we do not modify anything in the teams table: all users from a configured domain are redirected to the Identity Provider to authenticate. To set up SAML SSO for a domain, follow these steps.
The client will need to provide:
- Domain name to link to their account
- Metadata URL of the Identity Provider
The SAML SSO protocol only takes care of authentication. Authorization is still managed by Bugfender: the user must already exist in Bugfender before they can authenticate, so a team owner has to invite the user in Bugfender before they can log in with SAML SSO.
The same applies when a user is deleted from the Identity Provider: the customer will also need to remove the user from Bugfender.
Step 1: Verify domain name ownership
- Ask the customer to add a domain verification record to their DNS zone, like this:
  - `TXT "bugfender-saml-delegation=123456"`
- Wait for the DNS record to propagate
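One way to check the verification record once the customer says it is published, as an added example (this is not Bugfender's own tooling). The record format is the one above; the sample TXT records and the domain name are constructed, and the live lookup assumes the `dnspython` package is installed. The check is a full-string comparison on purpose: a prefix or substring match would accept a token issued for a different domain.

```python
import re

# Record format the customer publishes (from the page):
#   TXT "bugfender-saml-delegation=123456"
DELEGATION_RE = re.compile(r"^bugfender-saml-delegation=([0-9A-Za-z_-]+)$")

# Constructed sample of what a resolver returns for a domain's TXT records
# (quotes already stripped); the neighbouring records are made up.
SAMPLE_TXT_RECORDS = [
    "v=spf1 include:_spf.example.net -all",
    "google-site-verification=constructed-placeholder",
    "bugfender-saml-delegation=123456",
]


def parse_delegation_tokens(txt_records):
    """Return every delegation token present among a domain's TXT strings.

    Unrelated records (SPF, other site verifications) are skipped rather than
    treated as errors, because a real zone will always contain some.
    """
    tokens = []
    for record in txt_records:
        match = DELEGATION_RE.match(record.strip())
        if match:
            tokens.append(match.group(1))
    return tokens


def verify_delegation(txt_records, expected_token):
    """True only if the exact token issued for this domain is published.

    Full-string, case-sensitive comparison: a prefix or substring match would
    accept a token issued for a different domain or customer.
    """
    return expected_token in parse_delegation_tokens(txt_records)


def lookup_txt(domain):
    """Live lookup using dnspython (assumed dependency: pip install dnspython).

    One TXT rdata may be split into several <=255-byte strings; join them
    before matching.
    """
    import dns.resolver  # imported here so the offline helpers work without it
    answers = dns.resolver.resolve(domain, "TXT")
    return ["".join(part.decode() for part in rdata.strings) for rdata in answers]


if __name__ == "__main__":
    print(verify_delegation(SAMPLE_TXT_RECORDS, "123456"))  # True
    # Live check against the customer's zone (example.com is a placeholder):
    # print(verify_delegation(lookup_txt("example.com"), "123456"))
```

If `verify_delegation` returns False right after the customer added the record, that is usually propagation rather than a wrong value; re-run the lookup after the zone's TTL has passed before asking them to recheck the record.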
Step 2: Add the Identity Provider
- Open the metadata URL and get the Identity Provider's Entity ID
- Add it to the `saml_idp_trust` table in MySQL
- Add the domain name to the `saml_domain_trust` table
- Start with `restrict_to_saml=0`
With `restrict_to_saml=0`, all users in the domain can log in either with SAML or with email/password. Note that this also means a user removed from the Identity Provider can still log in with their password until they are removed from Bugfender.
Step 3: Restrict login to SAML (optional)
If you want to restrict login to SAML only:
- Edit the `saml_domain_trust` entry and set `restrict_to_saml=1`
This disables email/password login for every user in the domain, so confirm that a SAML login from the domain already works before changing it.