Set up SSO (Pro)
SSO access is an enterprise feature only available in the professional or custom package.
This article explains how to set up single-sign-on with AWS SSO and CodeShield. The process is straightforward and does not take more than 10-15 minutes.
With an external identity provider for single-sign-on to CodeShield, employees can be assigned to the CodeShield app and log in with their usual company credentials. Having set up SSO also allows all users from the same identity provider to work together in CodeShield by optionally sharing projects and scans with each other.
As we employ the SAML 2.0 (Security Assertion Markup Language 2.0) standard, it's possible to use any SAML-based identity provider (like Azure AD or Salesforce) to set up single-sign-on with CodeShield. If you want to connect a different identity provider than AWS SSO, just let us know and we are happy to assist you!
AWS SSO
1. Go to AWS SSO.
2. Click on Applications in the left pane and then select Add application in the Applications configuration.
3. Choose Add custom SAML 2.0 application.
4. Give the application a name (like CodeShield). Leave the page open, as you will need the URL to the IAM Identity Center SAML metadata file soon.
5. Log into your CodeShield account (if you do not have a CodeShield account yet, create one first). This will be your management account. You will be able to disconnect the SAML identity provider and manage user access to all connected accounts from here later.
6. Click on your user icon in the bottom-left corner and select SSO settings.
7. Paste the IAM Identity Center SAML metadata file URL from step 4 into the corresponding field. Click Connect IDP to connect your identity provider.
8. After a few seconds, you will be presented with the data to fill back into the AWS SSO application setup page from step 4. Make sure to leave the current page open.
9. Go back to the AWS SSO application setup page and fill in the Application start URL, Application ACS URL, and Application SAML audience with the values proposed by CodeShield in step 8. Submit the form.
10. Now that AWS SSO is connected with CodeShield, you can assign the users that should be able to access CodeShield with AWS SSO. In the Application settings, click on Assign Users.
11. Select the Users or Groups that should be able to access CodeShield and click Assign Users.
12. Lastly, you have to add Attribute mappings to the application. Click on Actions in the application settings, and then on Edit attribute mappings.
13. Configure the mappings as shown in the image below. Use `${user:subject}` as the value for the Subject and add another mapping for `email` with the value `${user:email}`. (This will communicate a subject ID and the user's email to CodeShield once the user signs in.)
14. The setup is complete. Every user assigned to the CodeShield application in AWS SSO will now be able to sign in to CodeShield over the usual AWS SSO access portal.
Note that users have to log in once before they are registered at CodeShield. This is a restriction of AWS SSO: CodeShield has no way to see which users are assigned to it before AWS SSO communicates their user data at their first login.
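To make the service-provider side of steps 9 and 13 concrete, here is an added example (not CodeShield's or AWS's code) that checks a SAML response against the ACS URL and audience a service provider would have handed out, and extracts the two mapped attributes. The ACS URL, audience and the sample response are constructed placeholders; signature verification is deliberately left to a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Placeholder service-provider values: stand-ins for the Application ACS URL and
# Application SAML audience that CodeShield proposes in step 8 (not real endpoints).
ACS_URL = "https://codeshield.example/saml/acs"
AUDIENCE = "urn:codeshield:example-sp"

# Constructed sample response, shaped like what AWS SSO sends once the step 13
# mappings are in place (Subject -> ${user:subject}, email -> ${user:email}).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Subject><saml:NameID>9a8b7c6d-subject</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_assertion(xml_text: str, acs_url: str, audience: str) -> dict:
    """Return {'subject', 'email'} if the assertion is addressed to this SP and
    carries both mapped attributes; raise ValueError otherwise. The XML signature
    must already have been verified by the SAML library before trusting this."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element")
    # Audience must equal the Application SAML audience entered in step 9.
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    # Bearer confirmation must name our ACS URL as the recipient.
    recipients = [d.get("Recipient")
                  for d in assertion.findall(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        raise ValueError(f"recipient mismatch: {recipients}")
    # Both step-13 mappings must be present, or the user cannot be registered.
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    email = assertion.findtext(".//saml:Attribute[@Name='email']/saml:AttributeValue",
                               default="", namespaces=NS)
    if not subject or not email:
        raise ValueError("Subject or email attribute mapping missing")
    return {"subject": subject, "email": email}
```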
Access management
Every user of the same identity provider can edit which other users should be able to access the user's own account connections (and the scans belonging to them) on the SSO settings page. The page can be reached as described in steps 5-6 of the previous section.
The admin user, who owns the management account, has full control over all users and their connected accounts, and can thus also edit access rights for account connections they did not set up themselves.