SAML/SSO
Keygen uses WorkOS to offer SAML/SSO to Keygen Cloud customers on an Ent tier. SSO is currently not available on our Std tiers. To get set up, or discuss upgrading to an Ent tier, please reach out or contact your account manager. Once set up, you will be provided with instructions on how to integrate your IdP with WorkOS. SSO supports JIT-provisioning of users, as well as group-based access controls, configured via your WorkOS Portal.
SSO enables your organization to authenticate with Keygen using an Identity Provider such as Okta or OneLogin, instead of using an email and password.
You will be able to configure your internal group mapping to Keygen's internal roles and permissions from within your WorkOS Portal.
In addition, the following options are available for all accounts using SSO:
Option | Description |
---|---|
SSO domains | Your organization's domains that will trigger SSO, i.e. any user with an email matching one of these domains will be required to authenticate via SSO. |
SSO session duration | How long authenticated sessions will last before expiring. Sessions are extended when in use until they reach a max age. Default session duration is 12 hours, with a max age of 2 weeks. |
JIT user provisioning | Allow unknown users to automatically register themselves after authenticating via the IdP, using your configured default role or group mapping. This is disabled by default. |
External authentication | Allow users from outside of your organization, e.g. users identified by an email outside of one of your domains, to authenticate via SSO. This is disabled by default. |
Once SSO is enabled, all admins must log in via SSO, regardless of domain.