Authentication via SAML

To enable Single Sign-On (SSO) via SAML on Garden Cloud, first create an Application (Okta calls it an Integration) on your identity provider, then configure Garden Cloud to authenticate users through it.

Currently we support two SSO providers, Azure Active Directory and Okta, and we will be adding more in the future. If you have specific requirements or requests, please contact your Garden customer success representative.

How to create a new Application

Setting up a new Enterprise Application on Azure

  1. To set up SAML authentication with Azure Active Directory, open your organization's Azure Portal at https://portal.azure.com/.

  2. Select Enterprise applications and create a new one by clicking New application in the top menu. On the next screen, click Create your own application.

  3. Choose a valid name for your application and select Integrate any other application you don't find in the gallery (Non-gallery).

  4. Once the application is created, choose which users and groups may use it by clicking the Get started link in the 1. Assign users and groups panel.

  5. Add the desired users and groups.

  6. Once access is configured, return to the application overview page and click the Get started link in the 2. Set up single sign on panel.

  7. Select SAML as the single sign-on method.

  8. Edit the Basic SAML Configuration and set the Identifier (Entity ID) and the Reply URL (Assertion Consumer Service URL) to the values for your Garden Cloud instance. These are the same two values that Okta calls Audience URI (SP Entity ID) and Single sign on URL.

  9. In the SAML Certificates panel, download the Certificate (Base64) (this is the SSO certificate; not the Raw download) and copy the Login URL (this is the SSO Entry Point). You'll need both later.

Setting up a new Integration on Okta

  1. From your Organization page, open the list of applications and select Create App Integration.

  2. Select SAML 2.0.

  3. Give your new integration a valid name.

  4. Enter the Single sign on URL and the Audience URI (SP Entity ID) for your Garden Cloud instance, then continue.

    Note: set Name ID format to EmailAddress and Application username to Email. Garden Cloud identifies users by email (see User management below), so the NameID must carry the user's email address.

  5. Once the setup is complete, a new panel highlighted in yellow lets you view the SAML configuration. Click View Setup Instructions.

  6. Copy the Identity Provider Single Sign-On URL (the SSO Entry Point) and the X.509 Certificate (the SSO certificate). You'll need both later.

  7. Finally, grant access by assigning users and groups to the integration.

How to configure Garden Cloud

If you are an On-Prem customer (you deploy Garden Cloud via Replicated), change your configuration as follows:

  • Select Enable SSO.

  • Add the SSO certificate obtained in the previous steps (step 9 for Azure, step 6 for Okta).

  • Add the SSO Entry Point obtained in the previous steps (step 9 for Azure, step 6 for Okta).

  • Save the configuration and re-deploy.

If you use a Garden Cloud managed instance, contact your customer success representative and we'll get you set up as soon as possible. We will need the same two values (SSO certificate and SSO Entry Point).
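A common failure at this step is pasting the wrong artifact: the Raw certificate download from Azure instead of the Base64 (PEM) one, a certificate that is about to expire, or an entry point that is not HTTPS. The script below is an added example (it is not Garden's code and not part of this page's procedure) that checks the two values before you hand them over. It assumes the SSO certificate as PEM text and the SSO Entry Point as a URL, uses only the Python standard library (a small DER walk to reach the certificate's validity window, and SHA-256 over the DER bytes, which is the thumbprint your IdP console displays), and builds a constructed, unsigned placeholder certificate so it runs offline; `idp.example.com` is a hypothetical host.

```python
"""Sanity-check the SSO certificate and SSO Entry Point before configuring Garden Cloud.
Added example, not Garden's code. Standard library only."""
import base64
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """UTCTime (0x17) is YYMMDDHHMMSSZ, GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _validity(der):
    """Certificate -> TBSCertificate -> validity; returns (not_before, not_after)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs = next(_children(cert))                     # TBSCertificate is the first child
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    _, validity = fields[3]                            # serial, sigAlg, issuer, validity
    (t1, nb), (t2, na) = _children(validity)
    return _parse_time(t1, nb), _parse_time(t2, na)


def check_sso_certificate(pem, now=None):
    """Return {'sha256', 'not_before', 'not_after', 'problems'}; empty problems means usable."""
    now = now or datetime.now(timezone.utc)
    m = PEM_RE.search(pem)
    if not m:
        return {"problems": ["not a PEM certificate (no BEGIN/END CERTIFICATE lines); "
                             "on Azure download Certificate (Base64), not Certificate (Raw)"]}
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return {"problems": ["PEM body is not valid base64"]}
    if not der or der[0] != 0x30:
        return {"problems": ["decoded body is not a DER SEQUENCE"]}
    not_before, not_after = _validity(der)
    problems = []
    if now < not_before:
        problems.append(f"certificate not valid before {not_before:%Y-%m-%d}")
    if now > not_after:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days < 30:
        problems.append(f"certificate expires within 30 days ({not_after:%Y-%m-%d}); rotate it on the IdP first")
    return {"sha256": hashlib.sha256(der).hexdigest(), "not_before": not_before,
            "not_after": not_after, "problems": problems}


def check_sso_entry_point(url):
    """Browsers are redirected here with the AuthnRequest, so it must be an HTTPS URL with a host."""
    u = urlparse(url)
    problems = []
    if u.scheme != "https":
        problems.append("SSO Entry Point must use https")
    if not u.netloc:
        problems.append("SSO Entry Point has no host")
    return problems


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def sample_pem(not_before=b"240101000000Z", not_after=b"260101000000Z"):
    """Constructed stand-in with the X.509 field order the checker walks. It is NOT a real
    IdP certificate: names and key are empty and the signature is all zeros."""
    sha256_rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))        # 1.2.840.113549.1.1.11
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                     # version v3
               + _der(0x02, b"\x01")                                     # serialNumber
               + _der(0x30, sha256_rsa) + _der(0x30, b"")                # signature, issuer
               + _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))  # validity
               + _der(0x30, b"") + _der(0x30, b""))                      # subject, SPKI placeholder
    cert = _der(0x30, tbs + _der(0x30, sha256_rsa) + _der(0x03, b"\x00" * 9))
    body = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    report = check_sso_certificate(sample_pem())
    print(report["sha256"], report["not_after"], report["problems"])
    print(check_sso_entry_point("https://idp.example.com/sso/saml"))   # hypothetical entry point
```

Run it against the file you downloaded and the URL you copied, and compare the printed SHA-256 with the thumbprint shown in the Azure or Okta console; a mismatch means you exported a different certificate than the one the IdP signs assertions with. The check deliberately stops at the validity window and fingerprint; it does not verify the certificate chain, because IdP signing certificates are typically self-signed and are trusted by being configured explicitly, exactly as this page does.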

User management when using SSO via SAML

Once SSO via SAML is configured, make sure your Garden Cloud users can actually log in. A user can log in only if their Garden Cloud account has a valid email address that matches the email they use to log in at the SSO provider.

You can quickly tell whether a user lacks a valid email on their account from the Team page.

Importing users from GitHub

If you import users from GitHub, make sure that every user, previously imported or new, has a valid email next to their name on the Team page, and that it is the same email they log in with at your SSO provider.

When importing users from GitHub, Garden Cloud automatically fetches the primary email of the GitHub account. A user may have chosen a primary email different from their workplace address (the one used to log in with the SSO provider), or may not have granted API access to their email at all.

In either case, you will need to edit the user's email field manually.
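To see why the NameID format (the Okta note above) and the Team page emails matter together, here is an added example, not Garden's code, that models the matching step: it reads the NameID and its Format from a SAML response and looks it up, case-insensitively, in a roster shaped like the Team page. The roster and the SAML response are constructed here; the users (Ada, Grace, Linus) and `example.com` are hypothetical. Only the NameID is parsed; verifying the response signature against the SSO certificate is the service provider's job and is not shown.

```python
"""Match a SAML NameID against a Garden Cloud-style team roster.
Added example, not Garden's code; roster and SAML response are constructed."""
import xml.etree.ElementTree as ET  # for untrusted responses prefer defusedxml (entity expansion)

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed roster: Grace's GitHub primary email is a personal address, not the
# work address she logs in with; Linus exposed no email through the GitHub API.
TEAM = [
    {"name": "Ada", "github": "ada-dev", "email": "ada@example.com"},
    {"name": "Grace", "github": "grace", "email": "grace.personal@example.net"},
    {"name": "Linus", "github": "linus", "email": None},
]


def saml_response(name_id, fmt=EMAIL_FORMAT):
    """Constructed, unsigned SAML Response carrying only the elements this check reads."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="{fmt}">{name_id}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_name_id(xml_text):
    """Return the NameID text; reject assertions whose NameID is not an email address."""
    root = ET.fromstring(xml_text)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion has no NameID")
    fmt = node.get("Format", "")
    if fmt != EMAIL_FORMAT:
        raise ValueError(f"NameID Format is {fmt or 'unset'}; set Name ID format to EmailAddress on the IdP")
    return node.text.strip()


def match_user(team, name_id):
    """Case-insensitive match of the NameID against the roster's email column."""
    wanted = name_id.strip().lower()
    for user in team:
        if user["email"] and user["email"].lower() == wanted:
            return user
    return None


def roster_problems(team):
    """Users the Team page would flag: no email means they can never be matched."""
    return [f"{u['name']} ({u['github']}) has no email on the Team page" for u in team if not u["email"]]


def login_check(team, xml_text):
    """Outcome of one SSO login against the roster, as a short status string."""
    try:
        name_id = extract_name_id(xml_text)
    except ValueError as e:
        return f"rejected: {e}"
    user = match_user(team, name_id)
    if user is None:
        return f"rejected: no Garden Cloud user with email {name_id}; edit that user's email field"
    return f"ok: {user['name']}"


if __name__ == "__main__":
    for p in roster_problems(TEAM):
        print(p)
    for who in ("Ada@Example.com", "grace@example.com"):
        print(who, "->", login_check(TEAM, saml_response(who)))
```

Grace's login is rejected even though she is on the team, because the imported GitHub primary email is not the address the IdP put in the NameID; fixing the email field on the Team page is what makes the match succeed. Linus is reported before anyone logs in, which is the check to run right after a GitHub import.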
