Single Sign-On (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

Supported Protocols

Bytebase supports three SSO protocols:
  • OAuth 2.0 — Authorization protocol. Bytebase gets a token and fetches your profile from the provider. Good for providers that don’t support OIDC (e.g. GitHub).
  • OpenID Connect (OIDC) — Identity layer built on top of OAuth 2.0. Adds a standardized ID token so Bytebase gets user info directly. Preferred when available.
  • LDAP — Directory lookup protocol. Bytebase queries a user directory directly with username/password. No browser redirects involved.

Authentication Flow

There are two ways SSO authentication can start:
  • SP-Initiated (default) — User visits Bytebase, clicks “Sign in with X”, gets redirected to the identity provider, then back to Bytebase after authentication.
  • IdP-Initiated — User clicks the Bytebase tile directly from their identity provider’s dashboard (e.g. Okta portal) and lands in Bytebase already authenticated. Works with OAuth 2.0 and OIDC providers.

User & Group Provisioning (SCIM)

SSO handles authentication (who is this person), but not provisioning (creating/updating/deactivating accounts). For automatic user and group provisioning, Bytebase supports SCIM 2.0 with Entra ID and Okta.
SCIM requires the IdP to communicate with Bytebase over HTTP. LDAP does not support SCIM — if you need SCIM with a provider like Microsoft Entra ID, you must configure SSO via OIDC or OAuth 2.0, not LDAP.

Which Protocol to Use

| Identity Provider | Recommended Protocol | SCIM | Notes |
|---|---|---|---|
| Google | OIDC | | Also available via OAuth 2.0 |
| GitHub | OAuth 2.0 | | GitHub does not support OIDC |
| GitLab | OIDC | | Also available via OAuth 2.0 |
| Microsoft Entra ID (Azure AD) | OIDC | Yes | Also available via OAuth 2.0 |
| Okta | OIDC | Yes | Also available via LDAP (no SCIM) |
| Keycloak | OIDC | | |
| Casdoor | OIDC | | |
| Authing | OIDC | | |
| JumpCloud | LDAP | | |

Prerequisites

Configure External URL.

Create SSO provider

As a Workspace Admin, you can create an SSO provider by following the steps below:
  1. In Workspace, go to IAM & Admin -> SSO from the left sidebar.
  2. Click Create to start creating the SSO provider.
  3. Fill in all the required fields.
  4. Click Test Connection at the bottom left.
  5. If the connection succeeds, click Update at the bottom right.

Sign in with SSO

Bytebase employs JIT (Just-In-Time) user provisioning. It will create the user the first time the user signs in.
Once a valid SSO has been created, you can choose to sign in with the configured SSO provider.

Enforce SSO Sign-in

As a Workspace Admin, you can enforce SSO sign-in for all users in the Workspace. In Workspace, go to Settings > General, scroll down to the Account section, and switch on Disallow signin with email & password. Users can then only sign in with SSO.
Afterwards, when a user tries to sign in, the only option is to sign in with the configured SSO provider.
In case of emergency, the admin can log in by navigating to <YOUR_URL>/auth/admin and entering the email and password.