How to set up SSO with SAML based IdP to access CloudBees services?


As a CloudBees customer you want to setup the authentication for hosted services using SSO with a SAML based identity provider (SAML IdP).


The SAML integration requires at the minimum an Enterprise level subscription to a CloudBees service/product.


How to setup the Identity Provider?

There are various Identity Providers that support SAML 2.0 and their setup is specific to each of them.

If required you can build the XML metadata of a SAML Service Provider with a service like this one:

Optional settings are:

It will give you a file like this one (Don’t use this one which is a sample with an expired validity date):

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="" />
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     index="1" />
       <md:OrganizationName xml:lang="en-US">cloudbees</md:OrganizationName>
       <md:OrganizationDisplayName xml:lang="en-US">CloudBees Inc.</md:OrganizationDisplayName>
       <md:OrganizationURL xml:lang="en-US"></md:OrganizationURL>
    <md:ContactPerson contactType="support">
        <md:GivenName>CloudBees Support</md:GivenName>

The required URLs may differ depending on the IdP in use:

You’ll find more documentation below about SAML 2.0 IdPs and their integration with CloudBees:

How to setup an organization with CloudBees?

1/ As an administrator of your cloudbees organization log into

2/ Click on the Organization button on the left.


3/ Click on SAML SSO button (on the right)


4/ Fill in the details as below


  • Login URL: The endpoint of your SAML Identity Provider.
  • Provision user: Select true if you want visitors (non existent users) with an email address matching your Email domains to be added as new users to your CloudBees organization, this is in accordance with this SAML setup.
  • X.509 Certificate: Input your x509 certificate (public key) generated by your SAML identity provider.
  • Email domains: Specify the comma separated list of domains for which SAML login process should be triggered.
    • Note: each domain will need to have a TXT record in the format of cloudbees-domain-verification:0123456789abcdef0123456789abcdef01234567 for verification of domain ownership (See step 6 below)

5/ Click Create button

6/ If all goes well you will see a Retry button showing the validation key in the format cloudbees-domain-verification:0123456789abcdef0123456789abcdef01234567 this key will need to added as DNS TXT record.

7/ After the DNS TXT record with above mentioned key has been added click on Retry button, this will validate the domain ownership. Note: there may be an up to 24 hour delay between your record being created and it validating with CloudBees.

8/ If domain ownership has been validated you are all set to use SAML Login process and your SAML configuration should show Certificate Fingerprint instead of the actual X509 certificate.

Have more questions? Submit a request


Please sign in to leave a comment.