Single Sign-On (SSO) Support

SSO integration was introduced in CodeTogether 4.0 and is currently available only for On-Premises installations.

Scope of SSO Integration

CodeTogether integrates with SSO providers that support the OpenID Connect protocol—this includes providers like Okta, Azure AD, Microsoft AD FS and Auth0 among others.

SSO support in CodeTogether is straightforward: once it is configured on your on-premises install, users will be allowed CodeTogether access only if they've been authorized by your provider. Unauthorized users will be able neither to host nor to join any sessions running on your server.

At this time, the only SSO integration we support is the ability to log in and log out. SSO groups and other similar constructs are not synchronized with CodeTogether teams, or any other CodeTogether functionality.

Configuration

Setting Up Your SSO Provider

When integrating CodeTogether as a new application in your SSO provider you will need to configure the following common OIDC properties:

Property               Value
Login redirect URI     CT_SERVER_URL/sso/authorization-code/callback
Logout redirect URI    CT_SERVER_URL/sso/logout
Allowed Grant Types    – Client Credentials enabled
                       – Authorization Code enabled
                       – Refresh Token enabled

CT_SERVER_URL must be the externally visible name of your on-premises server, using the HTTPS protocol, e.g. https://codetogether.acme.com
You will already have configured this variable while setting up your container.

Setting Up Your CodeTogether Server

To have CodeTogether integrate with the SSO application you created in the step above, you need to configure the following environment variables. These are in addition to the standard environment variables defined in our on-premises installation guide.

Environment Variable and Description

CT_SSO_AUTHORIZATION_ENDPT
    The URL of your authorization server.
    Example: https://{OKTA_DOMAIN}/oauth2/default
    The presence of this variable signals to CodeTogether that SSO is enabled. If not defined, all variables below are ignored.
CT_SSO_TOKEN_ENDPT
    An optional URL to the authorization server endpoint that provides refresh tokens.
    Example: https://{OKTA_DOMAIN}/oauth2/default/v1/token
    If not specified, the CodeTogether edge server will require the user to sign on for each new client connection.
CT_SSO_CLIENT_ID
    Unique ID assigned by the SSO provider to the CodeTogether SSO application.
CT_SSO_CLIENT_SECRET
    Private key assigned by the SSO provider to the CodeTogether SSO application.
CT_SSO_PROVIDER
    Optional: Can be either OKTA or MICROSOFT.
    If you're using another provider, please omit this variable.

Please see Appendix A: Configuring an Okta Application for CodeTogether Authorization, for additional details. The configuration process will be similar in all SSO providers.
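
A pre-flight check for the variables above, as an added example that is not part of CodeTogether: it derives the two redirect URIs to register with the provider and reports settings that conflict with the table. The function name, the sample values, the requirement that both client variables be set, and the HTTPS check on the endpoints are assumptions of this example.

```python
from urllib.parse import urlsplit

ALLOWED_PROVIDERS = {"OKTA", "MICROSOFT"}  # the two values the table lists

def check_sso_env(env):
    """Return (redirect_uris, problems) for a dict of container variables."""
    problems = []
    server = env.get("CT_SERVER_URL", "").rstrip("/")
    parts = urlsplit(server)
    if parts.scheme != "https" or not parts.hostname:
        problems.append("CT_SERVER_URL must be an externally visible https:// URL")
    # Values to register with the SSO provider as login/logout redirect URIs.
    uris = {"login": server + "/sso/authorization-code/callback",
            "logout": server + "/sso/logout"}
    if not env.get("CT_SSO_AUTHORIZATION_ENDPT"):
        # SSO is off without this variable; every other CT_SSO_* value is ignored.
        ignored = sorted(k for k in env if k.startswith("CT_SSO_") and env[k])
        if ignored:
            problems.append("SSO disabled, ignoring: " + ", ".join(ignored))
        return uris, problems
    for name in ("CT_SSO_AUTHORIZATION_ENDPT", "CT_SSO_TOKEN_ENDPT"):
        # Assumption: endpoints are https, as in the page's examples.
        if env.get(name) and urlsplit(env[name]).scheme != "https":
            problems.append(name + " should be an https:// URL")
    for name in ("CT_SSO_CLIENT_ID", "CT_SSO_CLIENT_SECRET"):
        if not env.get(name):  # assumption: both are needed once SSO is enabled
            problems.append(name + " is not set")
    if not env.get("CT_SSO_TOKEN_ENDPT"):
        problems.append("CT_SSO_TOKEN_ENDPT unset: sign-on repeats for each new client connection")
    provider = env.get("CT_SSO_PROVIDER")
    if provider is not None and provider not in ALLOWED_PROVIDERS:
        problems.append("CT_SSO_PROVIDER must be OKTA or MICROSOFT, or be omitted")
    return uris, problems

# Constructed sample values; idp.example.com and the client values are placeholders.
SAMPLE_ENV = {
    "CT_SERVER_URL": "https://codetogether.acme.com",
    "CT_SSO_AUTHORIZATION_ENDPT": "https://idp.example.com/oauth2/default",
    "CT_SSO_CLIENT_ID": "example-client-id",
    "CT_SSO_CLIENT_SECRET": "example-client-secret",
    "CT_SSO_PROVIDER": "AUTH0",  # not an accepted value: should be omitted
}

if __name__ == "__main__":
    uris, problems = check_sso_env(SAMPLE_ENV)
    print(uris)
    print("\n".join(problems))
```

In real use, pass os.environ (or the parsed container environment file) instead of SAMPLE_ENV.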

Using CodeTogether with SSO

The first time you use CodeTogether, you will be asked to authenticate with your organization’s single sign-on service.

Click connect to be taken to your provider’s login page, where you can authenticate as required.


CodeTogether view after logging in

SSO FAQ

  1. How long will a user stay logged in?
    CodeTogether authenticates the user in each IDE session. Refresh tokens, if available, are used to refresh auth data and keep the user logged in without having to sign in again. How long this lasts depends on how your SSO administrator configures the lifetime of refresh tokens.
  2. What info does CodeTogether SSO Integration access?
    CodeTogether accesses minimal information, as defined by the following OIDC scopes: openid, profile, off_line
  3. How do I find the Token endpoint URL (CT_SSO_TOKEN_ENDPT)?
    For this URL and other configuration details, look for the token_endpoint property in the provider’s discovery document: CT_SSO_AUTHORIZATION_ENDPT/.well-known/openid-configuration
    Following are examples of discovery document paths:
    https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
    https://dev-83772425.okta.com/oauth2/default/.well-known/openid-configuration
    https://login.microsoftonline.com/9e67eb9a-b109-4066-a505-bf770af1bdb0/v2.0/.well-known/openid-configuration
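
The lookup described in question 3, as an added example that is not part of CodeTogether: it builds the discovery URL from CT_SSO_AUTHORIZATION_ENDPT, reads token_endpoint from the document, and flags an issuer or grant-type mismatch before the value goes into CT_SSO_TOKEN_ENDPT. The function names and the sample document (idp.example.com) are constructed for illustration.

```python
import json

# OAuth grant_type identifiers for the three grant types enabled in the provider.
REQUIRED_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}

def discovery_url(authorization_endpt):
    """Discovery document location for a given CT_SSO_AUTHORIZATION_ENDPT."""
    return authorization_endpt.rstrip("/") + "/.well-known/openid-configuration"

def token_endpoint_from_discovery(authorization_endpt, document_text):
    """Return (token_endpoint, warnings) from the text of a discovery document."""
    doc = json.loads(document_text)
    endpoint = doc.get("token_endpoint")
    if not isinstance(endpoint, str) or not endpoint.startswith("https://"):
        raise ValueError("token_endpoint missing or not an https:// URL")
    warnings = []
    # OIDC Discovery expects the issuer to equal the URL the document was found
    # under. Reported as a warning, not an error, because multi-tenant endpoints
    # can publish a templated issuer.
    issuer = str(doc.get("issuer", ""))
    if issuer.rstrip("/") != authorization_endpt.rstrip("/"):
        warnings.append("issuer %r differs from CT_SSO_AUTHORIZATION_ENDPT" % issuer)
    # grant_types_supported is optional; the spec default applies when absent.
    grants = set(doc.get("grant_types_supported", ["authorization_code", "implicit"]))
    missing = sorted(REQUIRED_GRANTS - grants)
    if missing:
        warnings.append("provider does not advertise grant types: " + ", ".join(missing))
    return endpoint, warnings

# Constructed discovery document; a real one is fetched from discovery_url(...).
SAMPLE_ENDPT = "https://idp.example.com/oauth2/default"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/oauth2/default",
    "authorization_endpoint": "https://idp.example.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/default/v1/token",
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
})

if __name__ == "__main__":
    print(discovery_url(SAMPLE_ENDPT))
    print(token_endpoint_from_discovery(SAMPLE_ENDPT, SAMPLE_DISCOVERY))
```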

Appendix A: Configuring an Okta Application for CodeTogether Authorization

This section will walk you through the creation of an SSO application in Okta – where you specify CodeTogether URLs to configure the application, and pick up endpoint URLs and properties to plug back into your CodeTogether container configuration.

Even as we step through this process with Okta, the process and properties will be quite similar for other SSO providers as well.

  1. Add and then Create a new Okta Application
  2. Give your application a suitable name, select Web as the platform and OpenID Connect as the sign on method.
  3. Specify the Login and Logout redirect URI as described in the configuration section and click Save.
  4. Your application will now be created, and you can copy the Client ID and Client Secret from the Client Credentials section.
  5. Edit the General Settings and ensure you set the required Application grant types and Save these changes. Your SSO application is now ready for CodeTogether integration.