Documentation menu

SSO

Last updated on Disponible en Français

✅ Only Enterprise plans support SSO integration. If you’d like to upgrade your plan to enable SSO, please reach out to our sales team.

CoderPad supports SSO integrations using the SAML protocol with Okta, Microsoft Azure, and Google Workspace. SSO can also be combined with User Provisioning through the SCIM protocol.

Prerequisites for activating SSO on your CoderPad account:

  • You must have admin rights for your CoderPad Interview account.
  • You must have identified the proper person at your end who will be able to implement the required configuration changes on your SSO provider account, i.e. your system administrator.

✅ Account-wide failure to login may occur for your users during the configuration process. Reversing the SSO activation on the account can be done at any time if the configuration fails.

ℹ️ At any time, even when the SSO configuration is active, it is possible for an admin to log into the account using email and password credentials as long as the option to enforce SSO is not active

Supported SSO features

The CoderPad Okta integration supports SP-initiated and IdP-initiated SSO logins.

It does not currently support Just-In-Time (JIT) provisioning or Single Logout.

Supported SCIM features

The following SCIM operations are supported:

  • Creating users
  • Updating user attributes (name, family name)
  • Deactivating users
  • Deprovisioning users
  • Group management (Creation / Renaming / Deletion / Assign to users)
  • Importing users in your Identity Provider
  • Importing groups in your Identity Provider

Step 1: Obtain SSO configuration values from CoderPad

To obtain the SSO values you’ll need to give to your SSO provider, you’ll first need to navigate to the Team Settings screen in CoderPad Interview by clicking on that option in the settings menu :gear:.

An arrow pointing to the "team settings" option in the settings menu drop down in the top right of the screen.

Then, scroll down to the Single Sign-On (SSO) section and click on Configure SSO.

A screen shot that says "Single sign-on (SSO)" with a "configure SSO" button below that.

This will open up the SSO configuration screen. In Step 1: Provide Identity Provider Metadata you’ll see the three values you’ll need for your SSO provider:

  • SP Entity ID
  • SP Assertion Consumer URL (Note: You won’t need this if you’re using Okta)
  • IDP Login URL
The "step 1: provide identity provider metadata" section with the SP entity id, sp assertion consumer url, and idp login url highlighted.

Step 2: Configure SSO Provider

We currently support the following SSO providers. Click on the provider link for instructions on how set up integration with CoderPad:

Okta

1. On Your Okta Applications page, click Browse App Catalog.

The image shows a screenshot of the Okta dashboard, specifically under the "Applications" section. A red arrow points to the "Browse App Catalog" button, which is next to the "Create App Integration" button. The left sidebar menu includes options like Dashboard, Directory, Customizations, and Applications, among others. The top-right corner displays a support email and the user account details.

2. On the App Integration Catalog page, search for CoderPad and select the one with the “SWA” label.

The image shows a screenshot of the "Browse App Integration Catalog" page on Okta. On the left side, there is a "Use Case" menu listing categories like All Integrations, Apps for Good, Automation, Centralized Logging, Directory and HR Sync, and more. The main section shows a search bar with the query "CoderPad" entered, and below it, search results are displayed. A red arrow points to the "CoderPad" app listed under the search results. The right side of the screen has a "Create New App" button at the top.

3. Click Add Integration.

The image shows a screenshot of the CoderPad app integration page on Okta. At the top right, a red arrow points to a blue button labeled "Add Integration," with the text "Last updated: February 11, 2021" above it. Below, the CoderPad logo and name are displayed, along with a "SWA" tag indicating its functionality. The section below provides details, with "Okta Verified" indicating the integration has been tested and verified by Okta. The overview describes CoderPad as the best tool for conducting programming phone screen interviews. Additional information includes the use case "Single Sign-On" and functionality "SWA."

4. In Sign-On Options, select SAML 2.0.

The image shows a screenshot of the "Add CoderPad" page in Okta, specifically in the "Sign-On Options" tab. The section is titled "Sign-On Options: Required." It explains that the sign-on method determines how a user signs in and manages their credentials for an application. Several sign-on methods are listed under "Secure Web Authentication," including "User sets username and password," "Administrator sets username and password," and others. A red arrow points to the "SAML 2.0" option at the bottom of the list. The page includes additional instructions for configuring profile mapping.

5. Leave the Default Relay State field empty.

The image shows a screenshot of the SAML 2.0 configuration section in Okta. It includes fields for setting the "Default Relay State" and an optional section for "Attributes" with a link to learn more. A checkbox labeled "Disable Force Authentication" is checked, indicating that users will not be prompted to re-authenticate. There is a "Preview SAML" button for testing the configuration. The "Metadata details" section displays the "Metadata URL," with a URL provided and a "Copy" button next to it. A "More details" link is also present for additional configuration options.

6. In the Advanced Sign-on Settings, fill in the SP Entity ID, SP Assertion Consumer URL, and IDP Login URL you obtained from CoderPad. For the Application username format field, there are two options:

A) If your email addresses contain NO uppercase letters, then select Email.

The image shows a screenshot of the "Advanced Sign-on Settings" and "Credentials Details" sections in Okta for CoderPad. The "Advanced Sign-on Settings" section includes fields for "SP Entity ID" and "IDP Login URL," both of which are redacted with red boxes. The "Credentials Details" section includes a dropdown menu for selecting the "Application username format," which is set to "Email." Another dropdown menu labeled "Update application username on" is set to "Create and update." There is a checkbox option labeled "Allow users to securely see their password (Recommended)" which is unchecked. Below this is an informational box stating, "Password reveal is disabled, since this app is using SAML with no password." At the bottom, there are "Previous," "Cancel," and "Done" buttons.

B) If your user email contains any uppercases letters, CoderPad won’t be able to match the user and will result in a login error. Therefore, you have to change the Application username format to Custom, and in the value use String.toLowerCase(user.email).

The image shows a screenshot of the "Credentials Details" section in Okta. The "Application username format" is set to "Custom," and there is a text field containing the expression `String.toLowerCase(user.email)`. The text field is highlighted with a red box. Below the text field, there is a note stating, "To maintain security, do not use fields which can be edited by users."

7. Go to the Sign On tab, and copy the Metadata URL.

The image shows a screenshot of the CoderPad integration settings page in Okta. The top section displays the CoderPad logo, status (Active), and various action buttons like "View Logs" and "Monitor Imports." Below this, there are several tabs, including General, Sign On, Mobile, Provisioning, Import, Assignments, and Push Groups. The "Sign On" tab is selected, with a red arrow pointing to it. The main section includes "Settings" for sign-on methods, with options for "Secure Web Authentication" and "SAML 2.0." The "SAML 2.0" option is selected, showing fields for "Default Relay State," a checkbox for "Disable Force Authentication," and "Metadata details" with a "Metadata URL" and a "Copy" button next to it. On the right side, there is an "About" section explaining SAML 2.0, application username details, and a "View SAML setup instructions" button.

8. Paste the contents into CoderPad’s SSO configuration page.

The image shows a screenshot of the SAML configuration settings for CoderPad in Okta. The fields include: - **SP Entity ID**: `urn:amazon:cognito:sp:us-east-1_y3aJwInG6` with a copy button next to it. - **SP Assertion Consumer URL**: `https://cognito.coderpad.io/saml2/idpresponse` with a copy button next to it. - **IDP Login URL**: The URL is redacted with a black box, with a copy button next to it. - **Upload your SAML XML metadata file**: with a "Browse" button and text "No file selected." - **Or paste it here**: A text box contains SAML metadata information highlighted in a red box. Below these fields, there is a section labeled "Step 2: Customize Sign-In," which allows the user to choose a custom CoderPad subdomain for single sign-in, followed by a text box for entering the subdomain ending with ".coderpad.io."

9. You can use a custom CoderPad subdomain to test your SSO configuration.

✅If you encounter errors during login, it might be worth setting up a custom Okta integration instead of this standard one, especially if you use something else than user.email as user email in Okta.

Adding SCIM User Provisioning

1. After saving the SSO configuration & refreshing the page, scroll down and copy the SCIM Authentication Token.

The image shows a screenshot of the "Step 2: Customize Sign-In" section in Okta for CoderPad. It allows the user to choose a custom CoderPad subdomain for single sign-in, with the text box containing "coderpad_login" followed by ".coderpad.io." Below this, there are settings to set up SCIM alongside SSO, which include: - **SCIM Authentication Token**: A black box redacts the token. - **SCIM URL**: `https://scim.coderpad.io/acs` with a red box highlighting this information. The section also includes "Step 3: Make SSO Mandatory," with a checkbox labeled "Enforce SSO" checked. A note advises testing and confirming login via SSO with both an existing and new account before enabling this setting. At the bottom, there is a "Save" button.

2. Navigate back to the Okta app, go to the Provisioning tab, and click Configure API Integration.

The image shows a screenshot of the CoderPad integration settings page in Okta, specifically under the "Provisioning" tab, which is highlighted with a red arrow pointing to it. The main section indicates that provisioning is not enabled and provides a button labeled "Configure API Integration," which is pointed to by another red arrow. The section also includes a blue information box titled "CoderPad: Configuration Guide" stating that the provisioning certification is Okta Verified and that the integration is partner-built by CoderPad, with contact support information provided. At the bottom, it notes that the integration was last upgraded on April 29, 2024, at 1:16:00 PM. The footer includes links for Privacy, Status site, OK11 Cell (US), Version 2024.05.0 C, Download Okta Plugin, and Feedback.

3. Paste the SCIM Authentication Token you copied from CoderPad into the API Token field.

The image shows a screenshot of the CoderPad integration settings page in Okta, specifically under the "Provisioning" tab. The main section includes a blue information box titled "CoderPad: Configuration Guide," indicating the provisioning certification is Okta Verified and that the integration is partner-built by CoderPad, with contact support information provided. Below this, there is a green confirmation message stating "CoderPad was verified successfully!" and a checkbox labeled "Enable API integration," which is checked. An input field labeled "API Token" is shown with a red arrow pointing to it, and the token is masked with dots. Next to the input field, there is a button labeled "Test API Credentials." At the bottom, there is a "Save" button. The left sidebar menu includes options for Settings and Integration.

4. Click the Test API Credentials button to verify the credentials are correct, and then click Save.

5. Proceed to Step 3: Finish SSO configuration in CoderPad to finish up the SSO configuration.


Azure

1. Configure an Enterprise application in Azure AD corresponding to CoderPad by clicking Enterprise applications > + New application > + Create your own applications.

MS Azure AD admin center with arrow pointing to "enterprise applications" and "new application".
Applications page with "new application" button at top center of the page highlighted.
Azure AD gallery page with "create your own application" button highlighted.

❗Do not use the Microsoft Entra SAML Toolkit application — it doesn’t allow for SCIM configuration.

2. Enter Coderpad as the name of your app, select the Integrate any other application you don’t find in the gallery (Non-gallery) option, and click Create.

The "Create your own application" window is open. "coderpad" is entered as the name of the application and the "integrate any other application you don't find in the gallery) option is selected. The create button at the bottom is highlighted.

3. Select Single sign-on in the left navigation menu, and then SAML card from the gallery in the center.

The overview screen for the new application is shown with an arrow pointing to the "single sign-on" option in the left nav menu.
The single sign on screen is shown with the SAML card highlighted.

4. Click Edit on the Basic SAML Configuration section.

The "edit" button is highlighted in the "Basic saml configuration" box on the SAML-based sign-on screen.

5. Enter in the following information:

  • Identifier (Entity ID) = SP Entity ID
  • Add 2 Reply URL (Assertion Consumer Service URL):
    • IDP Login URL — make sure that the IDP Login URL Default box is checked!
    • SP Assertion Consumer URL
  • Sign on URL = IDP Login URL

Save the configuration. Here is what it should look like:

The basic saml configuration editing screen is shown. The first identifies is set as urn:amazon:cognito:sp:us-east-1_y3aJWInG6. The reply url is set as https://saml.coderpad.io/login?idp=XXXXXXX, and the default box is checked. The sign in url is set to the same url as the reply url.

6. Back on the SAML-based Sign-on page, click Edit on the Attributes & Claims section, and then select +Add new claim.

On the saml-based sign-on screen, the edit button is highlighted in the attributes and claims section. below that is the attributes and claims window and the "add new claim" button is highlighted.

Add the following in the Manage claim screen:

  • Name: User.Email
  • Source Attribute: user.userprincipalname
The Manage claim screen is shown. "User.Email" is shown in the Name field, Source is "Attribute", and Source attribute is set as user.userprincipalname.

✅ We expect that this field is filled with the exact same email as the one in CoderPad. If for some reasons that’s not the case, use another field that should correspond to the email in CoderPad (case sensitive).

Leave the other fields as-is, then click Save.

7. On the SAML Certificates section, download the Federation Metadata XML file.

The SAML certificates page with an arrow pointing to the download link for the federation metadata xml file.

8. Back on the CoderPad SSO Settings page, upload or paste the file into the respective input box.

The coderpad SSO settings screen is shown with the file selection and xml text box options shown.

9. Test the configuration: Ask one of your users to login through SSO to check that it is working before proceeding to the user provisioning steps.

Adding SCIM User Provisioning

Once SSO has been activated, User Provisioning can be turned on using the SCIM protocol:

1. From the Azure AD application, select Provisioning and then Get started:

The CodinGame provisioning page is shown with an arrow pointing to the provisioning option in the left nave. The "get started" button in the center of the page is highlighted.

2. Select Automatic provisioning mode

The provisioning mode dropdown menu is shown with an arrow pointing to the "automatic" option.

3. Add the following parameters:

  • Tenant URL = SCIM URL
  • Secret Token = SCIM Authentication Token
Admin credentials page with tenant url and secret token input fields displayed.

4. The Test Connection action should be working correctly at this point.

5. Edit the provisioning Mappings:

  • For Provision Azure Active Directory Groups, keep the default values:
    • Enabled: Yes
    • Target Object Actions: Create, Update, Delete
    • Attribute Mappings: display
    • Name, members
  • For Provision Azure Active Directory Users, update the Attribute Mappings:
    • Enabled: Yes
    • Target Object Actions: Create, Update, Delete
    • Attribute Mappings:
      • userPrincipalName = userName (i.e. the login email)
      • Switch([IsSoftDeleted]…) = active
      • givenName = name.givenName
      • surname = name.familyName

❗Make sure you clear the user attribute mapping before you update it. Any mapping with [type eq…] — i.e. addresses[type eq "work"].country — will make the SSO crash. The library we use doesn’t support payloads that include any value selection filters (like [type eq….]), so you will need to ensure they are removed.

6. Add users and groups to the application:

The "users and groups" page is shown with an arrow pointing to "users and groups" link in the left nav. At the top center of the screen the "Add user/group" button is highlighted.
  • Users added directly will be created with no permissions on your CoderPad Account
  • Groups allow to define a common set of permissions automatically set on the users of that group

7. From the provisioning menu:

  • Start the provisioning
  • Refresh & wait for “Current cycle status: Initial cycle completed”
Azure dashboard with "Overview" highlighted in the left nav menu and an arrow pointing to the "Start provisioning" button in the center of the screen.

8. Send a final request to the CoderPad support team specifying the permissions you require for each group attached to the Azure AD application.

9. From now on users added to your groups will be automatically created in CoderPad with the proper set of permissions.

10. Proceed to Step 3: Finish SSO configuration in CoderPad to finish up the SSO configuration.


Google Workspace

⚠️ Make sure your SAML certificates are up-to-date with Google! Expired certificates can cause you to be locked out of CoderPad.

1. Configure an “App” in Google Workspace corresponding to CoderPad : Admin > Apps > Web and mobile apps > Add App > Add custom SAML app

In the left nave the "apps" menu item is highlighted.
The apps menu has been expanded and the "web and mobile apps" sub-item is highlighted.
At the top of the screen the "Add app" tab is highlighted.
The "add app" menu has been expanded and the "add custom SAML app" menu item is highlighted.
  • Copy and send the following parameters to the CoderPad support team:
    • SSO URL
    • Entity ID
    • Certificate
  • Click Continue and enter the following configuration in the Service provider details panel:
    • ACS URL = SP Assertion Consumer URL
    • Entity ID = SP Entity ID
    • Leave the other fields unchanged
  • Click Continue and on the Attributes panel, click the ADD MAPPING button:
    • For the Google Directory attributes, select Primary email
    • For the App attributes, type User.Email
A mapping of the Primary email to User.email.

2. Click Finish

 3. Expand the User access panel of the newly created app and activate the service by selecting the ON for everyone option.

User access page with the expansion arrow highlighted.
Service status screen with the option "On for everyone" selected and highlighted.

4. For testing purposes, add the Google Workspace admin user used to configure SSO as a user of your CoderPad account.

5. Contact CoderPad support to schedule a real-time meeting between one of our engineers and your system administrator. During the meeting, CoderPad will activate SSO on your account, and you may then check that the Google Workspace admin user can indeed connect to CoderPad through SSO. Any final adjustments can be made during this call. As an alternative to a real-time meeting, you may just request activation of SSO by contacting support.

6. From now on, any user added to both the Google Workspace and the CoderPad account will be authenticated through Google Workspace.

7. Proceed to Step 3: Finish SSO configuration in CoderPad to finish up the SSO configuration.


Step 3: Finish SSO configuration in CoderPad

SSO Login Subdomain

Now that you’ve configured your IdP information, you’re able to customize your SSO login subdomain. This will give you a dedicated sign in page specifically for your organization.

Customize Sign-In with the set subdomain of "yourcompany.coderpad.io"


You should direct your users to use this subdomain for login; they’ll be greeted with a welcoming login screen specifically for SSO users to reduce confusion.

However, if one of your users accidentally attempts to login through other CoderPad pages – such as our homepage login button – we’ll redirect them to the correct location upon email input.

Mandatory SSO Enforcement

While we allow organizations to have both SSO and more traditional email/password user accounts, we recommend you enforce SSO login. The benefits of doing this are:

  • Simplification of organization-wide authentication
  • Reduced/simplified IT support requests
  • Ability to add security precautions (such as 2FA)

To make SSO mandatory, simply select the Enforce SSO checkbox in the step 3 section.

Table of Contents