> ## Documentation Index
> Fetch the complete documentation index at: https://ona.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure SSO

Enterprise requires OpenID Connect (OIDC) for authentication, for example with Identity Providers (IdP) such as Google, Okta, Azure AD (Microsoft Entra ID) and AWS Cognito.

## General instructions

* You will need to create a configuration with your Identity Provider and provide the “redirect URI” you can copy from this screen.
* Once you’ve created your Identity Provider configuration, you should copy and paste the Issuer URL, Client ID and Client Secret values on this screen.
* Clicking “Verify SSO Configuration” will ensure that validity of the values by authenticating your account. If successful, your user will be created and configured with the “owner” role. Subsequent users that log in will be granted the default “member” role.

  <Frame caption="Configure Single Sign-on">
    <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/configure-sso-gitpod.webp?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=016691aedd9c776f1d47a725661be1ed" width="2682" height="1892" data-path="images/docs/gitpod-dedicated/guides/getting-started/configure-sso-gitpod.webp" />
  </Frame>

## Restrict Available Accounts in Your Identity Providers

Gitpod allows you to restrict which accounts can sign in to your Gitpod installation. This is achieved by configuring a `claims CEL expression` ([syntax of CEL](https://github.com/google/cel-spec/blob/master/doc/langdef.md#syntax)), which is evaluated when a user logs in. This feature is particularly useful for restricting access to specific teams, groups, or email domains. It can:

* **Avoid security risks** for certain SaaS Identity Providers (IdPs), such as **SaaS GitLab**, where any GitLab account can be used to verify OIDC applications under any groups or accounts.
* Restrict access to only certain members (e.g., specific teams), preventing unnecessary accounts in your Gitpod installation.

Here are examples of CEL expressions:

* (SaaS GitLab) Limit users to people who is a direct member of group, example group name `gitpod-team`
  ```
  'gitpod-team' in claims.groups_direct
  ```

* (SaaS GitLab) Limit users to people who is a direct member of multiple groups, example group name `gitpod-team` and `gitpod-team-2/sub_group`

  ```
  'gitpod-team' in claims.groups_direct && 'gitpod-team-2/sub_group' in claims.groups_direct
  ```

* Limit users by email ends with `@gitpod.io`
  ```
  claims.email_verified && claims.email.endsWith('@gitpod.io')
  ```

## Identity Provider specific instructions

Below are detailed step-by-step instructions for configuring Single Sign-On (SSO) with various identity providers. Each section provides specific guidance for that provider's unique setup process and requirements:

* **[Okta](#okta)**
* **[Google](#google)**
* **[Azure AD (Microsoft Entra ID)](#azure-ad-microsoft-entra-id)**
* **[AWS Cognito](#aws-cognito)**
* **[Self-hosted GitLab](#self-hosted-gitlab)**
* **[SaaS GitLab](#saas-gitlab)**

***

### Okta

As *prerequisites*, you will need the following:

* Access to your Okta instance
* Permission to create an [app integration](https://help.okta.com/oie/en-us/Content/Topics/Apps/apps-overview-get-started.htm)

*Creating a Gitpod SSO Integration*

1. On the Okta Admin dashboard, navigate to Applications

2. Select `Create App Integration`

   <Frame caption="Applications - Okta Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/6IUfxpogdvMHxYsN/images/docs/gitpod-dedicated/guides/getting-started/sso/okta/okta-dashboard.webp?fit=max&auto=format&n=6IUfxpogdvMHxYsN&q=85&s=6226be756601f0dd23da516b186f4f11" width="2198" height="382" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/okta/okta-dashboard.webp" />
   </Frame>

3. Select the following options and click `Next`

   * Sign-in method: `OIDC - Open ID Connect`
   * Application type: `Web Application`

   <Frame caption="Create App Integration - Okta Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/6IUfxpogdvMHxYsN/images/docs/gitpod-dedicated/guides/getting-started/sso/okta/create-app-integration.webp?fit=max&auto=format&n=6IUfxpogdvMHxYsN&q=85&s=59e6e814c1cf64ac96edf088d39229bf" width="1990" height="1754" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/okta/create-app-integration.webp" />
   </Frame>

4. Specify General Settings

   * App integration name: `Gitpod` (or choose your own name)
   * Sign-in redirect URIs: *copy this value from your Gitpod setup screen* (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Sign-out redirect URIs: `none`
   * Trusted Origins: `none`
   * Assignments: *choose option appropriate to your organization*

   <Frame caption="Specify Okta settings - Okta Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/okta/specify-general-settings.webp?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=655b23dd52363b16d8ae761be7510b86" width="1784" height="2612" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/okta/specify-general-settings.webp" />
   </Frame>

5. Obtain Client ID & Client Secret

   * Copy the `Client ID` and use it as input in Gitpod setup (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Copy `Client Secret` and use it as input in Gitpod setup (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Set the `Issuer` to your Okta instance, eg: `https://amazingco.okta.com/`

   <Frame caption="Configure Client Secrets - Okta Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/nqEhKW7F_KWmo28S/images/docs/gitpod-dedicated/guides/getting-started/sso/okta/client-configs-okta.webp?fit=max&auto=format&n=nqEhKW7F_KWmo28S&q=85&s=f3a4775f43a3a2a05eec5711ab4d2935" width="1600" height="1702" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/okta/client-configs-okta.webp" />
   </Frame>

6. Continue with Gitpod SSO Configuration verification: [Clicking “Verify SSO Configuration”](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that)

***

### Google

*As prerequisites* you will need the following:

* Access to setup a new [API Credentials](https://console.cloud.google.com/apis/credentials) in your GCP Account

*Creating a Gitpod SSO Integration*

1. Navigate to your Google Cloud Console, API Credentials

2. Select Create Credentials, and choose OAuth client ID

   <Frame caption="Create credentials - Google Cloud Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/nqEhKW7F_KWmo28S/images/docs/gitpod-dedicated/guides/getting-started/sso/google/create-credentials.webp?fit=max&auto=format&n=nqEhKW7F_KWmo28S&q=85&s=7aa4b8968c5b07ea8e5d9b6c363ebe6f" width="1506" height="690" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/google/create-credentials.webp" />
   </Frame>

3. Configure your OAuth Client ID, by specifying the Authorized Redirect URIs. You will be able to find it on the setup page.

   <Frame caption="Cell setup SSO page">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/google/sso-onboarding-page.webp?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=9c334daee4158bcf99f421eeae2d0ad0" width="1754" height="2098" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/google/sso-onboarding-page.webp" />
   </Frame>

4. Obtain the Client ID & Client Secret and input these into your Gitpod Setup page

   <Frame caption="OAuth Client Created - Google Cloud Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/nqEhKW7F_KWmo28S/images/docs/gitpod-dedicated/guides/getting-started/sso/google/OAuth-client-created.webp?fit=max&auto=format&n=nqEhKW7F_KWmo28S&q=85&s=48194311a5d306a565047df483fb97b0" width="1134" height="1200" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/google/OAuth-client-created.webp" />
   </Frame>

5. Set Provider's Issuer URL to `https://accounts.google.com`

6. Proceed to verify the integration on the Gitpod setup page: [Clicking “Verify SSO Configuration”](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that)

***

### Azure AD (Microsoft Entra ID)

As prerequisites you will need the following:

* Access to [Microsoft Entra admin center](https://entra.microsoft.com/)

*Create an OIDC application*

1. On the [Microsoft Entra admin center](https://entra.microsoft.com/), navigate to *Identity > Applications*

2. Select `New Registration`

   <Frame caption="New Registration">
     <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-1-new-app.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=cae8262d2d8a9d3c84da682d3b577873" width="1968" height="1016" data-path="images/docs/flex/organizations/sso/entra-1-new-app.png" />
   </Frame>

3. Specify General Settings

   * App name, e.g. `Gitpod`
   * Platform: `Web`
   * Paste the redirect URI
     * You'll find the redirect URI on the Gitpod SSO setup page
     * `https://<YOUR GITPOD DOMAIN>/iam/oidc/callback`

   <Frame caption="Register Application - Azure AD Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/azure/register-application.webp?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=7fffe7f2d5e37d95b65597ade541e155" width="2404" height="1610" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/azure/register-application.webp" />
   </Frame>

4. Obtain *Client Secret* from the *Certificates & secrets* page
   * Once the application is registered, navigate to the subpage *Certificates & secrets* to create and obtain a new client secret.

     * Click the *New client secret* button
       <Frame caption="New client secret">
         <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-3-client-secret.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=20c1981fa29dd105d71b729a9fbddb3e" width="1966" height="1262" data-path="images/docs/flex/organizations/sso/entra-3-client-secret.png" />
       </Frame>

     * Adjust the expiry of the client secret
       <Frame caption="Client secret expiry">
         <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-4-client-secret-expires.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=d446f0cf28f49061baedb1b20c84e6b1" width="1966" height="938" data-path="images/docs/flex/organizations/sso/entra-4-client-secret-expires.png" />
       </Frame>

     * Then copy the value of the client secret to be pasted in Gitpod's SSO setup
       <Frame caption="Client secret expiry">
         <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-5-client-secret-copy.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=64512bc7ec820b63b3c21d22fa54c32e" width="1972" height="798" data-path="images/docs/flex/organizations/sso/entra-5-client-secret-copy.png" />
       </Frame>

5. Configure OIDC Scopes
   * The default selection of OIDC scopes in Microsoft Entra ID doesn't meet the requirements for Gitpod. Navigate to *API Permissions > Add a permission* to make the necessary changes

     <Frame caption="Add a permission">
       <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-7-permissions-openid.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=c296182a8520325ab0e9ef4d9cd0806f" width="1964" height="1612" data-path="images/docs/flex/organizations/sso/entra-7-permissions-openid.png" />
     </Frame>

   * Select *Delegated permissions* and *OpenId*, then ensure to enable the following scopes:
     * `email`

     * `openid`

     * `profile`

     * <Frame caption="OpenID Scopes">
         <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-6-permissions.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=9c0eadce1cb56f919cfaa0af8b545ca3" width="1970" height="2122" data-path="images/docs/flex/organizations/sso/entra-6-permissions.png" />
       </Frame>

   * Although the `email` claim is part of the standard OIDC specification, depending on the setup, Microsoft Entra ID does not include it by default in ID tokens. Under *Manage*, select *Token configuration* and fix this:

     * Click *Add optional claim*

     * Add the `email` scope

     * <Frame caption="Add email scope">
         <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-10-id-email-claim.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=86c31f784b9ecd1a22d032f356db62b5" width="2624" height="1518" data-path="images/docs/flex/organizations/sso/entra-10-id-email-claim.png" />
       </Frame>

6. Obtain *Issuer URL* from *Endpoints* tab

   * Navigate to the *Overview* page and select *Endpoints*

     <Frame caption="Endpoints tag">
       <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-8-endpoints-tab.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=0ee5c648123fd5d592c941aac9694165" width="1972" height="714" data-path="images/docs/flex/organizations/sso/entra-8-endpoints-tab.png" />
     </Frame>

   * Copy the *Authority URL* to be used as *Issuer URL* in Gitpod's SSO setup

     <Frame caption="Endpoints tag">
       <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-8-endpoints-tab-issuer.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=bfde53300df8233b8e64288f971bf4b5" width="1970" height="712" data-path="images/docs/flex/organizations/sso/entra-8-endpoints-tab-issuer.png" />
     </Frame>

     > **Note**: Validate the **Issuer URL** by checking the [OIDC Discovery](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri) location. In some configurations, the **Issuer URL** needs to be adjusted.

     * If the *Authority URL* reads like `https://login.microsoftonline.com/{tenant}/v2.0`, the OIDC Discovery location is `https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration`. Open this URL in your browser and check the `issuer` field.

     * Check the `issuer` field in the OIDC Discovery output and ensure this matches the *Authority URL* (*Issuer URL*).
       If not, e.g. if it reads like `https://sts.windows.net/{tenant}`, please try again with`{authority_url}/v2.0/.well-known/openid-configuration` and use `{authority_url}/v2.0` as **Issuer URL** in Gitpod's SSO setup.

7. Obtain the *Client ID* from the *Overview* page

   * Navigate to the *Overview* page and copy the *Application (client) ID* value to be used as *Client ID* in Gitpod's SSO setup

     <Frame caption="Client ID">
       <img src="https://mintcdn.com/gitpod-13c83c2b/fY1tKoFfX7qJMwfm/images/docs/flex/organizations/sso/entra-9-client-id.png?fit=max&auto=format&n=fY1tKoFfX7qJMwfm&q=85&s=aa00e4c0da5afa89ec80c44c168b762e" width="1950" height="824" data-path="images/docs/flex/organizations/sso/entra-9-client-id.png" />
     </Frame>

8. Proceed to verify the SSO configuration on the Gitpod SSO setup page: [Clicking "Verify SSO Configuration"](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that)

***

### AWS Cognito

<Info>
  {' '}

  Choose this option if you already use AWS Cognito. AWS Cognito is also a good
  option in a testing or Proof of Value (PoV) scenario where you don't have an
  IDP you can easily integrate with. In this scenario, most settings should be
  left at their defaults.
</Info>

*Follow the [Cognito User Pool setup process](https://eu-central-1.console.aws.amazon.com/cognito/v2/home), then copy the necessary values into the Gitpod SSO Configuration UI*

1. Navigate to the Cognito page in the AWS console. Select create user pool:
   <Frame caption="Congiton User Pool Process">
     <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-one.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=48c7f4b40f6760032ae8194725db8e56" width="2270" height="1662" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-one.png" />
   </Frame>
2. Configure sign-in experience:
   <Frame caption="Congito Sing In Requirements">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-signin.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=4bb9ea94ee69e6fc67f34e018994a57c" width="2336" height="1539" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-signin.png" />
   </Frame>

* Select `Cognito user pool` as provider type
* Select email as the Cognito user pool signin option

3. Configure Security requirements:
   <Frame caption="Congito Security Requirements">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-security-requirements.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=4116697ada31b42dcdaff4692e37ba8c" width="2274" height="3168" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-security-requirements.png" />
   </Frame>
   * For development purposes, consider modifying the MFA enforcment policy to not require MFA. For all production use cases, configure the MFA and user account recovery sections according to organizational guidelines
4. Configure sign-up experience:
   <Frame caption="Congito Security Requirements">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-signup-experience.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=9c3ff42bf3216fa5c4a19466110cdbfe" width="2326" height="1770" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-signup-experience.png" />
   </Frame>
   * Disable Self Registration if you want to limit access. For example, if your instance is accessible on the public internet, you may not want anyone to be able to self-register.

     <Info>
       In the `Required Attributes` section, ensure that name is selected:

       <Frame caption="Required Attribute Name">
         <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-name-required.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=9e7dea2f0c7f2e1c8e81f63cafeef99c" width="2270" height="1662" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-name-required.png" />
       </Frame>
     </Info>
5. Configure Message Delivery:
   <Frame caption="Configure message delivery">
     <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-message-delivery.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=152e3a27ede395380ae5a234f3379e5f" width="2326" height="1778" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-message-delivery.png" />
   </Frame>
   * For dev Setups, use Cognito as the email provider; for production setups, use company SES setup
6. Integrate your app:
   <Frame caption="Integrate your app">
     <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-integrate-app.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=09517947e35e38adb46eb161cdbce148" width="2328" height="1774" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-integrate-app.png" />
   </Frame>
   * Follow company best practice for most settings
   * Ensure to select `Generate a client secret` in the Client secret section:
     <Frame caption="Required client secret">
       <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-app-client-secret.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=f0233766eaf45f5d9ad02d6a2156c8ad" width="2270" height="1662" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-app-client-secret.png" />
     </Frame>
   * Define the call back url as provided by the Enterprise instance in the Configure single sign-on setup page (see [above](#3-set-up-gitpod)):
     <Frame caption="Required callback url">
       <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-callback-url.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=8e7597ddeff43edd869fa98157b394bd" width="1596" height="584" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-callback-url.png" />
     </Frame>
   * As the identity provider, select `Cognito` (under Advanced app client settings)
   * OAuth 2.0 grant types, select `Auth Code Grant`
   * Under OpenID Connect Scopes, select `OpenID`, `Email`, `Profile`:
     <Frame caption="Required callback url">
       <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-app-scopes.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=8efa523abb8de9cf5c03c265415a9b40" width="1932" height="1102" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-app-scopes.png" />
     </Frame>
7. Now create the cognito user pool. The review page should look similar to this:
   <video controls playsInline autoPlay loop muted className="shadow-low w-full rounded-xl max-w-3xl mt-x-small" src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-review-screen.webm?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=36d1c2cfee6fd6621b1b7acc85a5730e" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-review-screen.webm" />
8. Start pasting the necessary values into the Gitpod SSO setup page. Navigate to:

```text theme={null}
https://cognito-idp.<insert_region>.amazonaws.com/<insert_user_pool_id>/.well-known/openid-configuration
```

This will return a web page with raw json data:

<Frame caption="Issuer URL">
  <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-well-known-issuer.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=c1ae9e09a64cbb3b9de0757d171eb9dc" width="1746" height="927" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-well-known-issuer.png" />
</Frame>

* Copy the `issuer URL` highlighted above into the respective field on the Gitpod SSO setup page

9. Navigate to the Cognito console, and find the User pool created above. Navigate to the App client meta data as below:
   <Frame caption="App Client Data">
     <img src="https://mintcdn.com/gitpod-13c83c2b/DbW0IHRsdqu3clLj/images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-app-client.png?fit=max&auto=format&n=DbW0IHRsdqu3clLj&q=85&s=c08c443222cfc608df55fc7cde20e8fb" width="2530" height="1662" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/cognito/cognito-app-client.png" />
   </Frame>

* Copy the `Client ID` from the Cognito app client page into the respective field on the Gitpod SSO setup page
* Copy the `Client Secret` into the respective field on the Gitpod SSO setup page

10. Proceed to Verify the SSO configuration on the GitHub SSO setup page [by clicking “Verify SSO Configuration”](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that)

***

### Self-hosted GitLab

*As* *prerequisites* you will need the following:

* Admin Permission of your Self-hosted GitLab

*Creating a Gitpod SSO Integration*

1. Navigate to your GitLab instance's applications settings page. eg: `https://gitlab-demo.gitpod.io/admin/applications`.

2. Click on the `New application` button.

   <Frame caption="New Application - GitLab Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/admin-area-applications.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=a5cdbdd1da1fff7d04fc8866909e7fe6" width="3232" height="1166" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/admin-area-applications.png" />
   </Frame>

3. Specify General Settings and Save application.

   * Name: Gitpod
   * Redirect URI: copy this value from your Gitpod setup screen (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Confidential: Yes
   * Expire access tokens: Yes
   * Scopes: select `read_user`, `openid`, `profile` and `email`

   <Frame caption="Application Settings - GitLab Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/application-settings.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=47f8bab9a6c620f429957138aea03f9c" width="3228" height="2542" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/application-settings.png" />
   </Frame>

4. Obtain Client ID & Client Secret

   * Copy the Application ID and use it as input in Gitpod setup (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Copy Secret and use it as input in Gitpod setup (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Set the Issuer to your Gitlab instance, eg: `https://gitlab-demo.gitpod.io`

   <Frame caption="Application Settings Saved - GitLab Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/application-setting-saved.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=db00e394d26a5574881c33f3e6f10407" width="3230" height="1264" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/application-setting-saved.png" />
   </Frame>

5. Continue with Gitpod SSO Configuration verification: [Clicking “Verify SSO Configuration”](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that)

***

### SaaS GitLab

<Warning>
  **Security note:** To avoid everyone has a GitLab account to sign up in your
  Gitpod installation, you must restrict `claims` with CEL expression ([syntax
  of CEL](https://github.com/google/cel-spec/blob/master/doc/langdef.md#syntax)).
  More details see step 6.
</Warning>

*Creating a Gitpod SSO Integration*

1. Navigate to your SaaS GitLab group's applications settings page. eg: `https://gitlab.com/groups/<group_name>/-/settings/applications`.

2. Click on the `Add new application` button.

   <Frame caption="New Application - GitLab Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-group-applications.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=f34ae288c9f97b119bdaa4f92cc1a9b0" width="2620" height="1440" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-group-applications.png" />
   </Frame>

3. Specify General Settings and Save application.

   * Name: Gitpod
   * Redirect URI: copy this value from your Gitpod setup screen (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Confidential: Yes
   * Expire access tokens: Yes
   * Scopes: select `read_user`, `openid`, `profile` and `email`

   <Frame caption="Application Settings - GitLab Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-application-settings.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=e1a2f34f66894b5755730ea5f19cb874" width="2616" height="1580" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-application-settings.png" />
   </Frame>

   <Frame caption="Application Settings - GitLab Dashboard - 2">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-application-settings-2.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=ef8f5511d5a57bf9bcfd43ebcb799cd3" width="2614" height="748" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-application-settings-2.png" />
   </Frame>

4. Obtain Client ID & Client Secret

   * Copy the Application ID and use it as input in Gitpod setup (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Copy Secret and use it as input in Gitpod setup (see [details](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that) above under "General instructions")
   * Set the Issuer to `https://gitlab.com`

   <Frame caption="Application Settings Saved - GitLab Dashboard">
     <img src="https://mintcdn.com/gitpod-13c83c2b/Yi8thHUqIhNFtEor/images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-application-settings-saved.png?fit=max&auto=format&n=Yi8thHUqIhNFtEor&q=85&s=57ec4f403ff37e36ba8a67fd7a076975" width="2616" height="1298" data-path="images/docs/gitpod-dedicated/guides/getting-started/sso/gitlab/saas-application-settings-saved.png" />
   </Frame>

5. Continue with Gitpod SSO Configuration verification: [Clicking “Verify SSO Configuration”](/classic/admin/setup-gitpod/configure-sso#general-instructions:~:text=on%20this%20screen.-,Clicking%20%E2%80%9CVerify%20SSO%20Configuration%E2%80%9D,-will%20ensure%20that)

6. Restrict with CEL expression. More available keys see [OIDC document on GitLab](https://docs.gitlab.com/ee/integration/openid_connect_provider.html#shared-information)

   <Warning>
     {' '}

     **Security note:** To avoid everyone has a GitLab account to sign up in your
     Gitpod installation, you must restrict `claims` with CEL expression ([syntax
     of CEL](https://github.com/google/cel-spec/blob/master/doc/langdef.md#syntax))
   </Warning>

* Limit users to people who is a direct member of group, example group name `gitpod-team`
  ```
  'gitpod-team' in claims.groups_direct
  ```
* Limit users to people who is a direct member of multiple groups, example group name `gitpod-team` and `gitpod-team-2/sub_group`
  ```
  'gitpod-team' in claims.groups_direct && 'gitpod-team-2/sub_group' in claims.groups_direct
  ```
* Limit users by email ends with `@gitpod.io`
  ```
  claims.email_verified && claims.email.endsWith('@gitpod.io')
  ```
