SSO/SAML

Follow these instructions to enable Enterprise Single Sign-On (SSO) with SAML via BoxyHQ for your Greptile application.

Prerequisites

Ensure the following services are operational:

Set these environment variables for the Jackson service:

Variable	Description	Example
`DB_ENCRYPTION_KEY`	Encryption key	`openssl rand -base64 32`
`HOST_URL`	Jackson service URL	`sso.greptile.com`
`EXTERNAL_URL`	External Jackson URL	`https://sso.greptile.com`
`JACKSON_API_KEYS`	API Keys for Jackson	`openssl rand -base64 32`
`SAML_AUDIENCE`	Audience identifier	`https://sso.greptile.com`
`CLIENT_SECRET_VERIFIER`	Secret verifier (alphanumeric only)	`dummy`
`NEXTAUTH_ADMIN_CREDENTIALS`	Admin credentials	`admin@greptile.com:mysupersecretpassword`
`PUBLIC_KEY`	Certificate (see Jackson docs)	Starts with `-----BEGIN CERTIFICATE-----`
`PRIVATE_KEY`	Private key (see Jackson docs)	PEM formatted
`NEXTAUTH_URL`	Same as `EXTERNAL_URL`	`https://sso.greptile.com`
`NEXTAUTH_SECRET`	JWT secret from `web` service	JWT secret
`IDP_ENABLED`	Enable IdP	`true`

Log in to your PostgreSQL database.
Create or locate an existing Organization.
Generate an InternalApiKey:
```
openssl rand -base64 36
```
Insert a new SamlConnection:
- Set org_id to your Organization ID.
- Set tenant_id to your user’s email domain (e.g., example.com).

Visit the Jackson admin console (https://sso.greptile.com).
Log in using admin credentials configured earlier.
Navigate to Enterprise SSO → Connections.
Click New Setup Link.
- Set tenant to user’s email domain.
- Set product as greptile.
- Allowed redirect URL: https://app.greptile.com
- Default redirect URL: https://app.greptile.com/login/saml
Generate the setup link.
Share the setup link with your customer for SSO provider configuration.

Once your customer has completed the configuration:

For local testing, use MockSAML with tenant set to example.com.

AUTH_BOXYHQ_SAML_SECRET in your web service must match Jackson’s CLIENT_SECRET_VERIFIER and should not include special characters.