---
component: ROOT
version: "2026.1"
slug: ROOT/administration/identity-provider
canonical_url: "https://docs.gradle.com/develocity/2026.1/administration/access-control/identity-provider/"
title: "Identity Provider"
description: "Configure SAML 2.0 or LDAP identity providers to manage user access to Develocity."
keywords: []
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Identity Provider

<a id="preamble"></a>

Configure an external identity provider.

While Develocity includes a local [System User](https://docs.gradle.com/develocity/2026.1/administration/access-control/system-user/), enterprise environments typically configure an external identity provider (IdP) to centralize user management and enforce security policies.

<a id="prerequisites"></a>

## Prerequisites

*   An account with permission to configure access control in Develocity.
    
*   Administrator access to your identity provider (IdP).
    
*   Your IdP configuration details:
    
    *   For SAML 2.0, the IdP metadata file.
        
    *   For LDAP, a bind DN and credentials, plus the LDAP connection details.
        
    

> [!IMPORTANT]
> Develocity supports one active external identity provider at a time (either SAML 2.0 or LDAP).

<a id="authenticated_build_access"></a>

## Authenticated Build Access

Builds authenticate with Develocity using an access key. Configure build authentication in the [Develocity Gradle Plugin User Manual](https://docs.gradle.com/develocity/gradle/4.4/gradle-plugin/#authenticating) or [Develocity Maven Extension User Manual](https://docs.gradle.com/develocity/maven/2.4/maven-extension/#authenticating).

<a id="saml-2-0"></a>

## SAML 2.0

SAML 2.0 enables Single Sign-On (SSO) using providers like Okta, Entra ID, or Ping Identity.

<a id="configure-via-the-user-interface"></a>

### Configure via the User Interface

User accounts for users authenticating with the SAML provider will be created on first login.

1.  Navigate to **Administration** > **Access control** > **Identity provider**.
    
2.  Enable **Enable external identity provider** and select **SAML 2.0**.
    
    ![Enable SAML toggle](https://docs.gradle.com/develocity/2026.1/administration/access-control/identity-provider/../../_images/saml-step-enable.png)
    
    Enable SAML
    
3.  Enter a name for the identity provider.
    
4.  Create a SAML application at your identity provider using the displayed "Service provider SSO URL" and "Service provider entity ID".
    
5.  Download the metadata for the SAML application from your identity provider, and select this file for the "Identity provider metadata file" field.
    
6.  Configure signing/encryption options (optional). If any signing or encryption is being used, use "Download service provider config" to obtain a configuration file that will need to be provided to your identity provider.
    
7.  Configure [Attribute Mappings](#attribute_mapping).
    
8.  Configure [Role Mapping](#idp_role_mapping) membership.
    
9.  Click **Save**, then **Apply** to restart Develocity with the new settings.
    

> [!TIP]
> SAML handles authentication, but not user deletion. To automate the user lifecycle, configure User Provisioning (SCIM 2.0).

<a id="attribute_mapping"></a>

### Attribute Mappings

A user's "given name", "surname" and "email" attributes can be obtained from the identity provider or prompted for on first login.

To obtain an attribute from the identity provider, select "Manage in identity provider" for the attribute and specify the name of the SAML attribute that will provide the value. Attribute changes made at the SAML identity provider will only take effect after either a user-initiated logout, administrator force logout, or session expiry.

Locally managed attributes can be updated for a user by an administrator.

<a id="idp_role_mapping"></a>

### Role Mapping

User role membership can be defined by the identity provider or managed locally.

To use identity provider specified role membership, select **Defined by identity provider** in the **Role membership** section. The name of the SAML attribute that defines the roles for a user must be specified, along with the values to map to Develocity access roles.

When using "Defined by Develocity" as the "Role membership" option, the default roles for users can be specified. Users will be assigned the default roles when they first sign in. Changing the default roles will change the role membership of users with default roles enabled. Administrators can change role membership for individual users after they have signed in for the first time, including whether the default roles should be enabled for the user.
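As an added example (not code from the Develocity documentation or product), the following Python script shows what the SAML settings above act on: it reads the attributes from a constructed `AttributeStatement`, applies a hypothetical field-to-attribute mapping in which "email" is managed locally, and turns the values of a hypothetical `groups` attribute into Develocity roles. All attribute names, values and role names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement as an IdP might send it after sign-in;
# attribute names and values are made up for this example.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>develocity-admins</saml:AttributeValue>
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical form settings: Develocity field -> SAML attribute name (None means
# "managed locally", i.e. prompted for on first login), plus the role attribute
# and the attribute values that map to Develocity roles (role names are made up).
ATTRIBUTE_MAPPING = {"given name": "givenName", "surname": "sn", "email": None}
ROLE_ATTRIBUTE = "groups"
ROLE_VALUE_MAPPING = {"develocity-admins": "admin-role", "develocity-devs": "developer-role"}

def saml_attributes(assertion_xml):
    # {attribute Name: [values]} taken from the assertion's AttributeStatement.
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}

def resolve_user(assertion_xml):
    # Returns (profile, roles, prompt_for): profile holds the IdP-managed values,
    # prompt_for lists the fields to ask the user for on first login.
    attrs = saml_attributes(assertion_xml)
    profile, prompt_for = {}, []
    for field, saml_name in ATTRIBUTE_MAPPING.items():
        values = attrs.get(saml_name) if saml_name else None
        if values:
            profile[field] = values[0]
        else:
            prompt_for.append(field)  # locally managed (this example also treats a missing IdP value this way)
    roles = sorted({ROLE_VALUE_MAPPING[v] for v in attrs.get(ROLE_ATTRIBUTE, [])
                    if v in ROLE_VALUE_MAPPING})
    return profile, roles, prompt_for
```

Attribute values that have no entry in the role value mapping (here `engineering`) grant no role, which is the behaviour an administrator wants to confirm before enabling "Defined by identity provider".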

<a id="ldap"></a>

## LDAP

Connect Develocity to an LDAP or Active Directory service to authenticate users against your directory tree.

<a id="configure-via-the-user-interface-2"></a>

### Configure via the User Interface

1.  Navigate to **Administration** > **Access control** > **Identity provider**.
    
2.  Enable **Enable external identity provider** and select **LDAP**.
    
3.  Enter the connection details (Server URL, Port, and Bind DN).
    
    ![LDAP connection details](https://docs.gradle.com/develocity/2026.1/administration/access-control/identity-provider/../../_images/ldap-step-connection.png)
    
    LDAP connection details
    
4.  Map the required user attributes: `username`, `first name`, `last name`, `email`, and `UUID`.
    
    ![LDAP attribute mapping](https://docs.gradle.com/develocity/2026.1/administration/access-control/identity-provider/../../_images/ldap-step-attributes.png)
    
    LDAP attribute mapping
    
5.  Configure role membership to either use LDAP groups or manage roles manually.
    
    ![LDAP role mapping](https://docs.gradle.com/develocity/2026.1/administration/access-control/identity-provider/../../_images/ldap-step-roles.png)
    
    LDAP role mapping
    
6.  Click **Test** to verify the connection, then click **Save** and **Apply**.
    

> [!NOTE]
> Commonly, the "UUID" attribute is `entryUUID`; for LDAP providers where this attribute is missing, use another unique, persistent ID. For Active Directory, this is usually called `objectGUID`.

<a id="ldap-role-mapping"></a>

### LDAP Role Mapping

User role membership can be defined by the identity provider or managed locally.

To use identity provider specified role membership, select **Defined by identity provider** in the **Role membership** section. Details on where to find roles and how they’re defined must be provided.

> [!NOTE]
> For most LDAP providers the role object class is commonly `groupOfNames`; for Active Directory it is usually `group`.

When using "Defined by Develocity" as the "Role membership" option, the default roles for users can be specified. Users will be assigned the default roles when they first sign in. Changing the default roles will change the role membership of users with default roles enabled. Administrators can change role membership for individual users after they have signed in for the first time, including whether the default roles should be enabled for the user.

Recursive (nested) group membership is supported via an opt-in option.
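As an added example (not code from the Develocity documentation or product), this Python script runs the two checks an administrator would want before saving the LDAP form: that every mapped user attribute actually exists on a user entry (so a mapping of "UUID" to `objectGUID` against an OpenLDAP-style entry is caught), and which groups a user belongs to with and without nested resolution, including a membership cycle between two groups. The LDIF excerpt, DNs, attribute names and group names are constructed.

```python
# Constructed directory excerpt in LDIF syntax; every DN and value is made up.
LDIF = """\
dn: uid=ada,ou=people,dc=example,dc=com
uid: ada
givenName: Ada
sn: Lovelace
mail: ada@example.com
entryUUID: 11111111-2222-3333-4444-555555555555

dn: cn=platform-team,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: platform-team
member: uid=ada,ou=people,dc=example,dc=com
member: cn=build-admins,ou=groups,dc=example,dc=com

dn: cn=build-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: build-admins
member: cn=platform-team,ou=groups,dc=example,dc=com
"""
# Hypothetical form values for an OpenLDAP-style directory (not product defaults).
USER_ATTRIBUTES = {"username": "uid", "first name": "givenName",
                   "last name": "sn", "email": "mail", "UUID": "entryUUID"}
GROUP_OBJECT_CLASS = "groupOfNames"  # "group" for Active Directory

def parse_ldif(text):
    # {dn: {attribute (lower-cased, LDAP names are case-insensitive): [values]}}
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, *lines = [line.partition(": ") for line in block.splitlines()]
        entry = entries[dn[2]] = {}
        for name, _, value in lines:
            entry.setdefault(name.lower(), []).append(value)
    return entries

def missing_user_attributes(entry, mapping=USER_ATTRIBUTES):
    # Form fields whose mapped LDAP attribute the user entry does not carry.
    return [field for field, attr in mapping.items() if attr.lower() not in entry]

def groups_of(user_dn, entries, recursive=False):
    # cn of every group holding user_dn; with recursive=True also the groups holding
    # those groups. 'seen' stops the platform-team <-> build-admins cycle.
    found, seen, pending = set(), set(), {user_dn}
    while pending:
        dn = pending.pop()
        seen.add(dn)
        for group_dn, attrs in entries.items():
            if GROUP_OBJECT_CLASS in attrs.get("objectclass", []) and dn in attrs.get("member", []):
                found.add(attrs["cn"][0])
                if recursive and group_dn not in seen:
                    pending.add(group_dn)
    return found
```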

<a id="technical-notes"></a>

## Technical Notes

*   **Account Conflicts:** You cannot sign in through an IdP if a local account exists with the same username or email address.
    
*   **Sign-out Behavior:** Signing out of Develocity doesn’t sign you out of your IdP.
    
*   **Role Sync:** Develocity updates IdP role membership when you sign in or when your session refreshes.
    

<a id="related-pages"></a>

## Related Pages

*   [System User](https://docs.gradle.com/develocity/2026.1/administration/access-control/system-user/)
    
*   [User Provisioning](https://docs.gradle.com/develocity/2026.1/administration/access-control/user-provisioning/)
    
*   [Permissions and Roles](https://docs.gradle.com/develocity/2026.1/administration/access-control/permissions-and-roles/)