Skip to content
sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
Go Other
  1. Go 99.0%
  2. Other 1.0%
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci sso_proxy: add test for websockets and update docs Oct 8, 2019
.codecov ci: set overall test coverage threshold to 2% Jun 25, 2019
.github release-drafter: add release template and configs Oct 10, 2019
cmd cmd: ensure http servers shut down gracefully Nov 4, 2019
docs cmd: ensure http servers shut down gracefully Nov 4, 2019
scripts sso_*: 2.1.0 release Oct 14, 2019
.gitignore Don't check in the dist/ directory created by make Sep 18, 2018 CONTRIBUTING: added merge policy language Nov 16, 2018
Dockerfile sso: update go modules (#273) Dec 9, 2019
LICENSE sso: init commit Aug 22, 2018
Makefile sso: update go modules (#273) Dec 9, 2019 Create Aug 24, 2018 sso: add codecov badge to readme Jun 25, 2019
go.mod sso: update go modules (#273) Dec 9, 2019
go.sum sso: update go modules (#273) Dec 9, 2019


See our launch blog post for more information!

CircleCI MIT license Docker Automated build

Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!

sso — lovingly known as the S.S. Octopus or octoboi — is the authentication and authorization system BuzzFeed developed to provide a secure, single sign-on experience for access to the many internal web apps used by our employees.

It depends on Google as its authoritative OAuth2 provider, and authenticates users against a specific email domain. Further authorization based on Google Group membership can be required on a per-upstream basis.

The main idea behind sso is a "double OAuth2" flow, where sso-auth is the OAuth2 provider for sso-proxy and Google is the OAuth2 provider for sso-auth.

sso is built on top of Bitly’s open source oauth2_proxy

In a nutshell:

  • If a user visits an sso-proxy-protected service ( and does not have a session cookie, they are redirected to sso-auth (
    • If the user does not have a session cookie for sso-auth, they are prompted to log in via the usual Google OAuth2 flow, and then redirected back to sso-proxy where they will now be logged in (to
    • If the user does have a session cookie for sso-auth (e.g. they have already logged into, they are transparently redirected back to proxy where they will be logged in, without needing to go through the Google OAuth2 flow
  • sso-proxy transparently re-validates & refreshes the user's session with sso-auth



Follow our Quickstart guide to spin up a local deployment of sso to get a feel for how it works!

Code of Conduct

Help us keep sso open and inclusive. Please read and follow our Code of Conduct.


Contributions to sso are welcome! Please follow our contribution guideline.


Please file any issues you find in our issue tracker.

Security Vulns

If you come across any security vulnerabilities with the sso repo or software, please email In your email, please request access to our bug bounty program so we can compensate you for any valid issues reported.


sso is actively maintained by the BuzzFeed Infrastructure teams.

Notable forks

  • pomerium an identity-access proxy, inspired by BeyondCorp.
You can’t perform that action at this time.