Skip to content

Bitbucket Data Center (Workload Identity Federation)

Management → Accounts & Integrations → Add New Account (top right) → Bitbucket → Workload Identity Federation


Overview

The Bitbucket Data Center (Workload Identity Federation) integration connects SailPoint Entro to your on-premises Bitbucket Server or Data Center instance for continuous secret scanning.

This method uses a federated authentication token (HTTP Auth token) instead of an App Password or API token, ensuring secure, scoped, and revocable access for self-hosted Bitbucket environments.


  1. Verify Connectivity

    1. Ensure your Bitbucket Data Center instance is reachable from SailPoint Entro’s deployed Connector.

    2. Confirm that outbound HTTPS traffic to your Bitbucket domain (e.g., https://bitbucket.organization.com:7990) is allowed.

    3. If the instance is behind a firewall, allowlist your SailPoint Entro Connector IP or internal routing path.

  2. Generate a Bitbucket HTTP Auth Token

    1. Log in to your Bitbucket Data Center as an admin user.

    2. Navigate to Administration → Access Management → Personal Access Tokens.

    3. Click Create personal access token.

    4. Assign the following read-only scopes:

    Category Permission
    Projects Read
    Repositories Read
    Pull requests Read
    Webhooks Read
    Users Read
    1. Click Create and copy the generated token (for example: BBDC-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX).

    2. Store it securely - it will be entered in the SailPoint Entro form.

  3. Connect to SailPoint Entro

    In the SailPoint Entro Console, go to: Management → Accounts & Integrations → Add New Account → Bitbucket

    Select Workload Identity Federation (Bitbucket Data Center), then complete the form:

    Field Description
    Environment Type Choose the applicable environment (Production / Staging)
    Company Nickname Any name to identify this integration
    Bitbucket Data Center Server (Hostname / IP) Example: http://bitbucket.organization.com:7990
    Bitbucket HTTP Auth Token Paste the personal access token created in Step 2
    Worker Group (Connector) Select the Connector that has network access to Bitbucket

    Finally, click Create Account.

  4. Verify Integration

    After saving:

    1. Navigate to Integrations → Bitbucket in SailPoint Entro.

    2. Confirm the integration status is shown as Active.

    3. Repositories from your on-prem Bitbucket instance should appear in the SailPoint Entro workspace.

    4. Check the Last Synchronization timestamp.

      You have successfully onboarded your Bitbucket Data Center instance via Workload Identity Federation.


Security & Compliance

  • Authentication uses scoped HTTP Auth tokens with read-only access.

  • No passwords or API keys are stored in SailPoint Entro.

  • Communication between the SailPoint Entro Connector and Bitbucket is encrypted via TLS 1.2+.

  • SailPoint Entro adheres to SOC 2 Type II, ISO 27001, and GDPR standards.

Note

Tokens can be revoked at any time from your Bitbucket Data Center admin console