Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

SAML Setup

Ingrid

Refer to the following instructions to set up single sign-on (SSO) using SAML [settings.png Settings ➔ SAML]:

Only Admin can configure SAML. See user permissions.

Configuring SAML Metadata

Bitsight SAML Service Provider (SP) Details

Configure your identity provider (IdP) based on the following details:

Field Contents
Metadata URL: https://service.bitsight.com/saml/metadata/
SAML Version: 2.0
Entity ID: https://service.bitsighttech.com/saml/metadata/
Assertion Consumer Service URL: https://service.bitsighttech.com/saml/acs/
Consumer Service Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Your SP-initiated (Service Provider-initiated) Login URL: https://service.bitsight.com/sso/demo/

Configuring Multiple Providers

To configure multiple providers:

  1. Contact Bitsight Support to have the “Multiple SAML IdP” feature enabled.
  2. Disable the “Auto provision users” toggle.

Once the feature is enabled, you’ll be able to add alternate providers.

For SP-initiated (Service Provider-initiated) providers, each provider requires their own suffix so that a unique URL can be generated.

Required Attributes

The following attributes from your identity provider are required:

  • 'mail' (Email Address)
  • 'cn' (First Name)
  • 'sn' (Last Name)

These attributes should be configured on your identity provider using one of the following naming conventions (SAML 1.1 or SAML 2.0).

SAML 1.1

Name Name Format Value
urn:mace:dir:attribute-def:cn urn:oasis:names:tc:SAML:2.0:attrname-format:basic First Name
urn:mace:dir:attribute-def:sn urn:oasis:names:tc:SAML:2.0:attrname-format:basic Last Name
urn:mace:dir:attribute-def:mail urn:oasis:names:tc:SAML:2.0:attrname-format:basic Email

SAML 2.0

Name Name Format Value
urn:oid:2.5.4.3 urn:oasis:names:tc:SAML:2.0:attrname-format:uri First Name
urn:oid:2.5.4.4 urn:oasis:names:tc:SAML:2.0:attrname-format:uri Last Name
urn:oid:0.9.2342.19200300.100.1.3 urn:oasis:names:tc:SAML:2.0:attrname-format:uri Email

Optional SAML 2.0 Attributes

Additional attributes that can be specified:

Full Name

This can be specified in place of the last name field if the user’s name is not of the form, “Firstname Lastname.”

Name Name Format Value
urn:oid:2.16.840.1.113730.3.1.241 urn:oasis:names:tc:SAML:2.0:attrname-format:uri Full Name

User Role

This specifies the user’s role in the Bitsight platform or their more specific role for the Bitsight VRM and Trust Management Hub (TMH) applications. This field is optional (in which case the user’s role will be a standard user role, or left unchanged). Otherwise, it must be one of these strings:

Ensure the string values are an exact match, including the spaces.

Bitsight platform roles:
  • Customer User
  • Customer Admin
  • Customer Group Admin
  • Customer Portfolio Manager
Name Name Format Value
urn:oid:1.3.6.1.4.1.50993.1.1.2 urn:oasis:names:tc:SAML:2.0:attrname-format:uri User Role
VRM-TMH roles:
  • Default Shared Roles
    • VRM Admin
    • VRM Operations
    • VRM View Only
  • Default VRM Roles
    • None
    • VRM Internal Business User
  • Default TMH Roles
    • TMH Access Only Operations
    • TMH Access Only Sales
Name Name Format Value
urn:oid:1.3.6.1.4.1.50993.1.1.4 urn:oasis:names:tc:SAML:2.0:attrname-format:uri VRM/TMH Role

User Group

This specifies the user’s group. If the group does not already exist, it will be created (and will initially be empty). If this is not specified, then the default group is used.

Name Name Format Value
urn:oid:1.3.6.1.4.1.50993.1.1.1 urn:oasis:names:tc:SAML:2.0:attrname-format:uri User Group

Enabling SAML

After you’ve submitted your SAML metadata, you can enable SAML by toggling the “Enable Configuration” option.

Once SAML is enabled:

  • A URL appears at the top of the “Your SAML Login URL” page, which will contain either:
    • An SP-initiated (Service Provider-initiated) URL by default.
    • An IdP-initiated (Identity Provider-initiated) URL if a custom login URL is configured.
  • Users will have to log in using the single sign-on (SSO) URL provided in the SAML page.
  • A cookie is set each time a user first logs in.
  • Once an Admin has successfully logged in using SAML, their password is disabled. Other Admins may keep accessing the platform with their credentials until they also log in via SAML.
  • And the first time an admin successfully logs in, existing passwords are disabled for non-Admins.
  • January 7, 2025: Incorporated TMH/VRM user roles into optional SAML 2.0 attributes.
  • August 9, 2022: Added instructions for using multiple service providers.
  • August 2, 2022: Published.

Related articles

Feedback

0 comments

Please sign in to leave a comment.