Configuring SAML Metadata
Bitsight SAML Service Provider (SP) Details
Configure your identity provider (IdP) based on the following details:
Field | Contents |
---|---|
Metadata URL: | https://service.bitsight.com/saml/metadata/ |
SAML Version: | 2.0 |
Entity ID: | https://service.bitsighttech.com/saml/metadata/ |
Assertion Consumer Service URL: | https://service.bitsighttech.com/saml/acs/ |
Consumer Service Binding: | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
Your SP-initiated (Service Provider-initiated) Login URL: | https://service.bitsight.com/sso/demo/ |
Configuring Multiple Providers
To configure multiple providers:
- Contact Bitsight Support to have the “Multiple SAML IdP” feature enabled.
- Disable the “Auto provision users” toggle.
Once the feature is enabled, you’ll be able to add alternate providers.
For SP-initiated (Service Provider-initiated) providers, each provider needs its own suffix so that a unique login URL can be generated for it.
Required Attributes
The following attributes from your identity provider are required:
- 'mail' (Email Address)
- 'cn' (First Name)
- 'sn' (Last Name)
These attributes should be configured on your identity provider using one of the following naming conventions (SAML 1.1 or SAML 2.0).
SAML 1.1
Name | Name Format | Value |
---|---|---|
urn:mace:dir:attribute-def:cn | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | First Name |
urn:mace:dir:attribute-def:sn | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | Last Name |
urn:mace:dir:attribute-def:mail | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | Email |
SAML 2.0
Name | Name Format | Value |
---|---|---|
urn:oid:2.5.4.3 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | First Name |
urn:oid:2.5.4.4 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Last Name |
urn:oid:0.9.2342.19200300.100.1.3 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Email |
Optional SAML 2.0 Attributes
Additional attributes that can be specified:
Full Name
This can be specified in place of the Last Name field if the user’s name is not of the form “Firstname Lastname”.
Name | Name Format | Value |
---|---|---|
urn:oid:2.16.840.1.113730.3.1.241 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Full Name |
User Role
This specifies the user’s role in the Bitsight platform or their more specific role for the Bitsight VRM and Trust Management Hub (TMH) applications. This field is optional (in which case the user’s role will be a standard user role, or left unchanged). Otherwise, it must be one of these strings:
Ensure the string values are an exact match, including the spaces.
Bitsight platform roles:
- Customer User
- Customer Admin
- Customer Group Admin
- Customer Portfolio Manager
Name | Name Format | Value |
---|---|---|
urn:oid:1.3.6.1.4.1.50993.1.1.2 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Role |
VRM-TMH roles:
- Default Shared Roles
  - VRM Admin
  - VRM Operations
  - VRM View Only
- Default VRM Roles
  - VRM Internal Business User
- Default TMH Roles
  - TMH Access Only Operations
  - TMH Access Only Sales
Name | Name Format | Value |
---|---|---|
urn:oid:1.3.6.1.4.1.50993.1.1.4 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | VRM/TMH Role |
User Group
This specifies the user’s group. If the group does not already exist, it will be created (and will initially be empty). If this is not specified, then the default group is used.
Name | Name Format | Value |
---|---|---|
urn:oid:1.3.6.1.4.1.50993.1.1.1 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Group |
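The following Python script is an added example, not Bitsight’s own code. It checks a SAML 2.0 Response against the SP details and attribute tables above: the Destination must equal the Assertion Consumer Service URL, the Audience must equal the Entity ID (note that both live on service.bitsighttech.com, while the Metadata and SP-initiated login URLs are on service.bitsight.com), the three required attributes must be present under their SAML 2.0 OID names with the uri name format (Full Name is accepted in place of Last Name, as described above), and any role values must be exact matches, stray spaces included. It assumes your SAML library has already verified the XML signature on the assertion, since a content check on an unverified response proves nothing, and it treats the “Default ... Roles” entries in the VRM-TMH list as group labels rather than role strings (an assumption). The sample responses are constructed for the example, not captured from an IdP.

```python
"""Post-verification content check of a SAML 2.0 Response against the Bitsight
SP details and attribute tables on this page.  Added example, not Bitsight code.
Assumes the XML signature has already been verified by your SAML library."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# SP details from the table at the top of the page.
ENTITY_ID = "https://service.bitsighttech.com/saml/metadata/"
ACS_URL = "https://service.bitsighttech.com/saml/acs/"

# SAML 2.0 attribute names from the tables above (the SAML 1.1 urn:mace names are not handled here).
CN, SN, MAIL = "urn:oid:2.5.4.3", "urn:oid:2.5.4.4", "urn:oid:0.9.2342.19200300.100.1.3"
REQUIRED = {CN: "cn (First Name)", SN: "sn (Last Name)", MAIL: "mail (Email)"}
FULL_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
USER_ROLE = "urn:oid:1.3.6.1.4.1.50993.1.1.2"
VRM_TMH_ROLE = "urn:oid:1.3.6.1.4.1.50993.1.1.4"
USER_GROUP = "urn:oid:1.3.6.1.4.1.50993.1.1.1"

PLATFORM_ROLES = {"Customer User", "Customer Admin",
                  "Customer Group Admin", "Customer Portfolio Manager"}
# Assumption: the "Default ... Roles" entries in the list above are group labels, not role values.
VRM_TMH_ROLES = {"VRM Admin", "VRM Operations", "VRM View Only", "VRM Internal Business User",
                 "TMH Access Only Operations", "TMH Access Only Sales"}


def build_response(attributes, destination=ACS_URL, audience=ENTITY_ID):
    """Constructed, unsigned sample Response for exercising the checker (not a real IdP message)."""
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join(f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in values)
        attr_xml += f'<saml:Attribute Name="{name}" NameFormat="{URI_FMT}">{vals}</saml:Attribute>'
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
        f'Version="2.0" IssueInstant="2025-01-07T00:00:00Z" Destination="{destination}">'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-07T00:00:00Z">'
        '<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>'
        f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


def extract_attributes(response_xml):
    """Map Attribute Name -> {"format": NameFormat, "values": [raw text, ...]}; values are not trimmed."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = {"format": attr.get("NameFormat"), "values": values}
    return attrs


def check_response(response_xml):
    """Return a list of problems; an empty list means the response meets the page's requirements."""
    problems = []
    root = ET.fromstring(response_xml)
    dest = root.get("Destination")
    if dest != ACS_URL:
        problems.append(f"Destination {dest!r} != ACS URL {ACS_URL!r}")
    audiences = [a.text for a in root.iterfind(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences!r} does not include SP entity ID {ENTITY_ID!r}")
    attrs = extract_attributes(response_xml)
    for oid, label in REQUIRED.items():
        if oid not in attrs:
            if oid == SN and FULL_NAME in attrs:  # Full Name may stand in for Last Name
                continue
            problems.append(f"missing required attribute {label} [{oid}]")
            continue
        if attrs[oid]["format"] != URI_FMT:
            problems.append(f"{label} has NameFormat {attrs[oid]['format']!r}, expected {URI_FMT!r}")
        if not any(v.strip() for v in attrs[oid]["values"]):
            problems.append(f"required attribute {label} is empty")
    for oid, allowed, label in ((USER_ROLE, PLATFORM_ROLES, "user role"),
                                (VRM_TMH_ROLE, VRM_TMH_ROLES, "VRM/TMH role")):
        for value in attrs.get(oid, {"values": []})["values"]:
            if value not in allowed:  # exact match, including spaces
                problems.append(f"{label} {value!r} is not an exact match for a known role")
    return problems


# Constructed samples: a well-formed response and one with three typical mistakes
# (Metadata URL used as Audience instead of the Entity ID, sn absent, spaces around the role).
GOOD = build_response({CN: ["Ada"], SN: ["Lovelace"], MAIL: ["ada@example.com"],
                       USER_ROLE: ["Customer Admin"], USER_GROUP: ["Security"]})
BAD = build_response({CN: ["Ada"], MAIL: ["ada@example.com"], USER_ROLE: [" Customer Admin "]},
                     audience="https://service.bitsight.com/saml/metadata/")

if __name__ == "__main__":
    print("good:", check_response(GOOD))
    print("bad:", *check_response(BAD), sep="\n  ")
```

Run it as-is to see the three findings for the constructed bad response; in a real deployment, call check_response on the decoded response only after your SAML library has accepted the signature, and treat any non-empty result as a misconfiguration on the IdP side.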
Enabling SAML
After you’ve submitted your SAML metadata, you can enable SAML by toggling the “Enable Configuration” option.
Once SAML is enabled:
- A URL appears at the top of the “Your SAML Login URL” page, which will contain either:
- An SP-initiated (Service Provider-initiated) URL by default.
- An IdP-initiated (Identity Provider-initiated) URL if a custom login URL is configured.
- Users must log in through the single sign-on (SSO) URL shown on the SAML page.
- A cookie is set when a user first logs in.
- Once an Admin has successfully logged in via SAML, that Admin’s password is disabled. Other Admins can keep signing in with their credentials until they, too, log in via SAML.
- The first time any Admin successfully logs in via SAML, existing passwords are also disabled for all non-Admin users.
Revision History
- January 7, 2025: Incorporated TMH/VRM user roles into optional SAML 2.0 attributes.
- August 9, 2022: Added instructions for using multiple service providers.
- August 2, 2022: Published.