- August 9, 2022: Added instructions for using multiple service providers.
- August 2, 2022: Published.
Refer to the following instructions to set up single sign-on (SSO) using SAML:
Configuring SAML Metadata
Bitsight SAML Service Provider (SP) Details
Configure your identity provider (IdP) based on the following details:
Field | Contents |
---|---|
Metadata URL: | https://service.bitsight.com/saml/metadata/ |
SAML Version: | 2.0 |
Entity ID: | https://service.bitsighttech.com/saml/metadata/ |
Assertion Consumer Service URL: | https://service.bitsighttech.com/saml/acs/ |
Consumer Service Binding: | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
Your SP-initiated (Service Provider-initiated) Login URL: | https://service.bitsight.com/sso/demo/ |
Configuring Multiple Providers
To configure multiple providers:
- Contact Bitsight Support to have the “Multiple SAML IdP” feature enabled.
- Disable the “Auto provision users” toggle.
Once the feature is enabled, you’ll be able to add alternate providers.
For SP-initiated (Service Provider-initiated) providers, each provider requires its own suffix so that a unique login URL can be generated for it.
Attributes
The following attributes from your identity provider are required:
- 'mail' (Email Address)
- 'cn' (First Name)
- 'sn' (Last Name)
These attributes should be configured on your identity provider using one of the following naming conventions (SAML 1.1 or SAML 2.0).
SAML 1.1
Name | Name Format | Value |
---|---|---|
urn:mace:dir:attribute-def:cn | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | First Name |
urn:mace:dir:attribute-def:sn | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | Last Name |
urn:mace:dir:attribute-def:mail | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | Email |
SAML 2.0
Name | Name Format | Value |
---|---|---|
urn:oid:2.5.4.3 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | First Name |
urn:oid:2.5.4.4 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Last Name |
urn:oid:0.9.2342.19200300.100.1.3 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Email |
Optional SAML 2.0 Attributes
Additional attributes that can be specified:
Full Name
This can be specified in place of the Last Name field if the user’s name is not of the form “Firstname Lastname.”
Name | Name Format | Value |
---|---|---|
urn:oid:2.16.840.1.113730.3.1.241 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Full Name |
User Role
This specifies the user’s role in the Bitsight platform. The attribute is optional; if it is omitted, the user is given the standard user role or their existing role is left unchanged. Otherwise, its value must be one of these strings:
- Customer User
- Customer Admin
- Customer Group Admin
- Customer Portfolio Manager
Ensure the string values are an exact match, including the spaces.
Name | Name Format | Value |
---|---|---|
urn:oid:1.3.6.1.4.1.50993.1.1.2 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Role |
User Group
This specifies the user’s group. If the group does not already exist, it is created (and is initially empty). If this attribute is not specified, the default group is used.
Name | Name Format | Value |
---|---|---|
urn:oid:1.3.6.1.4.1.50993.1.1.1 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Group |
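Before enabling SAML, it is worth checking that a test assertion from your identity provider actually carries the attributes listed in the SAML 2.0 tables above. The following is an added example (not Bitsight code) that extracts the URI-format attributes from an AttributeStatement and reports missing required attributes, a missing Last Name without a Full Name to replace it, and a User Role string that is not an exact match; the sample statement is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Attribute names (OIDs) from the SAML 2.0 tables on this page.
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
CN = "urn:oid:2.5.4.3"
SN = "urn:oid:2.5.4.4"
FULL_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
USER_ROLE = "urn:oid:1.3.6.1.4.1.50993.1.1.2"
ALLOWED_ROLES = {"Customer User", "Customer Admin",
                 "Customer Group Admin", "Customer Portfolio Manager"}


def extract_attributes(statement_xml):
    """Return {Name: [values]} for every Attribute that uses the URI name format."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("NameFormat") != URI_FMT:
            continue  # all SAML 2.0 names on this page use the URI name format
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_mapping(attrs):
    """Return a list of mapping problems; an empty list means the mapping is acceptable."""
    problems = []
    for label, name in (("mail", MAIL), ("cn", CN)):
        if not any(attrs.get(name, [])):
            problems.append("missing required attribute %s (%s)" % (label, name))
    # Full Name may stand in for Last Name, so sn is only required when Full Name is absent.
    if not any(attrs.get(SN, [])) and not any(attrs.get(FULL_NAME, [])):
        problems.append("missing sn (%s) and no Full Name (%s) to replace it" % (SN, FULL_NAME))
    role = attrs.get(USER_ROLE, [])
    if role and role[0] not in ALLOWED_ROLES:  # exact match, spaces and case included
        problems.append("unrecognised User Role %r" % role[0])
    return problems


# Constructed sample statement (not a real IdP or Bitsight message): it lacks sn and
# Full Name, and its role differs from the documented string only in letter case.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Attribute Name="%s" NameFormat="%s"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="%s" NameFormat="%s"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="%s" NameFormat="%s"><saml:AttributeValue>customer admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>""" % (MAIL, URI_FMT, CN, URI_FMT, USER_ROLE, URI_FMT)

PROBLEMS = check_mapping(extract_attributes(SAMPLE))  # two problems for the sample above
```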
Enabling SAML
After you’ve submitted your SAML metadata, you can enable SAML by toggling the “Enable Configuration” option.
Once SAML is enabled:
- A URL appears at the top of the “Your SAML Login URL” page, which will contain either:
- An SP-initiated (Service Provider-initiated) URL by default.
- An IdP-initiated (Identity Provider-initiated) URL if a custom login URL is configured.
- Users will have to log in using the single sign-on (SSO) URL provided in the SAML page.
- A cookie is set on each user’s first login.
- Once an Admin has successfully logged in using SAML, their password is disabled. Other Admins may keep accessing the platform with their credentials until they also log in via SAML.
- The first time an Admin successfully logs in via SAML, the existing passwords of non-Admin users are disabled.