Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

SAML Setup

Avatar
Ingrid
Follow
  • August 9, 2022: Added instructions for using multiple service providers.
  • August 2, 2022: Published.

Refer to the following instructions to set up single sign-on (SSO) using SAML:

Navigation Options

Available in the Settings option at the top-right.

SPM App: SAML

CM App: SAML

Insurance App: SAML

National Cybersecurity: SAML

Only Admin can configure SAML. See user permissions.

Configuring SAML Metadata

Bitsight SAML Service Provider (SP) Details

Configure your identity provider (IdP) based on the following details:

Field Contents
Metadata URL: https://service.bitsight.com/saml/metadata/
SAML Version: 2.0
Entity ID: https://service.bitsighttech.com/saml/metadata/
Assertion Consumer Service URL: https://service.bitsighttech.com/saml/acs/
Consumer Service Binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
Your SP-initiated (Service Provider-initiated) Login URL: https://service.bitsight.com/sso/demo/

Configuring Multiple Providers

To configure multiple providers:

  1. Contact Bitsight Support to have the “Multiple SAML IdP” feature enabled.
  2. Disable the “Auto provision users” toggle.

Once the feature is enabled, you’ll be able to add alternate providers.

For SP-initiated (Service Provider-initiated) providers, each provider requires their own suffix so that a unique URL can be generated.

Attributes

The following attributes from your identity provider are required:

  • 'mail' (Email Address)
  • 'cn' (First Name)
  • 'sn' (Last Name)

These attributes should be configured on your identity provider using one of the following naming conventions (SAML 1.1 or SAML 2.0).

SAML 1.1

Name Name Format Value
urn:mace:dir:attribute-def:cn urn:oasis:names:tc:SAML:2.0:attrname-format:basic First Name
urn:mace:dir:attribute-def:sn urn:oasis:names:tc:SAML:2.0:attrname-format:basic Last Name
urn:mace:dir:attribute-def:mail urn:oasis:names:tc:SAML:2.0:attrname-format:basic Email

SAML 2.0

Name Name Format Value
urn:oid:2.5.4.3 urn:oasis:names:tc:SAML:2.0:attrname-format:uri First Name
urn:oid:2.5.4.4 urn:oasis:names:tc:SAML:2.0:attrname-format:uri Last Name
urn:oid:0.9.2342.19200300.100.1.3 urn:oasis:names:tc:SAML:2.0:attrname-format:uri Email

Optional SAML 2.0 Attributes

Additional attributes that can be specified:

Full Name

This can be specified in place of the last name field if the user’s name is not of the form, “Firstname Lastname.”

Name Name Format Value
urn:oid:2.16.840.1.113730.3.1.241 urn:oasis:names:tc:SAML:2.0:attrname-format:uri Full Name
User Role

This specifies the user’s role in the Bitsight platform. This field is optional (in which case the user’s role will be a standard user role, or left unchanged). Otherwise, it must be one of these strings:

Ensure the string values are an exact match, including the spaces.

  • Customer User
  • Customer Admin
  • Customer Group Admin
  • Customer Portfolio Manager
Name Name Format Value
urn:oid:1.3.6.1.4.1.50993.1.1.2 urn:oasis:names:tc:SAML:2.0:attrname-format:uri User Role
User Group

This specifies the user’s group. If the group does not already exist, it will be created (and will initially be empty). If this is not specified, then the default group is used.

Name Name Format Value
urn:oid:1.3.6.1.4.1.50993.1.1.1 urn:oasis:names:tc:SAML:2.0:attrname-format:uri User Group

Enabling SAML

After you’ve submitted your SAML metadata, you can enable SAML by toggling the “Enable Configuration” option.

Once SAML is enabled:

  • A URL appears at the top of the “Your SAML Login URL” page, which will contain either:
    • An SP-initiated (Service Provider-initiated) URL by default.
    • An IdP-initiated (Identity Provider-initiated) URL if a custom login URL is configured.
  • Users will have to log in using the single sign-on (SSO) URL provided in the SAML page.
  • A cookie is set each time a user first logs in.
  • Once an Admin has successfully logged in using SAML, their password is disabled. Other Admins may keep accessing the platform with their credentials until they also log in via SAML.
  • And the first time an admin successfully logs in, existing passwords are disabled for non-Admins.

Related articles