# SAML Setup

Ingrid

Refer to the following instructions to set up single sign-on (SSO) using SAML [Settings ➔ SAML]:

- Configuring SAML Metadata
- Service Provider Details
- Configuring Multiple Providers
- Required Attributes
- Optional SAML 2.0 Attributes
- Enabling SAML

Only Admins can configure SAML. See user permissions.

## Configuring SAML Metadata

### Bitsight SAML Service Provider (SP) Details

Configure your identity provider (IdP) based on the following details:

| Field | Contents |
|---|---|
| Metadata URL | https://service.bitsight.com/saml/metadata/ |
| SAML Version | 2.0 |
| Entity ID | https://service.bitsighttech.com/saml/metadata/ |
| Assertion Consumer Service URL | https://service.bitsighttech.com/saml/acs/ |
| Consumer Service Binding | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| Your SP-initiated (Service Provider-initiated) Login URL | https://service.bitsight.com/sso/demo/ |

### Configuring Multiple Providers

To configure multiple providers:

1. Contact Bitsight Support to have the “Multiple SAML IdP” feature enabled.
2. Disable the “Auto provision users” toggle.

Once the feature is enabled, you’ll be able to add alternate providers. For SP-initiated (Service Provider-initiated) providers, each provider requires its own suffix so that a unique URL can be generated.

## Required Attributes

The following attributes from your identity provider are required:

- `mail` (Email Address)
- `cn` (First Name)
- `sn` (Last Name)

These attributes should be configured on your identity provider using one of the following naming conventions (SAML 1.1 or SAML 2.0).

**SAML 1.1**

| Name | Name Format | Value |
|---|---|---|
| urn:mace:dir:attribute-def:cn | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | First Name |
| urn:mace:dir:attribute-def:sn | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | Last Name |
| urn:mace:dir:attribute-def:mail | urn:oasis:names:tc:SAML:2.0:attrname-format:basic | Email |

**SAML 2.0**

| Name | Name Format | Value |
|---|---|---|
| urn:oid:2.5.4.3 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | First Name |
| urn:oid:2.5.4.4 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Last Name |
| urn:oid:0.9.2342.19200300.100.1.3 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Email |

## Optional SAML 2.0 Attributes

Additional attributes that can be specified:

- Full Name
- User Role
- User Group

### Full Name

This can be specified in place of the last name field if the user’s name is not of the form “Firstname Lastname.”

| Name | Name Format | Value |
|---|---|---|
| urn:oid:2.16.840.1.113730.3.1.241 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Full Name |

### User Role

This specifies the user’s role in the Bitsight platform, or their more specific role for the Bitsight VRM and Trust Management Hub (TMH) applications. This field is optional (in which case the user’s role will be a standard user role, or left unchanged). Otherwise, it must be one of the strings listed below.

Notes:

- Bitsight platform and VRM-TMH roles cannot both be set to None. This will result in users not being able to access the Bitsight platform.
- The string value must be an exact spacing match. It is not case-sensitive.

Bitsight platform roles:

- Customer User
- Customer Admin
- Customer Group Admin
- Customer Portfolio Manager
- None

| Name | Name Format | Value |
|---|---|---|
| urn:oid:1.3.6.1.4.1.50993.1.1.2 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Role |

VRM-TMH roles:

Default Shared Roles:

- VRM Admin
- VRM Operations
- VRM View Only
- None

Default VRM Roles:

- VRM Internal Business User

Default TMH Roles:

- TMH Access Only Operations
- TMH Access Only Sales

| Name | Name Format | Value |
|---|---|---|
| urn:oid:1.3.6.1.4.1.50993.1.1.4 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | VRM/TMH Role |

### User Group

This specifies the user’s group. If the group does not already exist, it will be created (and will initially be empty). If this is not specified, then the default group is used.

| Name | Name Format | Value |
|---|---|---|
| urn:oid:1.3.6.1.4.1.50993.1.1.1 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Group |

## Enabling SAML

After you’ve submitted your SAML metadata, you can enable SAML by toggling the “Enable Configuration” option.

Once SAML is enabled:

- A URL appears at the top of the “Your SAML Login URL” page, which will contain either:
  - An SP-initiated (Service Provider-initiated) URL by default.
  - An IdP-initiated (Identity Provider-initiated) URL if a custom login URL is configured.
- Users will have to log in using the single sign-on (SSO) URL provided in the SAML page.
- A cookie is set each time a user first logs in.
- Once an Admin has successfully logged in using SAML, their password is disabled. Other Admins may keep accessing the platform with their credentials until they also log in via SAML. The first time an Admin successfully logs in, existing passwords are disabled for non-Admins.

- June 5, 2025: None user roles.
- January 7, 2025: Incorporated TMH/VRM user roles into optional SAML 2.0 attributes.
- August 9, 2022: Added instructions for using multiple service providers.
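As an added example (not Bitsight's code), the following Python checks an IdP's SAML 2.0 AttributeStatement against the attribute names and role rules on this page: the three required attributes under their `urn:oid` names, role values matched case-insensitively but with exact spacing, and the rule that the platform role and the VRM/TMH role cannot both be None. The `attribute_statement` helper only builds a constructed test input; the role lists and OIDs are taken from the tables above.

```python
import xml.etree.ElementTree as ET
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ATTR = {  # SAML 2.0 attribute names from the tables on this page
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "cn": "urn:oid:2.5.4.3",
    "sn": "urn:oid:2.5.4.4",
    "platform_role": "urn:oid:1.3.6.1.4.1.50993.1.1.2",
    "vrm_tmh_role": "urn:oid:1.3.6.1.4.1.50993.1.1.4",
}
PLATFORM_ROLES = {"customer user", "customer admin", "customer group admin",
                  "customer portfolio manager", "none"}
VRM_TMH_ROLES = {"vrm admin", "vrm operations", "vrm view only", "none", "vrm internal business user",
                 "tmh access only operations", "tmh access only sales"}

def attribute_statement(values):
    """Build a constructed AttributeStatement from {Name: value} (test input, not real IdP output)."""
    parts = [f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">']
    for name, value in values.items():
        parts.append(f'<saml:Attribute Name="{name}" NameFormat="{URI_FMT}">'
                     f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')
    parts.append("</saml:AttributeStatement>")
    return "".join(parts)

def parse_attributes(xml_text):
    """Map attribute Name -> first value for attributes declared with the URI name format."""
    out = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("NameFormat") != URI_FMT:
            continue  # SAML 1.1 'basic' attributes use the urn:mace names instead
        val = attr.find(f"{{{SAML_NS}}}AttributeValue")
        if val is not None and val.text:
            out[attr.get("Name")] = val.text.strip()
    return out

def check_attributes(xml_text):
    """List rule violations (empty = OK); run only on an assertion whose signature was already verified."""
    attrs = parse_attributes(xml_text)
    problems = [f"missing required attribute {k} ({ATTR[k]})"
                for k in ("mail", "cn", "sn") if ATTR[k] not in attrs]
    plat, vrm = attrs.get(ATTR["platform_role"]), attrs.get(ATTR["vrm_tmh_role"])
    # Role strings match case-insensitively but spacing must be exact, so only lower() is applied.
    if plat is not None and plat.lower() not in PLATFORM_ROLES:
        problems.append(f"unknown platform role {plat!r}")
    if vrm is not None and vrm.lower() not in VRM_TMH_ROLES:
        problems.append(f"unknown VRM/TMH role {vrm!r}")
    if plat and vrm and plat.lower() == vrm.lower() == "none":
        problems.append("platform role and VRM/TMH role cannot both be None")
    return problems
```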