How do I set up Single Sign-On?
Single Sign-On (SSO) enables an account to log in to your Security Center using an identity provider (IDP) that supports SAML 2.0, such as Azure AD, Okta, or OneLogin.
This allows the account to use a centralized user management system, so users do not need to exist in your Security Center to access the account.
New users can easily be assigned to your Security Center from the IDP, and the authentication process can be strengthened with any kind of MFA/2FA, since authentication follows whatever the IDP supports.
How Single Sign-On works with SAML 2.0
Security Assertion Markup Language (SAML) is a standard protocol that enables identity providers (IDPs) to securely convey to a service provider (SP), in this case, Holm Security, who a user is. It does this by sharing a cryptographically signed XML document with your Security Center, confirming a user's identity, and providing some meta-information about the user.
Once configured, a user authenticates with the following steps:
- The user navigates to their Security Center SSO login URL.
- Security Center validates the URL, and the user's browser is redirected to the configured IDP.
- The identity provider authenticates the user according to the IDP authentication process.
- Once authenticated, the browser is redirected to their Security Center with a SAML assertion.
- Security Center verifies the SAML assertion (and can provision a new user if needed).
- The user is granted access to their Security Center.
- User can now access their Security Center account.
Enable Single Sign-On using SAML 2.0
To access the Single Sign-On (SSO) configuration:
- Open the top right menu inside your Security Center.
- Click on Account Settings.
- Select the Single Sign-On section.
To get started, apply a descriptive name for the configuration, e.g., Example Organization Azure AD, and then click Enabled.
When enabling Single Sign-On (SSO) on your account, it is important to remember the following:
- A unique login link connected to your Security Center account is created for SSO authentication. This unique login link should be bookmarked, as it is the path to your account using SSO.
- Users can now log in to your account via your IDP (when properly configured).
- Local users who have been converted can only log in via SSO.
- An SSO user has a higher priority over a local Security Center user, meaning that if an SSO user is signing in, it will convert any existing matching username to an SSO user.
- The primary superuser in the Security Center cannot be converted to an SSO user.
Configure Single Sign-On with SAML 2.0
Each IDP treats SAML 2.0 slightly differently; even though it is a standard, implementations will vary. To support this over several vendors, Security Center provides three options to configure it:
- Metadata URL
  Provide a publicly accessible URL with the IDP metadata.
- Metadata file
  Upload the IDP metadata file.
- Manual settings
  Apply the IDP settings manually.
All of this information comes from the IDP. The Metadata URL is the easiest way to get started, as the IDP provides the URL for you. Ensure you are logged in to the IDP in the same browser as your Security Center when using the Metadata URL. Otherwise, the fetch will fail with an access error.
Some IDPs only allow you to download the metadata file; this is where uploading it to your Security Center comes in handy.
In rare cases, you need to provide the settings manually, which requires you to get the following information from the IDP:
- IDP login URL
- IDP entity ID/Metadata URL
- IDP Certificate
  String representation of the IDP certificate that you paste into this field.
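The three manual-settings values above are all present in a standard SAML 2.0 IDP metadata document, so when an IDP only lets you download the file you can read them out of it directly. The following Python script is an added example (not Holm Security's code): it parses a constructed metadata document for a fictional IDP (`idp.example.test`, with a placeholder certificate body) and returns the login URL, entity ID, and certificate in PEM form, ready to paste into the manual fields.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata for a fictional IDP (idp.example.test); the
# certificate body is a placeholder string, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            UExBQ0VIT0xERVIt
            Tk9ULUEtUkVBTC1D
            RVJUSUZJQ0FURQ==
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso/post"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(base64_body):
    """Strip whitespace from a base64 certificate body and wrap it as a PEM block."""
    body = "".join(base64_body.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


def extract_manual_settings(metadata_xml):
    """Return the three values the manual-settings form asks for."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IDP (no IDPSSODescriptor)")

    # Prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
    endpoints = {
        sso.get("Binding"): sso.get("Location")
        for sso in idp.findall("md:SingleSignOnService", NS)
    }
    login_url = endpoints.get(BINDING_REDIRECT) or endpoints.get(BINDING_POST)
    if not login_url:
        raise ValueError("no SingleSignOnService with a supported binding")

    # Take the first signing certificate; a KeyDescriptor without "use" covers both uses.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if el is not None and el.text and el.text.strip():
                cert = to_pem(el.text)
                break
    if cert is None:
        raise ValueError("no signing certificate in metadata")

    return {"login_url": login_url, "entity_id": entity_id, "certificate": cert}


if __name__ == "__main__":
    for key, value in extract_manual_settings(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

The script deliberately fails loudly when a value is absent: a metadata file without an `IDPSSODescriptor` or signing certificate is the most common reason a manual configuration ends up with an empty field.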
Security Center SAML 2.0 configuration
The identity provider requires specific data from Security Center to be configured properly. This data can be found in the following fields and needs to be configured and saved in the IDP for SSO to work properly:
- Customer login URL
  The URL users use to log in to Security Center, and to which the IDP redirects them after authentication.
- Login callback URL
  Security Center SAML callback URL.
- Metadata URL
  Security Center SAML metadata URL.
- Certificate
  It can be copied or downloaded as a CRT-formatted certificate.
User attribute mapping
Security Center automatically maps IDP aliases to user attributes in your Security Center account. This is handy for providing more information about the user as they will appear in your Security Center.
Below is a description of which attributes are supported, which are required, and which aliases in the IDP we are looking for to retrieve the attribute's value.
| Attribute | Required | IDP aliases supported (case-insensitive) |
|---|---|---|
| First Name | False | first_name, firstName, firstname, First_Name, FirstName |
| Last Name | False | last_name, lastName, lastname, Last_Name, LastName, surname, surName |
| Email | True | email, emailAddress, loginAddress, email_address, login_address, EmailAddress |
| Phone Number | False | phone, phoneNumber, phone_number, PhoneNumber |
| Role | False | user_role, userRole |
| Name ID | True | Okta/OneLogin: Persistent; Azure (Unique User Identifier): user.userprincipalname |
The Role of the user can be mapped to your Security Center Superuser role by using one of these values (case-insensitive):
- holm_superuser
- holm-superuser
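To see how the alias table and the superuser role values combine, here is an added Python example (not Holm Security's code) that extracts the Name ID and attributes from a constructed SAML assertion and maps them to the Security Center attributes above, case-insensitively, enforcing the required fields and setting a superuser flag from the role value. The assertion, the issuer, and the user `alice@example.test` are all constructed; the example assumes the assertion's signature has already been verified, as Security Center does before provisioning a user.

```python
import xml.etree.ElementTree as ET

# Alias table from the article: Security Center attribute -> (required, IDP aliases).
ATTRIBUTE_ALIASES = {
    "first_name": (False, ["first_name", "firstName", "firstname", "First_Name", "FirstName"]),
    "last_name": (False, ["last_name", "lastName", "lastname", "Last_Name", "LastName", "surname", "surName"]),
    "email": (True, ["email", "emailAddress", "loginAddress", "email_address", "login_address", "EmailAddress"]),
    "phone_number": (False, ["phone", "phoneNumber", "phone_number", "PhoneNumber"]),
    "role": (False, ["user_role", "userRole"]),
}
# Role values (case-insensitive) that map to the Security Center Superuser role.
SUPERUSER_ROLE_VALUES = {"holm_superuser", "holm-superuser"}

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion; signature verification is assumed to
# have happened before this step and is out of scope here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="EMAILADDRESS"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user_role"><saml:AttributeValue>Holm_Superuser</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_assertion(xml_text):
    """Return (name_id, {attribute name: [values]}) from an assertion document."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find("saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text.strip() if name_id_el is not None and name_id_el.text else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name is None:
            continue
        attrs[name] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return name_id, attrs


def map_user_attributes(name_id, attrs):
    """Map IDP attributes onto Security Center user fields using the alias table."""
    lowered = {name.lower(): values for name, values in attrs.items()}
    user = {"name_id": name_id}
    missing = []
    for field, (required, aliases) in ATTRIBUTE_ALIASES.items():
        value = None
        for alias in aliases:
            values = lowered.get(alias.lower())
            if values:
                value = values[0]  # first value wins for multi-valued attributes
                break
        if value is None and required:
            missing.append(field)
        user[field] = value
    if not name_id:
        missing.append("name_id")
    if missing:
        raise ValueError("assertion is missing required attributes: " + ", ".join(missing))
    role = user["role"]
    user["is_superuser"] = role is not None and role.lower() in SUPERUSER_ROLE_VALUES
    return user


if __name__ == "__main__":
    nid, saml_attrs = extract_assertion(SAMPLE_ASSERTION)
    print(map_user_attributes(nid, saml_attrs))
```

Note that the sample sends the email under `EMAILADDRESS` and the role as `Holm_Superuser`; both still match because the alias lookup and the superuser check are case-insensitive, exactly as the table states. An assertion with no email alias at all is rejected rather than provisioned with an empty required field.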