
SAML 2.0

Use the SAML 2.0 integration to configure single sign-on for your Demisto users, using your organization's identity provider (IdP).

If your IdP is Okta or ADFS, refer to the relevant article instead.

What is SAML 2.0?

This definition of SAML 2.0 is taken from the SAML 2.0 page on Wikipedia.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for
exchanging authentication and authorization data between security domains. SAML 2.0 is an
XML-based protocol that uses security tokens containing assertions to pass information
about a principal (usually an end user) between a SAML authority, named an Identity
Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based
authentication and authorization scenarios including cross-domain single sign-on (SSO),
which helps reduce the administrative overhead of distributing multiple authentication
tokens to the user.

Configure SAML 2.0 with your IdP

When you configure SAML 2.0, you map several attributes from your IdP to Demisto user fields. Each attribute field in Demisto must be populated with the attribute name exactly as it appears in your IdP. For example, if the email attribute in your IdP is email.address, that is the value you provide in the Attribute to get email parameter of the SAML 2.0 integration in Demisto.

IMPORTANT: Provide values for all parameters. If you skip parameters, the Demisto user that is created will lack important attributes and information, and you will have to manually assign a Demisto role to that user.

Attribute
    Description

Name
    A meaningful name for the integration instance.

Service Provider Entity ID
    Also known as an ACS URL. This is the URL of your Demisto server, for example: https://yourcompany.yourdomain.com/saml

IdP metadata URL
    URL of your organization's IdP metadata file.

IdP metadata file
    Your organization's IdP metadata file.

IdP SSO URL
    URL of the IdP application that corresponds to Demisto.

Attribute to get username
    Attribute in your IdP for the user name.

Attribute to get email
    Attribute in your IdP for the user's email address.

Attribute to get first name
    Attribute in your IdP for the user's first name.

Attribute to get last name
    Attribute in your IdP for the user's last name.

Attribute to get phone
    Attribute in your IdP for the user's phone number.

Attribute to get groups
    Attribute in your IdP for the groups of which the user is a member.

Groups delimiter
    Separator used in the groups list.

Default role
    Role to assign to the user when they are not a member of any group.

RelayState
    Only used by certain IdPs. If your IdP uses relay state, you need to supply the relay state.

Sign request and verify response signature
    Method for the IdP to verify the user sign-in request using the IdP vendor certificate.

Identity Provider public certificate
    Public certificate for your IdP.

Identity Provider private key
    Private key for your IdP, in PEM format (required for single logout).

Identity Provider Single Logout URL
    URL that users are sent to after logging out of the SAML session.

Single Logout Service Endpoint
    Logout service with which SAML communicates.

Do not map SAML groups to Demisto roles
    SAML groups will not be mapped to Demisto roles.
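To make the attribute mapping concrete, here is an added example (not Demisto's own code) that applies a mapping like the one above to a constructed SAML 2.0 assertion: it pulls each mapped attribute out of the AttributeStatement, splits the groups value on the configured delimiter, falls back to the default role when the user is in no group, and reports which mapped attributes the IdP did not send (the situation the IMPORTANT note warns about). The IdP attribute names, the delimiter and the role name are assumptions.

```python
# Added example, not Demisto's own code: apply the attribute mapping the
# integration parameters describe to a constructed SAML 2.0 assertion.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed assertion fragment; attribute names mirror a hypothetical IdP.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="user.login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email.address"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="user.firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="user.lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf"><saml:AttributeValue>Analysts;Admins</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Integration parameters from the table: IdP attribute names exactly as the IdP sends them.
MAPPING = {"username": "user.login", "email": "email.address",
           "first_name": "user.firstName", "last_name": "user.lastName",
           "phone": "user.phone",  # deliberately absent from the assertion above
           "groups": "memberOf"}
GROUPS_DELIMITER = ";"
DEFAULT_ROLE = "Read-Only"  # hypothetical role name


def attribute_values(assertion_xml: str) -> dict:
    """Return {Name: [values]} from the AttributeStatement. The caller must have
    verified the response signature first; this function trusts its input."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}


def map_user(assertion_xml: str) -> dict:
    """Build the Demisto user fields; report mapped attributes the IdP did not send."""
    attrs = attribute_values(assertion_xml)
    user, missing = {}, []
    for field, idp_name in MAPPING.items():
        values = attrs.get(idp_name, [])
        if not values:
            missing.append(field)
        if field == "groups":
            # Groups may arrive as one delimited string or as several AttributeValue elements.
            user["groups"] = [g for v in values for g in v.split(GROUPS_DELIMITER) if g]
        else:
            user[field] = values[0] if values else None
    # Default role applies only when the user belongs to no group; otherwise the
    # role comes from Demisto's group-to-role mapping (not modelled here).
    user["role"] = DEFAULT_ROLE if not user["groups"] else None
    user["missing_attributes"] = missing
    return user
```

Running map_user(ASSERTION) yields a user with groups ["Analysts", "Admins"] and missing_attributes ["phone"], which is exactly the case where the created Demisto user would lack information.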