SAML SSO Configuration

Introduction

Triage Private Cloud supports SAML authentication to enable SSO for your organization. This document describes the steps required to enable SAML authentication.

Only Service Provider (SP) initiated SSO is supported. IdP initiated SSO will fail.

1. Request SAML SSO

Contact support@recordedfuture.com mentioning:

  • Your Identity Provider (IdP) (e.g. Okta, Azure, Google)
  • Which (if any) email domains you would like automatically redirected to your SSO (e.g. @recordedfuture.com, @hatching.io)

Support will then provide you:

  • Single Sign-on (ACS) URL
    https://private.tria.ge/sso/<unique identifier>/saml/acs
  • Service Provider Entity ID URL
    https://private.tria.ge/sso/<unique identifier>/saml/metadata
  • SSO start URL
    https://private.tria.ge/login/saml/<unique identifier>

These URLs are required to set up SAML in your Identity Provider (IdP).

2. Add Sandbox to your Identity Provider (IdP)

Configure SAML in your IdP with the provided unique ACS and Entity ID URLs. Configure the app registration to send the following attributes.

Required attributes

  Attribute name   Description
  email            User email. Also used to link the IdP account to a pre-existing user in Sandbox.

Optional attributes

  Attribute name   Description
  displayname      Name displayed in Sandbox (send this, or firstname and lastname instead)
  firstname        First name (used together with lastname when displayname is not sent)
  lastname         Last name
  sandbox_role     Role for the user (e.g. org_advanced). See the role matrix for more info.

Triage supports SAML SSO through Okta, Google and Azure. Be sure to let us know if you require other identity providers.
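As an added example (not Triage's own code), a small Python check of the attribute statement your IdP emits, so the mapping above can be verified before the metadata is shared: it extracts the attributes from a constructed sample Response, confirms the required email is present, resolves the display name from displayname or firstname + lastname, and flags an unsolicited (IdP-initiated) response by its missing InResponseTo, which the introduction says will fail. It assumes the Response has already been signature-checked by your SP library; that step is not shown here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample SP-initiated Response (signatures omitted); attribute
# names follow the tables above. Not a capture from a real IdP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastname"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sandbox_role"><saml:AttributeValue>org_advanced</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return (InResponseTo, {attribute name: [values]}) from a Response."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return root.get("InResponseTo"), attrs


def first(attrs, name):
    return (attrs.get(name) or [""])[0]  # first value, or '' if absent/empty


def check_attributes(response_xml):
    """Return (problems, profile): what Triage would reject, and the user it would see."""
    in_response_to, attrs = extract_attributes(response_xml)
    problems = []
    if not in_response_to:  # unsolicited response = IdP-initiated flow, unsupported
        problems.append("no InResponseTo: IdP-initiated response, which Triage rejects")
    email = first(attrs, "email")
    if "@" not in email:  # required; also the link to a pre-existing Sandbox user
        problems.append("required attribute 'email' missing or not an address")
    # displayname wins; otherwise firstname and lastname are joined
    name = first(attrs, "displayname") or " ".join(
        p for p in (first(attrs, "firstname"), first(attrs, "lastname")) if p)
    if not name:
        problems.append("no displayname and no firstname/lastname: name will be blank")
    profile = {"email": email or None, "displayname": name or None,
               "sandbox_role": first(attrs, "sandbox_role") or None}
    return problems, profile
```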

IdP specific setup guides:

3. Share your SAML IdP Metadata file

Share your IdP metadata XML file with Support (support@recordedfuture.com) as a file attachment or link. Support will send a notification once SAML has been configured for testing. Username+password logins will continue to work until the final step.

4. Test logging in through SSO

Support will provide you with an SSO start URL (example: https://private.tria.ge/login/saml/<unique identifier>) which can be used to initiate SSO directly. Test signing in with a user by navigating to this URL.

Reach out to Support (support@recordedfuture.com) to confirm that SAML is configured correctly.

Finally

Support will then disable username+password login. Existing users will be automatically redirected to SSO. New users signing in with the provided email domains, or users navigating to the SSO start URL, will be redirected to SSO.