Support
Single Sign-On Providers

Configuring SAML-Based Single Sign-On Integration

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

SAML (Security Assertion Markup Language) is a markup language designed for exchanging authentication information between the user, the identity provider, and the service provider. 

  • SAML provides a standard for interoperability in identity management systems and technologies so that SSO can be extended across security domains.
  • Setup instructions may vary by identity provider (IdP). Invicti Enterprise supports the SAML methods both IdP initiated and SP initiated. 
  • You can also create a new user in Invicti Enterprise with the Enable Auto Provisioning option.

If you encounter any problem while setting up SSO integration, see Troubleshooting SSO Issues.

You have to use IdP-initiated SSO if you want to utilize Auto Provisioning.
If you will use SP-initiated SSO, please set the Name ID Format value to email address on the IdP side.

Single Sign-On Fields

This table lists and explains the Single Sign-On fields in the Configure Single Sign-On window.

Field Description
Enable Select this option to enable the single sign-on feature.
Enforce to authenticate only with single sign-on Enable this option so only administrator users can authenticate without single sign-on. Users can only sign in to Invicti Enterprise by using the email address that belongs to their employer.
IdP Identifier This is the SAML identity provider’s Identifier value.
SAML 2.0 Service URL This is the Consumer URL value (also called the SSO Endpoint or Recipient URL).
SAML 2.0 Endpoint This is the URL from your IdP's SSO Endpoint field.
X.509 Certificate This is the X.509 certificate value.

How to Configure SAML-Based Single Sign-On Integration
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Settings > Single Sign-On
  3. Select the SAMLv2.0 tab.

  1. If your IdP (Identity Provider) requires you to specify a SAML Identifier for Invicti Enterprise (it may also be referred to as the Audience or Target URL), use the value of the Identifier field.
  2. If your IdP requires you to specify a Consumer URL (it may also be referred to as the  SSO Endpoint or Recipient URL), use the value of the SAML 2.0 Service URL field.
  3. Retrieve the URL from your IdP's IdP Identifier field and paste it into Invicti’s IdP Identifier field.
  4. Retrieve the URL from your IdP's SSO Endpoint field and paste it into Invicti’s SAML 2.0 Endpoint field.
  5. Export your X.509 certificate, copy its content, and paste the certificate value into Invicti’s X.509 Certificate field.
  6. If Enable Auto Provisioning is enabled, you should enter the FirstName, LastName, and Phone Number (optional) fields in the Attribute Statements (Mapping). For further information about OnlySsoLogin, see Provisioning a member.

  1. If Require SAML assertions to be encrypted is selected, you can select I have an existing certificate to import a decryption certificate from your files.

  1. Enable the Use Alternate Login Email, if required. If enabled, this lets users use alternative email for SSO. So, you can enter an alternative email on the New Member Invitation page and while editing the user's details on the Team page.
  2. Select Save Changes.