SAML stands for Security Assertion Markup Language. It is an XML-based standard for exchanging authentication and authorization data between parties, in particular between an identity provider (IdP) and a service provider (SP).
SAML enables single sign-on (SSO) by allowing users to authenticate once and then access multiple services without logging in again for each one. SAML achieves this by exchanging digitally signed XML documents, called SAML assertions, between the IdP and the SP.
When a user tries to access a resource on a service provider, the SP redirects the user to the identity provider for authentication. The IdP verifies the user's identity and generates a SAML assertion containing the user's identity and attributes. The IdP signs the assertion with its private key so the SP can establish that it is authentic, and sends it back to the SP (via the user's browser). The SP verifies the signature with the IdP's public key and, if it checks out, grants access to the requested resource. A valid signature on its own only proves that the IdP issued the assertion; the SP must also confirm that the assertion was issued by the IdP it is configured to trust, is addressed to this SP (Audience and Recipient/Destination), and is inside its validity window, otherwise a genuine assertion meant for another service or an old, replayed one would be accepted.
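The SP-side checks described above, as an added example in Python (this is illustrative code, not PlexTrac's implementation). It assumes the XML signature over the assertion has already been verified against the IdP's X.509 certificate by an XML-DSig library, and covers the checks a valid signature does not make for you: issuer, status, destination, audience, bearer recipient and the time window. The IdP issuer, SP entity ID, ACS URL and the sample response are constructed values.

```python
"""Post-signature checks on a SAML 2.0 Response (added example, constructed data)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass(frozen=True)
class SpConfig:
    """What the service provider was configured with (hypothetical values below)."""
    idp_issuer: str    # the 'Provider Issuer URL' copied from the IdP
    sp_entity_id: str  # the audience the IdP issues assertions for
    acs_url: str       # the endpoint the IdP posts the response to
    clock_skew: timedelta = timedelta(seconds=60)


class SamlValidationError(Exception):
    pass


def _ts(value: str) -> datetime:
    # SAML timestamps are UTC xsd:dateTime; older Pythons reject a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, cfg: SpConfig, now: datetime) -> str:
    """Return the NameID once every post-signature check passes; raise otherwise.

    Precondition (not done here): the Assertion's XML signature has been verified
    with the public key from the IdP's configured X.509 certificate.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")

    dest = root.get("Destination")
    if dest is not None and dest != cfg.acs_url:
        raise SamlValidationError(f"Destination {dest!r} is not our ACS URL")

    # Exactly one assertion: ambiguity about which one was signed is an attack surface
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError(f"expected one Assertion, got {len(assertions)}")
    a = assertions[0]

    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg.idp_issuer:
        raise SamlValidationError(f"Issuer {issuer!r} is not the configured IdP")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + cfg.clock_skew < _ts(nb):
        raise SamlValidationError("Assertion not yet valid")
    if noa and now - cfg.clock_skew >= _ts(noa):
        raise SamlValidationError("Assertion expired")

    audiences = [e.text.strip() for e in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if cfg.sp_entity_id not in audiences:
        raise SamlValidationError(f"Audience {audiences} does not include us")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, cfg.acs_url):
            raise SamlValidationError("bearer Recipient is not our ACS URL")
        sc_noa = scd.get("NotOnOrAfter")
        if sc_noa and now - cfg.clock_skew >= _ts(sc_noa):
            raise SamlValidationError("bearer confirmation expired")

    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlValidationError("no NameID in Subject")
    return name_id


# Hypothetical SP configuration and a constructed sample response (no real endpoints).
CFG = SpConfig(idp_issuer="https://idp.example.com/metadata",
               sp_entity_id="https://app.example.com",
               acs_url="https://app.example.com/saml/acs")
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" Destination="https://app.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.example.com/saml/acs" NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
""".strip()


def check(xml_text: str, cfg: SpConfig = CFG, now: datetime = NOW) -> Tuple[bool, str]:
    """Convenience wrapper: (True, name_id) on success, (False, reason) otherwise."""
    try:
        return True, validate_response(xml_text, cfg, now)
    except (SamlValidationError, ET.ParseError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE))
```

The clock-skew allowance is deliberately small; widening it to minutes to "fix" login failures hides an IdP/SP time drift problem and lengthens the replay window of every assertion.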
PlexTrac allows the use of any SAML identity provider for logging into the application. Multiple providers can be configured for each tenant and assigned per user. For example, one user could log in with Google while another uses Okta.
This authentication method applies only to the web UI; it cannot be used to authenticate to the PlexTrac API.
SAML requires the following environment variables to be set in the PlexTrac docker-compose file:
- PROVIDER_CODE_KEY - a secure signing key; set by default in the latest version
- CLIENT_DOMAIN_NAME - the domain name you are hosting on, such as app.plextrac.com. Do not include
Users need an existing account in PlexTrac before they can sign in with an alternative method. The user's email address in PlexTrac must match the email address the user authenticates with at the identity provider; a mismatch results in a rejected login rather than a new account (unless JIT User Provisioning is enabled, see below).
Step 1: From the Admin Dashboard, click Security, and then Authentication Methods.
Step 2: Click the SAML Providers tab.
Step 3: Click Create New SAML Provider.
Step 4: Enter the information obtained through the provider setup in the appropriate fields.
- 1.Provider Name: A label for the identity provider being configured, such as Okta. In SAML terms PlexTrac is the service provider (SP) and the configured provider is the identity provider (IdP).
- 2.Allow IDP Initiated SSO: Controls whether a user may start the login from the identity provider (for example from an app tile on the IdP's dashboard) without first visiting PlexTrac. In IdP-initiated SSO the IdP sends an unsolicited SAML response, so there is no PlexTrac-generated authentication request for the response to be tied back to; leave this off unless your users need it, since SP-initiated login (the user starts at PlexTrac and is redirected to the IdP) is the more conservative flow.
- 3.Identity Provider Single Sign-On URL: The IdP endpoint that PlexTrac redirects users to in order to authenticate (the SingleSignOnService endpoint in the IdP's metadata). When a user attempts to access PlexTrac, they are sent to this URL to authenticate.
- 4.Provider Issuer URL: The issuer (entity ID) of the identity provider, copied from the IdP's metadata. A service provider compares this value with the Issuer element of each incoming assertion, so a response from any other issuer is rejected even if it is otherwise well-formed. The issuer is typically a URL or a URN (Uniform Resource Name) that uniquely identifies the SAML entity. For example:
- Identity Provider Issuer URL:
- Provider Issuer URL:
- 5.X.509 Certificate: Paste the IdP's signing certificate here (PEM text, usually copied from the IdP's metadata or admin console). PlexTrac uses the public key in this certificate to verify the signature on the assertions the IdP sends, which is what stops a forged assertion from being accepted; the certificate is not used for encryption in this flow. Because the certificate is pasted rather than fetched from metadata, it has to be updated by hand when the IdP rotates its signing certificate, otherwise logins through this provider will start failing.
- 6.Enabled: A toggle to turn the SAML configuration on or off.
Step 5: Click Create when finished.
The new setup is listed on the SAML Providers tab.
If JIT User Provisioning is enabled and you want to turn off IDP Initiated SSO, disable JIT User Provisioning first and then disable IDP Initiated SSO.
Step 1: If using IDP-initiated SSO, toggle on “Allow IDP Initiated SSO.”
Step 2: Enter the identity provider origin URL.
Step 3: Toggle on “JIT User Provisioning.”
Step 4: Select the default role for newly created users, the default classification level (if applicable), and whether users provisioned via this SAML provider are added to the Default Group. Choose the least-privileged role that new users actually need: with JIT enabled, anyone the IdP will assert for gets an account at this role without an administrator creating it first.
Step 5: Click Save (if updating an existing configuration) or Create when finished.
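The account-matching and JIT rules above, as an added example in Python (illustrative code, not PlexTrac's implementation). It takes the NameID of an already-validated assertion plus the provider's JIT settings and decides between signing in an existing account, provisioning a new one with the configured defaults, or rejecting the login. The user directory, role and group names, and the per-user provider binding are constructed assumptions; email matching is done case-insensitively here, which is a design choice to state explicitly because the page only says the addresses must be the same.

```python
"""Account matching and JIT provisioning after SAML validation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProviderConfig:
    """The SAML provider settings relevant to provisioning (hypothetical names)."""
    name: str
    jit_enabled: bool
    default_role: str = "Analyst"
    default_classification: Optional[str] = None
    add_to_default_group: bool = False


@dataclass
class User:
    email: str
    role: str
    provider: Optional[str]             # which SAML provider this account may use
    classification: Optional[str] = None
    groups: List[str] = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[User] = None


def normalize_email(name_id: str) -> str:
    # Assumption: addresses are matched case-insensitively and without surrounding space
    return name_id.strip().lower()


def resolve_login(name_id: str, provider: ProviderConfig, users: Dict[str, User]) -> Decision:
    """Map a validated NameID to an account, creating one only if JIT allows it."""
    email = normalize_email(name_id)
    existing = users.get(email)
    if existing is not None:
        # Accounts are managed per provider: an account bound to Google must not
        # be reachable through an Okta assertion that happens to carry the same email.
        if existing.provider not in (None, provider.name):
            return Decision(False, f"account is bound to {existing.provider}, not {provider.name}")
        return Decision(True, "existing account", existing)
    if not provider.jit_enabled:
        return Decision(False, "no account for this email and JIT provisioning is off")
    new_user = User(email=email, role=provider.default_role, provider=provider.name,
                    classification=provider.default_classification,
                    groups=["Default Group"] if provider.add_to_default_group else [])
    users[email] = new_user
    return Decision(True, "provisioned via JIT", new_user)


# Constructed sample directory and provider configurations.
OKTA_JIT = ProviderConfig("Okta", jit_enabled=True, default_role="Analyst",
                          default_classification="Internal", add_to_default_group=True)
OKTA_NO_JIT = ProviderConfig("Okta", jit_enabled=False)


def sample_directory() -> Dict[str, User]:
    return {
        "alice@example.com": User("alice@example.com", "Admin", provider="Okta"),
        "bob@example.com": User("bob@example.com", "Analyst", provider="Google"),
    }


if __name__ == "__main__":
    directory = sample_directory()
    for who, cfg in [("Alice@Example.com", OKTA_JIT), ("bob@example.com", OKTA_JIT),
                     ("newhire@example.com", OKTA_NO_JIT), ("newhire@example.com", OKTA_JIT)]:
        d = resolve_login(who, cfg, directory)
        print(who, cfg.name, "->", d.allowed, d.reason)
```

The ordering matters: the provider-binding check runs before the JIT branch, so enabling JIT on one provider never lets it take over accounts that belong to another.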