Will SSO “break” any access we currently have?
Once you enable SSO, the login page will only offer your users the ability to log in with SSO. Users will not have the option to log in by any means other than SSO going forward.
If you lose access, you can request that SSO be disabled by visiting the SecurityScorecard Support Portal.
Does SecurityScorecard work in dual mode?
No. SSO and regular password login cannot be offered side by side; see the preceding question.
Do you have a "test" SSO environment?
No. There is no separate test environment. Follow the setup guide and use the Test SAML Login to verify your SAML configuration before enabling it for all users.
Can I enable MFA or 2FA both in my IdP and in My Settings > 2FA?
No. Enable MFA either on the IdP side or in SecurityScorecard, not in both places. If 2FA is enabled both in the IdP and in SecurityScorecard, users will get stuck in a login "loop".
What happens if I make a mistake configuring SSO/SAML?
After configuring SAML, we require you to successfully complete an initial test, using the Test SAML Login, before enabling SAML for all users on your account.
This prevents any mistakes that lock you out of your account. If further changes cause our SAML configuration and your own to get out of sync, SecurityScorecard will disable SSO for your account so that you can log back in and reconfigure it correctly. Reach out to your Customer Success Manager or submit a Support request to do this.
Do you support SP-initiated (Service Provider) and IdP-initiated (Identity Provider) connections?
We support both SP-initiated and IdP-initiated connections, but IdP-initiated login only works once SAML has been enabled for the entire organization.
What NameID format and value does your system require us to transmit? Where can I find that information?
The NameID must be the user's email address. The required NameID format is listed in the SecurityScorecard SP metadata file.
What claims (user data) should we send?
The only requirement is for NameID (Subject) to be the user’s email.
Optionally, if you provide "firstName" and "lastName" attributes, they are picked up with access requests. We create an access request automatically when a new user tries to log in to SecurityScorecard through your SAML IdP. When that happens, admins in your account are notified by email and can approve or deny it. Approval adds the user to the list of Users in the My Settings section and sends the user a notification that they can log in to SecurityScorecard immediately.
How do I provision users with SSO?
All users still need to be in your SecurityScorecard Users list (see My Settings > Users). But when a new user arrives through a SAML login, we automatically issue an access request that any admin on your SecurityScorecard account can approve or deny, giving the new user access from that moment.
I need a certificate from SecurityScorecard in .der, .cer, or .pem format—just the certificate, not the metadata file, and preferably .der. Where can I find this information?
The certificate is part of the SecurityScorecard SP metadata .xml file at https://platform-api.securityscorecard.io/v1/saml/metadata/service-provider.
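The certificate in that metadata file is the base64 body of a ds:X509Certificate element, which is exactly the DER encoding; wrapping it in BEGIN/END CERTIFICATE lines gives you .pem. The script below pulls the signing certificate out of an SP metadata document and emits both forms. It is an added example for this FAQ, not SecurityScorecard code: the metadata it parses is a constructed stand-in with the same element layout as an SP metadata file, and the embedded blob is placeholder bytes, not a real certificate. Fetch the URL above and feed the real document to extract_certs() to get the actual certificate.

```python
"""Extract the X.509 certificate from SAML SP metadata and emit it as .pem/.der.
Added example, not SecurityScorecard code. SAMPLE_METADATA is constructed and the
embedded base64 blob is NOT a real certificate."""
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for DER bytes; not a parseable certificate.
FAKE_CERT_DER = b"NOT A REAL DER CERTIFICATE - placeholder bytes"
FAKE_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed sample with the shape of an SP metadata file (assumed entityID/URLs).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            {FAKE_B64}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_certs(metadata_xml: str, use: Optional[str] = "signing") -> List[str]:
    """Return the base64 bodies of every X509Certificate in KeyDescriptors matching `use`.
    A KeyDescriptor without a `use` attribute is valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs: List[str] = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if use and kd.get("use") not in (None, use):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata files wrap the base64 across lines; strip all whitespace.
            certs.append("".join((cert.text or "").split()))
    return certs


def to_der(b64: str) -> bytes:
    """The X509Certificate body is base64 of the DER encoding, so decoding is enough."""
    return base64.b64decode(b64, validate=True)


def to_pem(b64: str) -> str:
    """PEM is the same base64 at 64 columns between BEGIN/END CERTIFICATE markers."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for b64 in extract_certs(SAMPLE_METADATA):
        print(to_pem(b64))
        print(f"DER length: {len(to_der(b64))} bytes")
    # To convert the PEM to DER with OpenSSL instead of to_der():
    #   openssl x509 -in sp.pem -outform DER -out sp.der
```

If the real metadata ever carries more than one KeyDescriptor (for example during a certificate rotation), extract_certs() returns them all, so check the `use` attribute before trusting one as the signing key.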
Do you support SAML encryption?
No, SAML encryption is not supported. Sending an encrypted SAML response will make login fail.
Should the SecurityScorecard SAML signing certificate be CA-signed?
Can I upload multiple certificates of my identity provider (IdP)? Some SAML IdPs use this for certificate rotation.
Yes. The SAML configuration wizard detects all certificates in your SAML IdP metadata .xml file. Alternatively, you can drag multiple certificate files onto the file upload.
I’m having trouble logging in. Can you help troubleshoot?
If you are using HTTP-POST, try switching to HTTP-REDIRECT, which the SAML Configuration Wizard recommends for the SAML Request Binding. We have detected that some IdPs have problems using HTTP-POST.
What protocol version do you support?
SAML 2.0 only.
Do you support just-in-time (JIT) provisioning?
The SecurityScorecard platform supports JIT provisioning to a certain extent. If you provide "firstName" and "lastName" attributes, they are picked up with access requests. An access request is created automatically when a new user tries to log in to SecurityScorecard through your SAML IdP. When that happens, admin users in your account are notified by email and can approve it.
Does the application use SAML 2.0 HTTP-POST Profile or SAML 2.0 HTTP Artifact Profile?
This is a configuration option: you can select either the HTTP-POST or the HTTP-Redirect (GET) binding for the authentication request. The HTTP Artifact binding is not among the options.
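The difference between the two request bindings above (and the reason "switch to HTTP-REDIRECT" is a meaningful troubleshooting step) is purely in how the AuthnRequest is packaged: HTTP-Redirect deflates, base64-encodes and URL-encodes it into the query string of a GET, while HTTP-POST only base64-encodes it into a form field. The script below builds and decodes both forms. It is an added example, not SecurityScorecard code; the IdP endpoint, entity IDs, ACS URL and the AuthnRequest itself are constructed placeholders.

```python
"""Package one SAML AuthnRequest for the HTTP-Redirect (GET) and HTTP-POST bindings
and decode each back. Added example, not SecurityScorecard code; all URLs, IDs and
the request XML are constructed placeholders."""
import base64
import zlib
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SSO_URL = "https://idp.example.test/sso"              # assumed IdP SSO endpoint
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"    # assumed SP entityID
ACS_URL = "https://sp.example.test/saml/acs"              # assumed AssertionConsumerService

# Constructed, unsigned AuthnRequest (the FAQ says request signing is optional).
# ProtocolBinding tells the IdP how to deliver the *response*, which is always POST here.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    f'Destination="{IDP_SSO_URL}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    f'AssertionConsumerServiceURL="{ACS_URL}">'
    f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def redirect_binding_url(xml: str, relay_state: str = "/") -> str:
    """HTTP-Redirect: raw DEFLATE -> base64 -> URL-encode, carried in the GET query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def decode_redirect_binding(url: str) -> str:
    """Reverse of redirect_binding_url(); what the IdP does with the query string."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def post_binding_form(xml: str, relay_state: str = "/") -> Dict[str, str]:
    """HTTP-POST: base64 only (no deflate); the fields are submitted by an auto-posting form."""
    return {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode(), "RelayState": relay_state}


def decode_post_binding(form: Dict[str, str]) -> str:
    """Reverse of post_binding_form()."""
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


if __name__ == "__main__":
    url = redirect_binding_url(AUTHN_REQUEST)
    print("Redirect binding URL length:", len(url))
    print("POST binding SAMLRequest length:", len(post_binding_form(AUTHN_REQUEST)["SAMLRequest"]))
    assert decode_redirect_binding(url) == AUTHN_REQUEST
```

When an IdP rejects one binding but accepts the other, the decode functions are a quick way to confirm that the request you are sending is well-formed in both encodings before blaming the IdP.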
Does the application need an attribute service at the IdP?
No, it does not.
Does the application need assertions encrypted?
We do not support encryption.
Are SAML HTTP requests signed?
The SecurityScorecard authentication request (AuthnRequest) can be signed; this is a configuration option. SAML responses from your IdP MUST be signed.
Does the application need both assertion and response to be signed, or only the assertion?
The assertion is carried inside the SAML response, and the response itself must be signed.
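Taken together, the answers on claims, encryption and signing above define what a SAML response to SecurityScorecard has to look like: a signed Response carrying one plain (not encrypted) Assertion whose NameID is the user's email, optionally with firstName and lastName attributes. The pre-flight checker below applies those rules to a captured response so you can spot a misconfiguration before enabling SAML for everyone. It is an added example, not SecurityScorecard code: it only checks that a ds:Signature element is present on the Response (cryptographic verification needs an XML-DSig library and is out of scope here), the emailAddress NameID Format URN is assumed as the one to expect, and both sample responses are constructed.

```python
"""Pre-flight check of a SAML Response against the requirements in this FAQ: signed
Response, no EncryptedAssertion, email NameID, optional firstName/lastName. Added
example, not SecurityScorecard code; only signature *presence* is checked."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Assumed: the standard emailAddress NameID format is what "NameID should be email" means.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample that satisfies every rule (the SignatureValue is a placeholder).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample that an IdP with encryption turned on and response signing off would send.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def check_response(xml: str) -> Dict:
    """Return findings plus the NameID and attributes the access request would be built from."""
    root = ET.fromstring(xml)
    findings: List[str] = []
    name_id: Optional[str] = None
    attrs: Dict[str, str] = {}
    if root.tag != "{%s}Response" % NS["samlp"]:
        findings.append("root element is not samlp:Response")
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed (no ds:Signature on the Response element)")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("EncryptedAssertion present: SAML encryption is not supported, login will fail")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append("expected exactly one plain saml:Assertion, found %d" % len(assertions))
    else:
        assertion = assertions[0]
        nid = assertion.find("saml:Subject/saml:NameID", NS)
        if nid is None or not (nid.text or "").strip():
            findings.append("missing Subject/NameID")
        else:
            name_id = nid.text.strip()
            if "@" not in name_id:
                findings.append("NameID %r is not an email address" % name_id)
            fmt = nid.get("Format")
            if fmt and fmt != EMAIL_FORMAT:
                findings.append("NameID Format is %s, expected %s" % (fmt, EMAIL_FORMAT))
        # firstName/lastName are optional; collect whatever attributes are present.
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            value = attr.find("saml:AttributeValue", NS)
            attrs[attr.get("Name", "")] = (value.text or "").strip() if value is not None else ""
    return {"ok": not findings, "findings": findings, "name_id": name_id, "attributes": attrs}


if __name__ == "__main__":
    for label, sample in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        result = check_response(sample)
        print(label, "ok" if result["ok"] else "FAIL", result["findings"], result["attributes"])
```

Run it against a response captured from the browser's SAML tracer (base64-decode the SAMLResponse form field first); a failing "bad" result maps directly onto the encryption and signing answers above.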
Can the application redirect to IdP on logout?
This is not currently supported.
Can the application redirect to IdP on idle timeout?
This is not currently supported.
If the application does not support SAML, does it support any other SSO mechanism?
We also support Google single sign-on.
Is it possible to have multiple authentication types, both regular authentication and SAML SSO?
No. Only one authentication type can be used for a SecurityScorecard account. New users either have to be set up in your IdP so that they can reach SecurityScorecard as the service provider, or SSO has to be disabled for the SecurityScorecard account.