Getting started
Will SSO break any access we currently have?
Once you enable SSO, the login page only offers your users the option to log in with SSO. Users cannot log in by any other means going forward, except for users you explicitly place on the bypass allowlist (see "Can I use both regular authentication and SAML SSO for different users?").
If you lose access, you can request SSO to be disabled by visiting the SecurityScorecard Support Portal.
Does SecurityScorecard work in dual mode?
No. Once SSO is enabled, all users must authenticate through SSO, apart from any users you add to the bypass allowlist. See the preceding question for details.
Can I use both regular authentication and SAML SSO for different users?
Yes. In SSO Settings, select SSO enforced with an allowlist-based bypass. This lets you designate specific users who can authenticate using the traditional username-and-password method, while all other users authenticate via SSO.
To add bypass users, search for their email addresses in the allowlist and save the configuration.
Is it possible to have multiple authentication types for a single user?
No. Each user account supports only one authentication type at a time.
Do you have a test SSO environment?
No. There is no separate test environment. Before enabling SSO for all users, follow the setup guide to validate your SAML configuration using the Test SAML Login option.
What happens if I make a mistake configuring SSO/SAML?
We require you to complete a successful test login using Test SAML Login before SAML is enabled for all users. This prevents configuration mistakes from locking users out.
If a later change causes your SAML configuration to go out of sync with ours, we can disable SSO so you can log back in and reconfigure it. To request this, contact your Customer Success Manager or submit a support request.
Can I enable MFA or 2FA in both my IdP and in SecurityScorecard?
No. Enable MFA in only one place: either your IdP or SecurityScorecard, not both. Enabling MFA in both places causes a login loop.
If SAML is not supported, does SecurityScorecard offer other SSO options?
Yes. We also support Google single sign-on.
Why am I getting an error when trying to set my password?
If your organization has SSO enabled, you cannot set a local password on the SecurityScorecard platform. You must authenticate through your organization's IdP instead.
For steps on how to log in, see Error when setting a password with SSO enabled.
User provisioning
How do I provision users with SSO?
All users must be in your SecurityScorecard Users list (go to My Settings > Users). When a new user attempts to log in through your SAML IdP for the first time, we automatically create an access request. Account admins are notified by email and can approve or deny it. Once approved, the user is added to your Users list and receives a notification to log in immediately.
Do you support just-in-time (JIT) provisioning?
We support JIT provisioning to a limited extent through access requests, as described above. If you include firstName and lastName attributes in your SAML assertion, those values are automatically picked up when the access request is created.
What claims (user data) should we send?
The only required claim is NameID (Subject), which must be the user's email address. Optionally, you can include firstName and lastName, which will be populated automatically when the access request is made.
What NameID format and value does your system require?
The NameID must be the user's email address. This is also specified in the metadata file.
Connections and protocol
Do you support SP-initiated or IdP-initiated connections?
We support both SP-initiated and IdP-initiated connections. Note that IdP-initiated login only works after SAML has been enabled for your entire organization.
What protocol version do you support?
We support SAML 2.0 only.
Does the application use SAML 2.0 HTTP-POST Profile or SAML 2.0 HTTP Artifact Profile?
This is a configuration option for the SAML request binding: you can select either HTTP-POST or HTTP-Redirect (GET). The HTTP Artifact binding is not one of the options.
I'm having trouble logging in. Can you help troubleshoot?
If you are using HTTP-POST binding for the SAML request, try switching to HTTP-Redirect, which is what the SAML Configuration Wizard recommends for SAML Request Binding. Some IdPs have issues with HTTP-POST.
Certificates and encryption
Do you support SAML encryption?
No. SAML encryption is not supported. Sending an encrypted SAML response causes login to fail.
Does the application need assertions encrypted?
No. We do not support encryption. See the preceding question.
Should the SecurityScorecard SAML signing certificate be CA-signed?
No, a CA-signed certificate is not required for SAML. Unlike TLS, SAML uses an explicit trust model. You exchange your public key directly with your federation partner, who installs and explicitly trusts it without relying on a third-party CA. Self-signed certificates work well for this purpose and can be issued with longer validity periods, reducing maintenance overhead.
For more details, see this article from PingIdentity.
Can I upload multiple IdP certificates for certificate rotation?
Yes. The SAML Configuration Wizard automatically detects all certificates in your IdP's XML metadata file. You can also manually drag and drop multiple certificate files into the file upload area.
Where can I find the SecurityScorecard certificate in .der, .cer, or .pem format?
The certificate is embedded in the SecurityScorecard SP metadata XML file, available at: https://platform-api.securityscorecard.io/v1/saml/metadata/service-provider
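The questions above about certificate rotation, the NameID format declared in metadata, and obtaining the certificate in .pem or .der form all come down to reading the SP metadata XML. The following is an added example, not SecurityScorecard's code or its real metadata: it parses a constructed metadata document in the standard SAML 2.0 metadata shape, collects every X509Certificate it finds (an SP can publish more than one during rotation) and writes them out as PEM or DER. The entity ID, URLs and certificate bytes in the sample are placeholders.

```python
"""Extract signing certificate(s), the declared NameID format and the ACS
binding from a SAML 2.0 SP metadata document; emit certificates as PEM/DER."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. The certificate text is placeholder base64,
# not a real certificate; replace it with the document fetched from the SP.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCAVygAwIBAgIUPLACEHOLDERSIGNINGCERT000000
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBszCCAVygAwIBAgIUPLACEHOLDERROTATIONCERT00000
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_cert):
    """Wrap the metadata's base64 at 64 columns inside PEM armour."""
    body = "\n".join(textwrap.wrap("".join(b64_cert.split()), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def to_der(b64_cert):
    """DER/.cer is just the decoded bytes; validate=True rejects stray chars."""
    return base64.b64decode("".join(b64_cert.split()), validate=True)


def parse_sp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute applies to both uses.
        use = kd.get("use") or "signing+encryption"
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append({"use": use, "b64": "".join(c.text.split())})
    acs = sp.find("md:AssertionConsumerService", NS)
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS)],
        "wants_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "certificates": certs,
        "acs_binding": acs.get("Binding"),
        "acs_url": acs.get("Location"),
    }


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    print("NameIDFormat:", info["name_id_formats"])
    for i, cert in enumerate(info["certificates"]):
        print(f"--- certificate {i} ({cert['use']}), {len(to_der(cert['b64']))} DER bytes")
        print(to_pem(cert["b64"]))
```

To use this against the live metadata URL above, fetch the document over HTTPS and pass its text to parse_sp_metadata; every certificate it returns should be loaded into the IdP so that rotation on the SP side does not break signature validation.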
Signing and request configuration
Are SAML HTTP requests signed?
Signing SecurityScorecard's auth request is optional and configurable. However, your SAML IdP responses must be signed.
Does the application need both assertion and response signed, or only the assertion?
The assertion is part of the auth response, so signing the response covers the assertion. The response must be signed.
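The requirements scattered across this FAQ for the IdP's response (a signed Response, no encrypted assertion, an email-address NameID, optional firstName/lastName) can be checked before the Test SAML Login step. The following is an added example, not SecurityScorecard's code: it inspects a captured SAML Response for those structural properties and reports errors and warnings. It does not cryptographically verify the XML signature; that needs an XML-DSig library such as xmlsec. Both sample responses are constructed, and their issuer URLs, IDs, DigestValue and SignatureValue are placeholders rather than real signatures.

```python
"""Pre-flight check of an IdP SAML Response: Response signed, assertion not
encrypted, NameID is an email address, firstName/lastName present."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed: a response that meets every requirement on this page.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo><ds:Reference URI="#_resp1">
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed: the failure mode from the encryption questions, plus no signature.
ENCRYPTED_UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def signed_ids(root):
    """Element IDs covered by ds:Reference URIs; URI="" means the whole document.
    Structural only: this does not verify digests or the signature value."""
    ids = set()
    for ref in root.iter(f"{{{NS['ds']}}}Reference"):
        uri = ref.get("URI", "")
        ids.add(root.get("ID") if uri == "" else uri.lstrip("#"))
    return ids


def check_response(xml_text):
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return {"errors": ["root element is not samlp:Response"], "warnings": []}
    if root.get("ID") not in signed_ids(root):
        errors.append("Response is not signed; the IdP response must be signed")
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    if encrypted:
        errors.append("assertion is encrypted; encryption is not supported and login will fail")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if not encrypted:
            errors.append("no Assertion element in Response")
        return {"errors": errors, "warnings": warnings}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        errors.append("Subject has no NameID")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            errors.append(f"NameID Format is {name_id.get('Format')!r}, expected {EMAIL_FORMAT}")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", (name_id.text or "").strip()):
            errors.append("NameID value is not an email address")
    names = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for optional in ("firstName", "lastName"):
        if optional not in names:
            warnings.append(f"optional attribute {optional} missing; the access request will not carry it")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("encrypted+unsigned", ENCRYPTED_UNSIGNED_RESPONSE)):
        print(label, check_response(xml))
```

Run it on a response captured from the browser's SAML tracer (base64-decode the SAMLResponse form field first); any entry under errors is something that will make Test SAML Login fail, while warnings only affect what the access request is pre-populated with.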
Does the application need an attribute service at the IdP?
No.
Why is the SSO settings section not visible after I enable SSO?
The SSO settings section only appears after you successfully test your SAML configuration. Click Test SAML Login to confirm your setup is working, then log back in using your SSO account. The section should then be visible.
Logout and session behavior
Can the application redirect to the IdP on logout?
This is not currently supported. Users are logged out of SecurityScorecard only and are not redirected to your IdP.
Can the application redirect to the IdP on idle timeout?
This is not currently supported. Session timeouts end the SecurityScorecard session only.