
Enabling single sign-on with a generic SAML identity provider for Hyperproof Gov

Written by Hyperproof Support
Updated over 3 weeks ago

👥 Roles and permissions

  • Only administrators can enable SSO for the organization


Hyperproof Gov supports single sign-on (SSO) with identity providers that are SAML 2.0 compliant. Once SSO is enabled for your organization, Hyperproof Gov users will be able to log in with credentials that are stored and managed by the identity provider, using a custom URL that is specific to your organization.

If your organization is in Hyperproof Gov, an example of a custom URL is: https://luna.hyperproofgov.app

Before you can configure the generic SAML option, Hyperproof Support needs to provision a subdomain. To get your subdomain, create a support request asking for SSO setup. In the example above, the subdomain is luna.


📝 Note

To complete this process, after you finish Step Two: Configuring a generic SAML identity provider in your Hyperproof Gov organization, open a support case with Hyperproof Support and request the Sign request certificate.



📝 Note

If the domain is a .com address, the subdomain is set as the domain without the .com suffix.

If the domain is not a .com address, the subdomain is set as the domain name without the period.

Examples

Domain name | Subdomain
----------- | ---------
            | acme
            | lunabtechnologies
            | techstartupio
            | whitehousegov



📝 Note

If you have SSO enabled and you invite someone to your organization whose email address is not part of your SSO domain, such as external auditors or contractors, they can't log into Hyperproof via the custom URL provided for SSO. These users must log in using the default URL for your Hyperproof instance. Default Hyperproof URLs include:


Step One: Configuring your SAML identity provider for Hyperproof Gov

The first step in configuring a generic SAML SSO connection is to configure your identity provider (IdP) to allow connections from Hyperproof Gov. Consult your identity provider’s documentation for more information. Most IdPs require the following information to create a new connection or app.

Name | Value
---- | -----
Assertion Consumer Service (ACS) URL | https://signin.hyperproofgov.app/sso/saml2/temp
SP Entity ID | https://hyperproofgov.app/saml2/service-provider/MY_HYPERPROOF_SUBDOMAIN

The Assertion Consumer Service URL value is temporary and will be updated once SSO configuration is complete in Hyperproof Gov.

For the SP Entity ID, replace MY_HYPERPROOF_SUBDOMAIN with the subdomain assigned to your organization, such as luna.

Note that Hyperproof requires an email attribute in the SAML response. You may need to add this attribute (claim) explicitly in your identity provider’s configuration. The attribute should appear as follows:

<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">user@example.com</saml2:AttributeValue>
</saml2:Attribute>
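The following Python script is an added example, not Hyperproof code: it derives the subdomain and SP Entity ID from an organization's domain using the rule stated in the note above, then checks a SAML response for the three things this page requires of the IdP side: exactly one `email` attribute in the format shown, an address inside the organization's SSO domain (users outside it cannot use the SSO URL), and an Audience equal to the organization's SP Entity ID. The sample response, the issuer URL `https://idp.example.com/metadata` and the address `jane.doe@luna.com` are constructed for the demo; the response is unsigned, so this is a configuration sanity check, not a replacement for signature validation.

```python
"""Sanity-check a SAML response against the Hyperproof Gov requirements on this page.

Added example, not Hyperproof code. Assumes the SAML 2.0 assertion namespace and the
<saml2:Attribute> layout shown above; the sample response below is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def subdomain_for(domain: str) -> str:
    """Subdomain rule from the page: drop a .com suffix, otherwise drop the period."""
    d = domain.strip().lower()
    if d.endswith(".com"):
        return d[: -len(".com")]
    return d.replace(".", "")


def sp_entity_id(domain: str) -> str:
    """SP Entity ID the IdP must be configured with, derived from the org's domain."""
    return f"https://hyperproofgov.app/saml2/service-provider/{subdomain_for(domain)}"


def check_response(response_xml: str, org_domain: str) -> dict:
    """Return the email found plus a list of problems (an empty list means it looks good)."""
    root = ET.fromstring(response_xml)
    problems = []
    email = None

    # 1. The assertion must carry exactly one Attribute named "email".
    attrs = [a for a in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS)
             if a.get("Name") == "email"]
    if len(attrs) != 1:
        problems.append(f'expected one Attribute Name="email", found {len(attrs)}')
    else:
        attr = attrs[0]
        if attr.get("NameFormat") != UNSPECIFIED:
            problems.append(f"unexpected NameFormat {attr.get('NameFormat')!r}")
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        if len(values) != 1 or not EMAIL_RE.match(values[0]):
            problems.append(f"email attribute value is not a single address: {values}")
        else:
            email = values[0]
            # 2. Users outside the SSO domain cannot sign in through the SSO URL.
            if not email.lower().endswith("@" + org_domain.lower()):
                problems.append(f"{email} is outside the SSO domain {org_domain}")

    # 3. The Audience must be this organization's SP Entity ID.
    expected = sp_entity_id(org_domain)
    audiences = [a.text.strip() for a in
                 root.findall(".//saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if expected not in audiences:
        problems.append(f"Audience {audiences} does not include {expected}")

    return {"email": email, "entity_id": expected, "problems": problems}


# Constructed, unsigned sample response for the demo (not from a real tenant).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.com/metadata</saml2:Issuer>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://hyperproofgov.app/saml2/service-provider/luna</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">jane.doe@luna.com</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, "luna.com"))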

When the Hyperproof Gov connection or app is configured in your IdP, collect the following items that will be needed later in the configuration process:

  • Locate the Sign-in URL or IdP URL, then copy it.

  • Download the X.509 signing certificate.

Step Two: Configuring a generic SAML identity provider in your Hyperproof Gov organization

Once you’ve configured your identity provider to allow connections from Hyperproof Gov, you need to add the metadata to the SSO configuration of your Hyperproof Gov organization.

  1. Log in to Hyperproof as an Administrator.

  2. From the left menu, select Settings and then select Authentication.


    📝 Note

    The Authentication tab is not visible until SSO is turned on for your organization. If SSO has been turned on and you don’t see the tab, log out of Hyperproof and then log back in again. If the option is still not visible, please create a support request.


  3. Toggle on Single Sign On (SSO).

  4. From the Identity Provider drop-down menu, select Generic SAML.

  5. Configure the SAML connection using the options provided (see SAML provider options).

  6. Upload the X.509 Signing Certificate.

  7. Click Save.

    The status of your SSO configuration starts as Pending but transitions to Connected if no problems are encountered.

  8. Copy the Assertion Consumer Service URL from the top of the page. You will need this URL in the next section.

SAML provider options

Field | Description
----- | -----------
Sign in URL | IdP Authentication Request Protocol endpoint that receives SAML AuthnRequest messages from Hyperproof Gov.
X.509 Signing Certificate | Signing certificate (encoded in PEM or CER) provided by your identity provider.
Issuer URI | Issuer URI of the identity provider, usually the SAML Metadata EntityID of the IdP EntityDescriptor.
Sign out URL (optional) | SAML single log out URL.
Sign request | When enabled, the SAML authentication request will be signed. Open a support case with Hyperproof Support, asking for the accompanying certificate so your SAML identity provider can validate the assertions' signature.
Sign request algorithm | Algorithm Hyperproof will use to sign the SAML assertions.
Sign request digest algorithm | Algorithm Hyperproof will use for the sign request digest.
Protocol binding | HTTP binding supported by the identity provider.
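Most of the values in the table above (Sign in URL, X.509 Signing Certificate, Issuer URI, Sign out URL, Protocol binding) are published in the identity provider's SAML 2.0 metadata document. The Python script below is an added example, not Hyperproof code, that reads such a metadata file and maps it onto those fields, preferring HTTP-POST over HTTP-Redirect when the IdP offers both and re-wrapping the embedded certificate as PEM for upload. The sample metadata, its entity ID `https://idp.example.com/metadata`, the endpoint URLs and the certificate bytes are constructed placeholders.

```python
"""Extract the SAML provider option values from an IdP's SAML 2.0 metadata document.

Added example, not Hyperproof code. Assumes the standard SAML 2.0 metadata layout
(EntityDescriptor / IDPSSODescriptor); the sample metadata below is constructed.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Order matters: the first binding present in the metadata wins.
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
}


def to_pem(b64_der: str) -> str:
    """Re-wrap the base64 DER blob from <ds:X509Certificate> as a PEM certificate."""
    body = "".join(b64_der.split())  # metadata often line-wraps the blob
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def idp_form_values(metadata_xml: str) -> dict:
    """Map IdP metadata onto the fields of the SAML provider options table."""
    root = ET.fromstring(metadata_xml)
    entity = (root if root.tag == "{%s}EntityDescriptor" % NS["md"]
              else root.find(".//md:EntityDescriptor", NS))
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def by_binding(tag: str) -> dict:
        return {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{tag}", NS)}

    sso = by_binding("SingleSignOnService")
    slo = by_binding("SingleLogoutService")
    binding = next((b for b in BINDINGS if b in sso), None)
    if binding is None:
        raise ValueError("IdP offers no HTTP-POST or HTTP-Redirect SSO endpoint")

    # Signing certificate: a KeyDescriptor with use="signing" or no use attribute.
    certs = [k.findtext(".//ds:X509Certificate", default="", namespaces=NS)
             for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")]
    certs = [c for c in certs if c.strip()]
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "issuer_uri": entity.get("entityID"),
        "sign_in_url": sso[binding],
        "protocol_binding": BINDINGS[binding],
        "sign_out_url": slo.get(binding) or next(iter(slo.values()), None),
        "x509_signing_certificate_pem": to_pem(certs[0]),
    }


# Constructed sample metadata; the certificate is placeholder bytes, not real DER.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real DER certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for field, value in idp_form_values(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Paste the printed values into the matching fields, and keep the metadata file: when the IdP rotates its signing certificate the X.509 Signing Certificate field is the one that must be re-uploaded, and comparing a fresh metadata download against the stored one is the quickest way to spot that change.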

Step Three: Updating the Assertion Consumer Service URL (ACS URL) for Hyperproof Gov

When you configured SSO in your Hyperproof Gov organization, Hyperproof generated an Assertion Consumer Service URL specific to your organization. This URL needs to be updated in the connection or app you created in your IdP in Step One: Configuring your SAML identity provider for Hyperproof Gov.

  • Log in to or access your IdP configuration and update the Assertion Consumer Service URL (ACS) in the connection or app.

Step Four: Logging in to Hyperproof Gov with SSO

You’ll be able to log in to Hyperproof Gov using your identity provider’s credentials after SSO is fully configured for your Hyperproof organization.

At this point, you’ll have the option to make SSO required. If it’s required, users without a company email address can still log in via Google, Office 365, or email/password. Refer to Requiring SSO for login for more information.

  1. Using your previous credentials, e.g. Google, Office 365, or email/password, log in to Hyperproof.

  2. From the left menu, select Settings and then select Authentication.


    📝 Note

    To allow users to log in via IdP, for example by clicking the Hyperproof logo on the Okta apps page, select the Allow IdP-initiated sign-in checkbox.


  3. Copy your organization's SSO URL to the clipboard.

  4. Log out of Hyperproof by clicking your user icon in the upper-right corner, and then clicking Sign Out.

  5. Paste the SSO URL into a new browser tab, and then press Enter.

    You’re redirected to your identity provider where you can log in with your identity provider credentials. Once you’ve provided your credentials, you’ll be logged in to Hyperproof Gov automatically.
