![Hyperproof.Io [Test] Help Center](https://downloads.intercomcdn.com/i/o/xgk1dxp2/757668/427b255f2659cc7e0853d6a00ec1/628914ae2617199b7d999ba797a5305a.png)
👥 Roles and permissions
Only administrators can enable SSO for the organization
Hyperproof supports single sign-on (SSO) with identity providers that are SAML 2.0 compliant. Once SSO is enabled for your organization, Hyperproof users will be able to log in with credentials that are stored and managed by the identity provider, using a custom URL that is specific to your organization.
If your organization is in Hyperproof US, an example of a custom URL is:
https://luna.hyperproof.appIf your organization is in Hyperproof EU, an example of a custom URL is:
https://luna.hyperproof.eu
Before you can configure the generic SAML option, Hyperproof Support needs to provision a subdomain. To get your subdomain, create a support request asking for SSO setup.
📝 Note
To complete this process, you must open a support case with Hyperproof Support and request the Sign request certificate required completing Step Two: Configuring a generic SAML identity provider in your Hyperproof organization.
📝 Note
If the domain is a .com address, the subdomain is set as the domain without the .com suffix.
If the domain is not a .com address, the subdomain is set as the domain name without the period.
Examples
Domain name | Subdomain |
acme | |
lunabtechnologies | |
techstartupio | |
whitehousegov |
📝 Note
If you have SSO enabled and you invite someone to your organization whose email address is not part of your SSO domain, such as external auditors or contractors, they can't log into Hyperproof via the custom URL provided for SSO. These users must log in using the default URL for your Hyperproof instance. Default Hyperproof URLs include:
Hyperproof US: https://hyperproof.app/
Hyperproof EU: https://hyperproof.eu/
Hyperproof Gov: http://hyperproofgov.app/
Step One: Configuring your SAML identity provider
The first step in configuring a generic SAML SSO connection is to configure your identity provider to allow connections from Hyperproof. Consult your identity provider’s documentation for more information.
Note that Hyperproof requires an email attribute in the SAML response. You may need to add this attribute (claim) explicitly in your identity provider’s configuration. The attribute should appear as follows:
<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue></saml2:Attribute>
Step Two: Configuring a generic SAML identity provider in your Hyperproof organization
Once you’ve configured your identity provider to allow connections from Hyperproof, you need to add the metadata to the SSO configuration of your Hyperproof organization.
Log in to Hyperproof as an Administrator.
From the left menu, select Settings and then select Authentication.
📝 Note
The Authentication tab is not visible until SSO is turned on for your organization. If SSO has been turned on and you don’t see the tab, log out of Hyperproof and then log back in again. If the option is still not visible, please create a support request.
Toggle on Single Sign On (SSO).
From the Identity Provider drop-down menu, select Generic SAML.
Configure the SAML connection using the options provided (see SAML provider options below).
Upload the X.509 Signing Certificate Certificate.
Click Save.
Once the configuration is complete, you can use the following values to complete the SAML identity provider configuration:
Name | Value |
Assertion Customer Service (ACS) URL | Hyperproof US:
Hyperproof EU:
|
SP Entity ID |
|
SAML provider options
Field | Description |
Sign in URL | SAML single log in URL |
X.509 Signing Certificate | Signing certificate (encoded in PEM or CER) provided by your identity provider |
Sign out URL (optional) | SAML single log out URL |
User ID attribute (optional) | Attribute in the SAML token that will be used as the user's identity |
Sign request | When enabled, the SAML authentication request will be signed. Open a support case with Hyperproof Support, asking for the accompanying certificate so your SAML identity provider can validate the assertions' signature. |
Sign request algorithm | Algorithm Hyperproof will use to sign the SAML assertions |
Sign request digest algorithm | Algorithm Hyperproof will use for the sign request digest |
Protocol binding | HTTP binding supported by the identity provider |
Step Three: Logging in to Hyperproof with SSO
You’ll be able to log in to Hyperproof using your identity provider’s credentials after SSO is fully configured for your Hyperproof organization.
At this point, you’ll have the option to make SSO required. If it’s required, users without a company email address can still log in via Google, Office 365, or email/password. Refer to Requiring SSO for login for more information.
Using your previous credentials, e.g. Google, Office 365, or email/password, log in to Hyperproof.
From the left menu, select Settings and then select Authentication.
📝 Note
To allow users to log in via IdP, for example, by clicking the Hyperproof logo on the Okta apps page, select the Allow IdP-initiated sign-in checkbox.
Copy your organization's SSO URL to the clipboard.
Log out of Hyperproof by clicking your user icon in the upper-right corner, and then clicking Sign Out.
Paste the SSO URL into a new browser tab, and then press Enter.
You’re redirected to your identity provider where you can log in with your identity provider credentials. Once you’ve provided your credentials, you’ll be logged in to Hyperproof automatically.