SSO using SAML
StackGuardian provides Single Sign-On (SSO) for Business and Enterprise customers, giving IT administrators a central place to manage team access and keeping sensitive information secure. With SSO, users sign in to the app through a single authentication source.
This guide explains how to set up SAML SSO with StackGuardian using Azure (Microsoft Entra ID) as the Identity Provider (IdP).
Step 1: Create a new application integration
- Sign in to the Azure portal.
- Navigate to the "Microsoft Entra ID" service.
- Navigate to "Enterprise Applications" and then select “All Applications”.
- To add a new application for the StackGuardian platform, select “New application”.
- In the Microsoft Entra Gallery, click “Create your own application”.
- Enter the name of your application and, for its purpose, select "Integrate any other application you don't find in the gallery (Non-gallery)".
- Click "Create" and wait until the application is added; this can take a few seconds.
Create a new application
Step 2: Create SAML Integration
- Navigate to the application’s integration page, under Getting Started click on “Set up single sign on”.
- Under the Select a single sign-on method page, select SAML.
Create SAML Integration
Step 3: SAML Settings
- Go to the Basic SAML Configuration section.
- Click the Edit button to edit the SAML configuration.
- Find the field labelled "Identifier (Entity ID)" and enter the following value:
urn:amazon:cognito:sp:eu-central-1_xut85XJiL
- In the configuration modal, find the field labelled "Reply URL" (the Assertion Consumer Service (ACS) URL) and enter the following value:
https://stackguardian-sso-prod.auth.eu-central-1.amazoncognito.com
- Save the changes.
For the secondary region (backup):
- Repeat the first two steps above.
- Find the field labelled "Identifier (Entity ID)" and enter the following value for the secondary region:
urn:amazon:cognito:sp:eu-west-1_KZtybWlR7
- In the configuration modal, find the field labelled "Reply URL" and enter the following value for the secondary region:
https://stackguardian-prod-sso-alt.auth.eu-west-1.amazoncognito.com
- Save the changes for the secondary region.
Configuring the SAML settings for both regions sets up redundancy: one integration in the primary region (eu-central-1) and one in the secondary region (eu-west-1). If the primary region experiences issues or downtime, the secondary region serves as a backup and maintains service continuity.
SAML settings
Step 4: Configure Attributes & Claims
- Click the "Edit" button for User Attributes & Claims.
- Click "Add a group claim".
- In the popover, select "All groups" and choose "Group ID" as the source attribute, then save the group claim.

| Claim Attribute | Value |
|---|---|
| groups | user.groups [All] |
| emailAddress | user.mail |
| givenname | user.givenname |
| name | user.userprincipalname |
| surname | user.surname |

The other claims are pre-configured by default; the table above lists the expected value for each claim attribute.
Configure a Group ID filter on the group claim so that only groups matching your organization’s naming convention (e.g. names containing 'stackguardian') are sent. Sending this smaller subset keeps the claim compact and avoids the problems that occur when the group claim exceeds 2048 characters.
Attributes & Claims Config
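To make the claim mapping and the group filter concrete, here is an added Python example (not part of the original guide or of StackGuardian's or Microsoft's code). It simulates the group filter over a constructed directory group list, reports when the unfiltered group claim would exceed the 2048-character figure given above, and parses a constructed, unsigned SAML assertion to show what the service provider receives for the five claim attributes in the table. The full claim URIs are assumed to be the Entra ID defaults behind the short names in the table; the group object IDs and user data are made up.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the claim URIs Entra ID emits by default for the
# short names in the table above (assumed defaults; check your app's claim list).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_URIS = {
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
    "emailAddress": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "givenname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}
URI_TO_CLAIM = {uri: claim for claim, uri in CLAIM_URIS.items()}

# Size the guide gives for the group claim, above which a group filter is needed.
GROUP_CLAIM_LIMIT = 2048

# Constructed directory groups as (display name, object ID); the IDs are made up.
SAMPLE_DIRECTORY_GROUPS = [
    ("stackguardian-admins", "11111111-1111-1111-1111-111111111111"),
    ("finance-readers", "22222222-2222-2222-2222-222222222222"),
    ("stackguardian-developers", "33333333-3333-3333-3333-333333333333"),
]

# Constructed, unsigned assertion carrying the filtered groups as Group IDs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def filter_groups(directory_groups, convention):
    """Simulate the group filter: keep groups whose display name contains the
    convention (case-insensitive) and return the object IDs that would be emitted,
    since the claim's source attribute is Group ID."""
    pattern = re.compile(re.escape(convention), re.IGNORECASE)
    return [gid for name, gid in directory_groups if pattern.search(name)]


def group_claim_size(group_ids):
    """Characters of group data the claim would carry (attribute values only)."""
    return sum(len(gid) for gid in group_ids)


def needs_filter(group_ids, limit=GROUP_CLAIM_LIMIT):
    """True when the unfiltered group claim would exceed the limit the guide mentions."""
    return group_claim_size(group_ids) > limit


def parse_claims(assertion_xml):
    """Extract the five table claims from an AttributeStatement as {claim: [values]}.
    Parsing only: an SP must verify the assertion signature before trusting any value."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        claim = URI_TO_CLAIM.get(attr.get("Name"))
        if claim is None:
            continue  # ignore claims that are not in the table
        claims[claim] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return claims


if __name__ == "__main__":
    sent = filter_groups(SAMPLE_DIRECTORY_GROUPS, "stackguardian")
    print("group IDs that would be sent:", sent, "| filter needed:", needs_filter(sent))
    print("claims received by the SP:", parse_claims(SAMPLE_ASSERTION))
```

Running the script shows only the two groups whose names contain "stackguardian" being sent, and the parsed claims keyed by the short names from the table. Because the source attribute is Group ID, what the service provider sees are object IDs, not names, which is why the filter is applied to the display name on the Entra side before the claim is emitted.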
Step 5: Assign users to StackGuardian
- Go to Microsoft Entra ID and select "Enterprise Applications".
- Select "All applications" and find your application in the list.
- Under the Getting Started section of the app's overview page, click "Assign users and groups".
- Click "Add user/group", select the users from the Users list in the dialog box, select a role from the dropdown if needed, and click "Assign".
Assign users
Step 6: Share App Federation Metadata Url with StackGuardian
- Go to Microsoft Entra ID and select "Enterprise Applications".
- Select "All applications" and find your application in the list.
- Under the Getting Started section of the app's overview page, click "Set up single sign on".
- Under "SAML Certificates", copy the "App Federation Metadata Url" and share it, together with your "StackGuardian org name" and "your AD users' domain name", with your StackGuardian representative.
Once everything is successfully set up on the StackGuardian side, you will be notified to test the connection.
Inviting SSO Users or Groups
To invite SSO users or groups, use the following API endpoint. Send a payload with the user or group information in this format:
API endpoint: https://api.app.stackguardian.io/api/v1/orgs/{org}/invite_user/
```json
{
  "userId": "<sso-group-name>/user.email@stackguardian.io",
  "resendInvite": false,
  "role": "ADMIN"
}
```
- Replace <sso-group-name> with the appropriate SSO group name from the dropdown options visible to the user.
- Replace user.email@stackguardian.io with the actual email address of the user.
Refer to the API documentation for more details on how to use the endpoint.
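The following Python script is an added example, not code from the original guide or from StackGuardian. It builds the invite payload in the "<sso-group-name>/<email>" format shown above, rejects malformed input before anything is sent, and prepares the POST request to the endpoint from the guide. The organisation name, group name and e-mail are constructed placeholders, and the Authorization header is an assumption: the guide does not describe how the API authenticates, so substitute the scheme documented in the StackGuardian API documentation.

```python
import json
import re
import urllib.request

# Endpoint from the guide; {org} is your StackGuardian organisation name.
INVITE_URL = "https://api.app.stackguardian.io/api/v1/orgs/{org}/invite_user/"

# Minimal e-mail shape check; '/' is excluded because it separates group and e-mail in userId.
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")


def invite_problems(sso_group, email):
    """Return the reasons an invite would be malformed (empty list when it is fine)."""
    problems = []
    if not sso_group:
        problems.append("SSO group name must not be empty")
    elif "/" in sso_group:
        problems.append("SSO group name must not contain '/'")
    if not EMAIL_RE.match(email):
        problems.append(f"not a valid e-mail address: {email!r}")
    return problems


def build_invite_payload(sso_group, email, role="ADMIN", resend_invite=False):
    """Build the JSON body in the guide's format: userId is "<sso-group-name>/<email>"."""
    problems = invite_problems(sso_group, email)
    if problems:
        raise ValueError("; ".join(problems))
    return {"userId": f"{sso_group}/{email}", "resendInvite": resend_invite, "role": role}


def build_invite_request(org, payload, api_token):
    """Build the POST request without sending it. The Authorization header value is a
    placeholder assumption; use the scheme given in the StackGuardian API documentation."""
    req = urllib.request.Request(
        INVITE_URL.format(org=org),
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
    )
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", api_token)  # assumed placeholder, see docstring
    return req


def invite_user(org, sso_group, email, api_token, opener=urllib.request.urlopen, **kwargs):
    """Send the invite; `opener` is injectable so the call can be exercised without network."""
    req = build_invite_request(org, build_invite_payload(sso_group, email, **kwargs), api_token)
    with opener(req) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed values; nothing is sent in this dry run.
    payload = build_invite_payload("sg-admins", "user.email@stackguardian.io")
    req = build_invite_request("example-org", payload, "<API_TOKEN_PLACEHOLDER>")
    print(req.get_method(), req.get_full_url())
    print(req.data.decode("utf-8"))
```

Validating the group name and e-mail before building userId matters because the "/" separator is what the API uses to split the two parts; a group name containing "/" would be parsed as a different group and address than intended.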