Enabling single sign-on with a generic SAML identity provider for Hyperproof Gov

Roles and permissions

Only administrators can enable SSO for the organization

Hyperproof Gov supports single sign-on (SSO) with identity providers that are SAML 2.0 compliant. Once SSO is enabled for your organization, Hyperproof Gov users will be able to log in with credentials that are stored and managed by the identity provider, using a custom URL that is specific to your organization.

If your organization is in Hyperproof Gov, an example of a custom URL is: https://luna.hyperproofgov.app

Before you can configure the generic SAML option, Hyperproof Support needs to provision a subdomain. To get your subdomain, create a support request asking for SSO setup. In the example, above the subdomain is luna.

Note

If the domain is a .com address, the subdomain is set as the domain without the .com suffix.

If the domain is not a .com address, the subdomain is set as the domain name without the period.

Examples

Domain name	Subdomain
http://acme.com	acme
http://lunabtechnologies.com	lunabtechnologies
http://techstartup.io	techstartupio
http://whitehouse.gov	whitehousegov

Note

If you have SSO enabled and you invite someone to your organization whose email address is not part of your SSO domain, such as external auditors or contractors, they can't log into Hyperproof via the custom URL provided for SSO. These users must log in using the default URL for your Hyperproof instance. Default Hyperproof URLs include:

Hyperproof US: https://hyperproof.app/
Hyperproof EU: https://hyperproof.eu/
Hyperproof Gov: http://hyperproofgov.app/

The first step in configuring a generic SAML SSO connection is to configure your identity provider (IdP) to allow connections from Hyperproof Gov. Consult your identity provider’s documentation for more information. Most IdPs require the following information to create a new connection or app.

Name	Value
Assertion Customer Service (ACS) URL	`https://signin.hyperproofgov.app/sso/saml2/temp`
SP Entity ID	`https://hyperproofgov.app/saml2/service-provider/MY_HYPERPROOF_SUBDOMAIN`

The Assertion Consumer Service URL value is temporary and will be updated once SSO configuration is complete in Hyperproof Gov.

For the SP Entity ID, replace MY_HYPERPROOF_SUBDOMAIN with the subdomain assigned to your organization, such as luna.

Note that Hyperproof requires an email attribute in the SAML response. You may need to add this attribute (claim) explicitly in your identity provider’s configuration. The attribute should appear as follows:

<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:type="xs:string">user@example.com</saml2:AttributeValue>
</saml2:Attribute>

When the Hyperproof Gov connection or app is configured in your IdP, collect the following items that will be needed later in the configuration process:

Locate the Sign in URL or IdP URL and copy it.
Download the X.509 signing certificate.

Once you’ve configured your identity provider to allow connections from Hyperproof Gov, you need to add the metadata to the SSO configuration of your Hyperproof Gov organization.

Log in to Hyperproof as an Administrator.
From the left menu, select Settings and then select Authentication.
Note
The Authentication tab is not visible until SSO is turned on for your organization. If SSO has been turned on and you don’t see the tab, log out of Hyperproof and then log back in again. If the option is still not visible, please create a support request.
Toggle on Single Sign On (SSO).
From the Identity Provider drop-down menu, select Generic SAML.
Configure the SAML connection using the options provided (see SAML provider options).
Upload the X.509 Signing Certificate Certificate.
Click Save.
The status of your SSO configuration starts as Pending but transitions to Connected if no problems are encountered.
Copy the Assertion Consumer Service URL from the top of the page. You will need this URL in the next section.

SAML provider options

Field	Description
Sign in URL	IdP Authentication Request Protocol endpoint that receives SAML AuthnRequest messages from Hyperproof Gov.
X.509 Signing Certificate	Signing certificate (encoded in PEM or CER) provided by your identity provider
Issuer URI	Issuer URI of the identity provider, usually the SAML Metadata EntityID of the IdP EntityDescriptor.
Sign out URL (optional)	SAML single log out URL
Sign request	When enabled, the SAML authentication request will be signed. Your Hyperproof Customer Success Manager will provide you with the accompanying certificate so your SAML identity provider can validate the assertions' signature.
Sign request algorithm	Algorithm Hyperproof will use to sign the SAML assertions
Sign request digest algorithm	Algorithm Hyperproof will use for the sign request digest
Protocol binding	HTTP binding supported by the identity provider

When you configured SSO in your Hyperproof Gov organization, Hyperproof generated an Assertion Consumer Service URL specific to your organization. This URL needs to be updated in the connection or app you created in your IdP in Step One: Configuring your SAML identity provider for Hyperproof Gov.

You’ll be able to log in to Hyperproof Gov using your identity provider’s credentials after SSO is fully configured for your Hyperproof organization.

At this point, you’ll have the option to make SSO required. If it’s required, users without a company email address can still log in via Google, Office 365, or email/password. Refer to Requiring SSO for login for more information.

Using your previous credentials, e.g. Google, Office 365, or email/password, log in to Hyperproof.
From the left menu, select Settings and then select Authentication.
Note
To allow users to log in via IdP, for example by clicking the Hyperproof logo on the Okta apps page, select the Allow IdP-initiated sign-in checkbox.
Copy your organization's SSO URL to the clipboard.
Log out of Hyperproof by clicking your user icon in the upper-right corner, and then clicking Sign Out.
Paste the SSO URL into a new browser tab, and then press Enter.
You’re redirected to your identity provider where you can log in with your identity provider credentials. Once you’ve provided your credentials, you’ll be logged in to Hyperproof Gov automatically.

In this section:

Enabling single sign-on with a generic SAML identity provider for Hyperproof Gov

Roles and permissions

Note

Note

Note

SAML provider options

Note

Search results