Enabling single sign-on with a generic SAML identity provider

Roles and permissions

Only administrators can enable SSO for the organization

Hyperproof supports single sign-on (SSO) with identity providers that are SAML 2.0 compliant. Once SSO is enabled for your organization, Hyperproof users will be able to log in with credentials that are stored and managed by the identity provider, using a custom URL that is specific to your organization.

If your organization is in Hyperproof US, an example of a custom URL is: https://luna.hyperproof.app
If your organization is in Hyperproof EU, an example of a custom URL is: https://luna.hyperproof.eu

Before you can configure the generic SAML option, Hyperproof Support needs to provision a subdomain. To get your subdomain, create a support request asking for SSO setup.

Note

If the domain is a .com address, the subdomain is set as the domain without the .com suffix.

If the domain is not a .com address, the subdomain is set as the domain name without the period.

Examples

Domain name	Subdomain
http://acme.com	acme
http://lunabtechnologies.com	lunabtechnologies
http://techstartup.io	techstartupio
http://whitehouse.gov	whitehousegov

Note

If you have SSO enabled and you invite someone to your organization whose email address is not part of your SSO domain, such as external auditors or contractors, they can't log into Hyperproof via the custom URL provided for SSO. These users must log in using the default URL for your Hyperproof instance. Default Hyperproof URLs include:

Hyperproof US: https://hyperproof.app/
Hyperproof EU: https://hyperproof.eu/
Hyperproof Gov: http://hyperproofgov.app/

The first step in configuring a generic SAML SSO connection is to configure your identity provider to allow connections from Hyperproof. Consult your identity provider’s documentation for more information.

Note that Hyperproof requires an email attribute in the SAML response. You may need to add this attribute (claim) explicitly in your identity provider’s configuration. The attribute should appear as follows:

<saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:type="xs:string">user@example.com</saml2:AttributeValue>
</saml2:Attribute>

Once you’ve configured your identity provider to allow connections from Hyperproof, you need to add the metadata to the SSO configuration of your Hyperproof organization.

Log in to Hyperproof as an Administrator.
From the left menu, select Settings and then select Authentication.
Note
The Authentication tab is not visible until SSO is turned on for your organization. If SSO has been turned on and you don’t see the tab, log out of Hyperproof and then log back in again. If the option is still not visible, please create a support request.
Toggle on Single Sign On (SSO).
From the Identity Provider drop-down menu, select Generic SAML.
Configure the SAML connection using the options provided (see SAML provider options below).
Upload the X.509 Signing Certificate Certificate.

Click Save.

Once the configuration is complete, you can use the following values to complete the SAML identity provider configuration:

Name	Value
Assertion Customer Service (ACS) URL	Hyperproof US: `https://signin.hyperproof.app/login/callback?connection=SUBDOMAIN` Hyperproof EU: `https://signin.hyperproof.eu/login/callback?connection=SUBDOMAIN`
SP Entity ID	`urn:auth0:hyperproof:SUBDOMAIN`

Name

Value

Assertion Customer Service (ACS) URL

Hyperproof US:

https://signin.hyperproof.app/login/callback?connection=SUBDOMAIN

Hyperproof EU:

https://signin.hyperproof.eu/login/callback?connection=SUBDOMAIN

SP Entity ID

urn:auth0:hyperproof:SUBDOMAIN

SAML provider options

Field	Description
Sign in URL	SAML single log in URL
X.509 Signing Certificate	Signing certificate (encoded in PEM or CER) provided by your identity provider
Sign out URL (optional)	SAML single log out URL
User ID attribute (optional)	Attribute in the SAML token that will be used as the user's identity
Sign request	When enabled, the SAML authentication request will be signed. Your Hyperproof Customer Success Manager will provide you with the accompanying certificate so your SAML identity provider can validate the assertions' signature.
Sign request algorithm	Algorithm Hyperproof will use to sign the SAML assertions
Sign request digest algorithm	Algorithm Hyperproof will use for the sign request digest
Protocol binding	HTTP binding supported by the identity provider

You’ll be able to log in to Hyperproof using your identity provider’s credentials after SSO is fully configured for your Hyperproof organization.

At this point, you’ll have the option to make SSO required. If it’s required, users without a company email address can still log in via Google, Office 365, or email/password. Refer to Requiring SSO for login for more information.

Using your previous credentials, e.g. Google, Office 365, or email/password, log in to Hyperproof.
From the left menu, select Settings and then select Authentication.
Note
To allow users to log in via IdP, for example by clicking the Hyperproof logo on the Okta apps page, select the Allow IdP-initiated sign-in checkbox.
Copy your organization's SSO URL to the clipboard.
Log out of Hyperproof by clicking your user icon in the upper-right corner, and then clicking Sign Out.
Paste the SSO URL into a new browser tab, and then press Enter.
You’re redirected to your identity provider where you can log in with your identity provider credentials. Once you’ve provided your credentials, you’ll be logged in to Hyperproof automatically.

In this section:

Enabling single sign-on with a generic SAML identity provider

Roles and permissions

Note

Note

Note

SAML provider options

Note

Search results