In order to make your life easier we have set up integrations with some of the most common SAML single sign-on providers such as Okta, Azure, Ping Identity and OneLogin. This functionality is available on the Enterprise plan. Follow the guidelines at the bottom of this article to enable access to Detectify via your SSO provider. First, learn which providers and attributes we support.
What attributes do we support?
Please note these attributes might be named differently depending on your provider and you'll usually find the correct name in your SAML meta file.
User.Email = email of the user
User.FirstName = first name of the user
User.LastName = last name of the user
User.MemberOf = where the user should end up, see below for more details.
User.MemberOf is a custom multi-value text field which you have to populate. On our side of things we will expect an array of text strings following this pattern: ['detectify.guest.TEAM-IDENTIFIER', 'detectify.user.TEAM-IDENTIFIER', 'detectify.admin.TEAM-IDENTIFIER'], where TEAM-IDENTIFIER can be either the team name (set by you) or an immutable team token provided by us, and "guest", "user" and "admin" are the different permission levels.
Teams / Groups
In Okta and other providers you can set up groups and assign users to these groups. We use this to identify which users should have access to specific teams and with what permission levels. The groups need to follow a specific naming scheme: detectify.user.team-name
The different parts can either be separated using dots (.) or dashes (-).
The first part is an identifier on your end so that you can choose to only tell us about groups in your system that start with "detectify" rather than sending over all your groups. See the example below for how it looks on the Okta end.
The second part is the access-level which should be specified with one of the following values:
1. guest
This means view-only access. The user will be able to view reports and profiles but not able to change anything or view billing.
2. user
Team members with user credentials can read reports, run tests, activate domain monitoring, change scan profile settings and set up integrations. They are however not able to manage assets in your team (e.g. remove an asset, add a new scan profile, verify an asset).
3. admin
This means the user will have full access to the features on their account.
The third part defines which team these rules apply to and should be specified as one of these:
1. The name (spaces included) of the team the user wants to join.
Please remember that changing the team name will block access.
2. The token of the team they want to join.
This is a token that will be provided to you by your CSM. Because it is immutable, using it instead of the name allows the team name to be changed without breaking access.
3. * or empty string.
This means "wildcard" and will affect ALL teams accessible for the SAML connection. Example: detectify-user-* will give all users that join using SAML user-access to all teams.
Access Priority
If the user is added to several groups that name the same team (by team name or team token) with different permission levels, the one offering the highest permissions will be selected:
detectify.user.TeamA
detectify.admin.TeamA
= the user will join TeamA with admin credentials
More specific names will always have priority over wildcards:
detectify.user.TeamA
detectify.admin.*
= the user will join TeamA with user credentials
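The naming scheme and the two priority rules above are easy to get subtly wrong when you assemble groups in your IdP, so here is an added example (not Detectify's own code) that parses a list of User.MemberOf values and resolves the resulting access level per team. It assumes the rules exactly as the article states them: dot or dash separators, the "detectify" prefix, the three levels guest < user < admin, "*" or an empty third part as a wildcard, highest level wins for the same team, and a specific team name always beats a wildcard. Team matching is a plain string comparison; how Detectify normalises the third part (for instance dashes versus spaces) is not specified beyond the Okta example further down, so that is an assumption here.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Permission levels in ascending order of privilege, as described in the article.
LEVELS = ("guest", "user", "admin")
RANK = {name: i for i, name in enumerate(LEVELS)}

# The identifier that marks a group as relevant to Detectify.
PREFIX = "detectify"

# A group looks like "<prefix><sep><level><sep><team>" where <sep> is "." or "-".
# Only the first two separators are structural; everything after them is the
# team part, so team identifiers containing further dots or dashes survive intact.
GROUP_RE = re.compile(r"^([^.\-]+)[.\-]([^.\-]+)[.\-](.*)$")


def parse_group(group: str) -> Optional[Tuple[str, str]]:
    """Return (level, team) for a well-formed Detectify group, else None.

    Groups without the "detectify" prefix, or with an unknown access level,
    are ignored so that unrelated IdP groups can be forwarded harmlessly.
    A team part of "*" or "" is returned as "*" (wildcard).
    """
    m = GROUP_RE.match(group.strip())
    if not m:
        return None
    prefix, level, team = m.groups()
    if prefix.lower() != PREFIX or level.lower() not in RANK:
        return None
    team = team.strip()
    if team in ("", "*"):
        team = "*"
    return level.lower(), team


def resolve_access(groups: Iterable[str], accessible_teams: Iterable[str]) -> Dict[str, str]:
    """Map each team accessible to the SAML connection to the level the user gets.

    Rules implemented: for the same team the highest level wins; a group naming
    a specific team always beats a wildcard, even a higher-privileged one; teams
    matched by no group are absent from the result (no access).
    Team identifiers are compared as exact strings (assumption, see lead-in).
    """
    explicit: Dict[str, str] = {}
    wildcard: Optional[str] = None
    for g in groups:
        parsed = parse_group(g)
        if parsed is None:
            continue
        level, team = parsed
        if team == "*":
            if wildcard is None or RANK[level] > RANK[wildcard]:
                wildcard = level
        else:
            current = explicit.get(team)
            if current is None or RANK[level] > RANK[current]:
                explicit[team] = level
    result: Dict[str, str] = {}
    for team in accessible_teams:
        if team in explicit:
            result[team] = explicit[team]
        elif wildcard is not None:
            result[team] = wildcard
    return result


if __name__ == "__main__":
    # Constructed sample MemberOf values, including an unrelated group and a
    # dash-separated wildcard, checked against a constructed list of teams.
    sample_groups = ["Everyone", "detectify.user.TeamA", "detectify-admin-*"]
    for team, level in resolve_access(sample_groups, ["TeamA", "TeamB"]).items():
        print(f"{team}: {level}")
```

Run it as-is to see the second worked example from the article (TeamA resolves to user because the specific group wins, while TeamB gets admin from the wildcard). Feeding the exact strings your IdP emits for a test user into `resolve_access` is a quick way to review a group layout before you send it over.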
Guidelines for setting up SSO:
Follow these steps in order to use your SSO solution to access Detectify. (Example provided is for Okta and the names of the issuer and certificate may vary depending on provider). The SSO integration is available on the Enterprise price plan.
1. Contact your CSM and provide the following information:
- SAML issuer ID
- Single sign-on URL
- X.509 certificate or similar
- Specify what you would like to use as your identifier; this could be 'email', 'an ID' or both
2. Using the URLs provided to you by your CSM, enter the information in the Detectify app on the Okta side. In your Okta group you need to specify the identifier, access level and team - as per the information further up. Eg. detectify.admin.Example-Team for a user to access the team "Example Team" with full admin permissions.