Authentication

7 min

default the default authentication method for trufflehog uses google oauth or magic links for user management administrators must add each user by email that should have dashboard access to the users page saml sso authentication can be configured to be handled by a saml sso identity provider (idp) when this option is enabled, the idp is responsible for user management okta configuration select “create a new app integration” select a “saml 2 0” app set your app name and app logo single sign on url → see authentication page in trufflehog dashboard single sign on url → see assertion consumer service (acs) url on authentication page in trufflehog dashboard audience uri → base url for your trufflehog deployment for example, if your acs url is https //real strong chipmunk c1 prod trufflehog org/saml/acs https //real strong chipmunk c1 prod trufflehog org/saml/acs , your audience uri will be https //real strong chipmunk c1 prod trufflehog org https //real strong chipmunk c1 prod trufflehog org name id format → emailaddress add the following attribute statements email → user email firstname → user firstname lastname → user lastname complete setup go to the new app admin page go to sign on tab open “view saml setup instructions” select the idp metadata from the text box paste the metadata content into the metadata field on the trufflehog authentication page azure configuration go to enterprise applications, and select "new application" select "create your own application" enter the name of your application, and click create go to single sign on, and select saml edit basic saml configuration set identifier to audience uri from trufflehog authentication page set reply url to acs url from trufflehog authentication page save go back to single sign on, and copy the app federation metadata url and paste the metadata url in trufflehog authentication page edit attributes & claims and add the following username user mail email user mail firstname user givenname lastname user surname add users or groups to your application additional notes if you are using an idp that uses a subject that is unique for each session, add a 'username' attribute/claim that returns the user's email address trufflehog's service provider metadata endpoint can be found at /saml/metadata for your deployed instance for example, if your instance is https //real strong chipmunk c1 prod trufflehog org https //real strong chipmunk c1 prod trufflehog org , the service provider metadata endpoint is https //real strong chipmunk c1 prod trufflehog org/saml/metadata https //real strong chipmunk c1 prod trufflehog org/saml/metadata you can use dynamic role based access control (rbac) docid\ ybhiv5fvtb0lxnm6itd5h to control jit provisioning based on a user's group membership or other attributes sent by the idp