---
title: Authentication
slug: authentication
docTags: 
createdAt: 2024-05-13T22:13:55.786Z
---

## Default

The default authentication method for TruffleHog uses Google OAuth or Magic Links for user management. Administrators must add each user who should have dashboard access, by email address, on the Users page.

## SAML SSO

Authentication can be configured to be handled by a SAML SSO identity provider (IdP). When this option is enabled, the IdP is responsible for user management.

### Okta Configuration

1. Select “Create a new app integration”

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/ntUhQXnFSFJqKotOJ9ezO_image.png" size="100" width="1867" height="1296" position="center" caption="Adding new app integration" indent="2"}

2. Select a “SAML 2.0” app

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/Ic3mGDZIFIiIz8XX9U4jy_image.png" size="100" width="1869" height="1303" position="center" caption="Select SAML 2.0 app" indent="2"}

3. Set your app name and app logo

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/E_KXd0ZyV6VJS2aV6qMPy_image.png" size="100" width="1881" height="1185" position="center" caption="Define the app tile" indent="2"}

4. Single sign-on URL → see the Authentication page in the TruffleHog dashboard

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/HgMexprMV1M5SykghHwXK_image.png" size="100" width="3020" height="1696" position="center" caption="Copy the ACS URL" indent="2"}

5. Single sign-on URL → the Assertion Consumer Service (ACS) URL shown on the Authentication page in the TruffleHog dashboard
6. Audience URI → Base URL for your TruffleHog deployment. For example, if your
   ACS URL is [https://real-strong-chipmunk.c1.prod.trufflehog.org/saml/acs](https://real-strong-chipmunk.c1.prod.trufflehog.org/saml/acs), your
   Audience URI will be [https://real-strong-chipmunk.c1.prod.trufflehog.org](https://real-strong-chipmunk.c1.prod.trufflehog.org)
7. Name ID Format → EmailAddress
8. Add the following Attribute Statements
   1. email → user.email
   2. firstName → user.firstName
   3. lastName → user.lastName

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/cI0w-WerghhasJxI7W5Lg_image.png" size="100" width="2019" height="1824" position="center" caption="Fill in the required fields" indent="3"}

9. Complete setup
10. Go to the new app admin page
11. Go to Sign On tab
12. Open “View SAML setup instructions”

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/QaxYLdEUYUY--V6ok0b_t_image.png" size="100" width="2079" height="1823" position="center" caption="Find the SAML setup instructions" indent="2"}

13. Select the IdP metadata in the text box and copy it

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/yrFIYO2MlzT8X9x7OVfEN_image.png" size="100" width="2116" height="1815" position="center" caption="Copy the IDP metadata URL" indent="2"}

14. Paste the metadata content into the Metadata field on the TruffleHog Authentication page

### Azure Configuration

1. Go to Enterprise Applications, and select "New Application"

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/gJVqEKCe2PLCo8no66o9W_image.png" size="100" width="1546" height="1035" position="center" caption="Create a new application" indent="2"}

2. Select "Create your own application"

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/oxpyk4JK-Y97ltI8Tj5Lu_image.png" size="100" width="1541" height="1018" position="center" caption="Select Create your own application" indent="2"}

3. Enter the name of your application, and click Create
4. Go to Single sign-on, and select SAML

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/YcXUcaOx1XUff-hhUVJFv_image.png" size="100" width="1541" height="1031" position="center" caption="Select SAML method" indent="2"}

5. Edit Basic SAML Configuration
   1. Set Identifier to Audience URI from TruffleHog Authentication Page
   2. Set Reply URL to ACS URL from TruffleHog Authentication Page
   3. Save
6. Go back to Single sign-on, copy the App Federation Metadata URL, and paste it into the Metadata URL field on the TruffleHog Authentication page

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/gVCP478YjfmQK0tpfEqtA_image.png" size="100" width="1545" height="1030" position="center" caption="Copy the metadata URL" indent="2"}

7. Edit Attributes & Claims and add the following:
   1. username: user.mail
   2. email: user.mail
   3. firstName: user.givenName
   4. lastName: user.surname

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/6SSyPkYpXuPj4Q4RrJp6N_image.png" size="100" width="1563" height="915" position="center" caption="Define the attributes and claims" indent="3"}

8. Add users or groups to your application

::Image[]{src="https://api.archbee.com/api/optimize/S23bFlGfp3a-8_a9YY_cE/DKzuxa6LZl8pwcNOGxokN_image.png" size="100" width="1566" height="1032" position="center" caption="Add users or groups" indent="2"}

### Additional Notes

- If your IdP issues a subject (NameID) that is unique for each session rather than a stable identifier, add a 'username' attribute/claim that returns the user's email address.
- TruffleHog's Service Provider metadata endpoint can be found at `/saml/metadata` for your deployed instance. For example, if your instance is [https://real-strong-chipmunk.c1.prod.trufflehog.org](https://real-strong-chipmunk.c1.prod.trufflehog.org), the Service Provider metadata endpoint is [https://real-strong-chipmunk.c1.prod.trufflehog.org/saml/metadata](https://real-strong-chipmunk.c1.prod.trufflehog.org/saml/metadata).
- You can use [Dynamic Role-Based Access Control (RBAC)](docId\:YBHiV5fvtb0lxnM6itD5H) to control JIT provisioning based on a user's group membership or other attributes sent by the IdP.
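As an added example (not TruffleHog's own code), the following script derives the Service Provider values the Okta and Azure procedures above ask for from a deployment's base URL, and inspects a constructed SAML assertion for the attribute statements and the NameID caveat from the notes. The sample assertion, the host name and the user values are constructed for illustration.

```python
"""Derive TruffleHog SP values and check a SAML assertion against the SSO setup."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("email", "firstName", "lastName")


def sp_values(base_url: str) -> dict:
    """Values to enter in the IdP, derived from the deployment's base URL."""
    base = base_url.rstrip("/")
    return {"audience_uri": base,
            "acs_url": base + "/saml/acs",
            "sp_metadata": base + "/saml/metadata"}


def check_assertion(xml_text: str, audience_uri: str) -> list:
    """Return a list of problems; an empty list means the assertion fits the setup."""
    root = ET.fromstring(xml_text)
    problems = []
    aud = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != audience_uri:
        problems.append(f"Audience {aud!r} != Audience URI {audience_uri!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing attribute {name}")
    # A per-session subject (e.g. a transient NameID) needs a 'username' claim
    if fmt != NAMEID_EMAIL and not attrs.get("username"):
        problems.append("NameID is not emailAddress and no 'username' attribute")
    return problems


# Constructed sample: transient NameID and no 'username' claim, so it is flagged
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://real-strong-chipmunk.c1.prod.trufflehog.org</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    values = sp_values("https://real-strong-chipmunk.c1.prod.trufflehog.org/")
    print(values)
    print(check_assertion(SAMPLE, values["audience_uri"]))
```

The script only inspects assertion contents; signature verification of the IdP response is TruffleHog's job, not this check's.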

