TruffleHog authentication

Default

The default authentication method for TruffleHog uses Google OAuth or Magic Links (e-mailed sign-in links) for user management. Administrators must add each user who should have dashboard access, by e-mail address, on the Users page.

SAML SSO

Authentication can instead be handled by a SAML 2.0 SSO identity provider (IdP). When this option is enabled, the IdP is responsible for user management: dashboard access is controlled by which users or groups you assign to the app in the IdP, not by the Users page.

Okta Configuration

  1. Select “Create a new app integration”
  2. Select a “SAML 2.0” app
  3. Set your app name and app logo
  4. Single sign-on URL → the Assertion Consumer Service (ACS) URL shown on the Authentication page of the TruffleHog dashboard
  5. Audience URI → the base URL of your TruffleHog deployment, i.e. the ACS URL with its path removed. For example, if your ACS URL is https://real-strong-chipmunk.c1.prod.trufflehog.org/saml/acs, your Audience URI will be https://real-strong-chipmunk.c1.prod.trufflehog.org
  6. Name ID Format → EmailAddress
  7. Add the following Attribute Statements
    1. email → user.email
    2. firstName → user.firstName
    3. lastName → user.lastName
  8. Complete setup
  9. Go to the new app's admin page
  10. Go to the Sign On tab
  11. Open “View SAML setup instructions”
  12. Copy the IdP metadata from the text box
  13. Paste the metadata into the metadata field on the TruffleHog Authentication page

Azure Configuration

  1. Go to Enterprise Applications and select “New Application”
  2. Select “Create your own application”
  3. Enter the name of your application and click Create
  4. Go to Single sign-on and select SAML
  5. Edit Basic SAML Configuration
    1. Set Identifier to the Audience URI from the TruffleHog Authentication page
    2. Set Reply URL to the ACS URL from the TruffleHog Authentication page
    3. Save
  6. Go back to Single sign-on, copy the App Federation Metadata Url and paste it into the Metadata URL field on the TruffleHog Authentication page
  7. Edit Attributes & Claims and add the following:
    1. username: user.mail
    2. email: user.mail
    3. firstName: user.givenName
    4. lastName: user.surname
  8. Add users or groups to your application; only assigned users can sign in to TruffleHog

Additional Notes

  • If your IdP issues a subject (NameID) that is unique for each session, such as a transient NameID, TruffleHog cannot use it to recognise a returning user. In that case add a ‘username’ attribute/claim that returns the user’s e-mail address, as in the Azure claims above.
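The following script is an added example, not code from the TruffleHog docs or product. It checks the three things the Okta and Azure procedures above and the note on per-session subjects depend on: that the Audience URI is the ACS URL's base URL, that the IdP metadata you are about to paste actually contains an HTTP-POST single sign-on endpoint and a signing certificate, and that a test assertion from the IdP carries the right Audience, the mapped attributes, and either an EmailAddress NameID or a ‘username’ attribute when the NameID is transient. All URLs, entity IDs and the sample metadata and assertion are constructed for illustration; signatures are deliberately not verified here, since that is the service provider's job at login time.

```python
"""Sanity checks for the SAML values above (added example, not TruffleHog's own
code). All URLs, entity IDs and assertion contents are constructed."""
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET  # use defusedxml for metadata you do not trust

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = {"email", "firstName", "lastName"}


def audience_from_acs(acs_url: str) -> str:
    """Audience URI (Okta step 5, Azure Identifier): the deployment's base URL,
    i.e. the scheme and host of the ACS URL with the path removed."""
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"ACS URL must be an absolute https URL: {acs_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def check_idp_metadata(xml_text: str) -> dict:
    """Confirm the IdP metadata carries what the SP needs: an entityID, an
    HTTP-POST SingleSignOnService endpoint and at least one signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding", "").endswith(":HTTP-POST")]
    # A KeyDescriptor without a 'use' attribute is valid for signing as well.
    certs = [k for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use", "signing") == "signing"
             and k.find(".//ds:X509Certificate", NS) is not None]
    if not sso or not certs:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing cert")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0],
            "signing_certs": len(certs)}


def check_assertion(xml_text: str, expected_audience: str) -> dict:
    """Check a test assertion: Audience equals our Audience URI, the mapped
    attributes are present, and the user is identifiable from an EmailAddress
    NameID or, for a per-session (transient) NameID, from 'username'."""
    a = ET.fromstring(xml_text)
    audience = a.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        raise ValueError(f"Audience {audience!r} != {expected_audience!r}")
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    missing = REQUIRED_ATTRS - set(attrs)
    if missing:
        raise ValueError(f"missing attribute statements: {sorted(missing)}")
    name_id = a.find(".//saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format", "") if name_id is not None else ""
    if fmt == NAMEID_EMAIL:
        user = name_id.text
    elif "username" in attrs:
        user = attrs["username"]
    else:
        raise ValueError("NameID is not an e-mail address and no 'username' attribute")
    return {"user": user, "name_id_format": fmt, **attrs}


ACS_URL = "https://real-strong-chipmunk.c1.prod.trufflehog.org/saml/acs"

# Constructed Okta-style IdP metadata, trimmed to the elements checked above.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/exk0constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion with a transient NameID, so 'username' must carry the e-mail.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7c1e</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://real-strong-chipmunk.c1.prod.trufflehog.org</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    audience = audience_from_acs(ACS_URL)
    print(check_idp_metadata(SAMPLE_METADATA))
    print(check_assertion(SAMPLE_ASSERTION, audience))
```

To use it against your own tenant, replace SAMPLE_METADATA with the metadata copied from Okta's “View SAML setup instructions” text box or fetched from the Azure App Federation Metadata Url, and SAMPLE_ASSERTION with a decoded test assertion captured with your browser's developer tools during a login attempt. A failing Audience check is the usual cause of an assertion being rejected after setup: the Audience URI must be the bare base URL, not the ACS URL.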