Single Sign On (SSO)

SSO / SAML Integrations

Integrating with Demyst's SAML service is easy!

To allow your users to log in to the Demyst platform with the same credentials they use to sign in to their own services, Demyst offers a SAML SSO integration point.

The client integrating with Demyst needs two values from Demyst: the metadata_url and the assertion_consumer_service_url.

Demyst's metadata_url and assertion_consumer_service_url are the same for every organization we integrate with; they differ only per environment (dev / stg / prod):

  • metadata_url: /console/saml/metadata
  • assertion_consumer_service_url: /console/saml/consume

Metadata URL Examples

Staging metadata_url : https://stg.demyst.com/console/saml/metadata

Production metadata_url : https://demyst.com/console/saml/metadata

Assertion Consumer Service ("ACS") URL Examples

Staging assertion_consumer_service_url : https://stg.demyst.com/console/saml/consume

Production assertion_consumer_service_url : https://demyst.com/console/saml/consume


Demyst needs four things from the client to complete the integration

The integration is configured in the Demyst platform here:
https://demyst.com/app/settings

If a metadata file is available from the SAML service, Demyst can extract all four items automatically from that file by using the upload function on this page:


Otherwise, the following elements should be populated as noted:

  1. SSO Issuer : Identifies the organization (the identity provider's entity ID)
  2. SSO Target URL : The URL where client users go to log in to the Demyst platform using their existing credentials
  3. SSO Cert Fingerprint : Identifies the certificate used to sign SAML responses from the organization
  4. SSO Cert Fingerprint Algorithm : Identifies the hash algorithm used to fingerprint the certificate

Demyst can derive the SSO Cert Fingerprint and the SSO Cert Fingerprint Algorithm from the SSO Certificate itself, so it is not necessary to send the fingerprint and algorithm directly.

Examples:

SSO Issuer: http://www.okta.com/abc123

SSO Target URL: https://myorg.okta.com/app/some_prefix/abc123/sso/saml

SSO Cert Fingerprint: 9B:0E:BB[...]4C:0D:3A

SSO Cert Fingerprint Algorithm: http://www.w3.org/2000/09/xmldsig#sha256

Once the integration is complete, members of the organization can sign in to the Demyst platform by visiting the URL that was provided as the SSO Target URL.
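The following Python script is an added example, not Demyst's code and not a description of how the settings page is implemented. It shows what the metadata upload described above has to do: read an identity provider's SAML metadata, pick out the four settings listed above (issuer, target URL, certificate fingerprint, fingerprint algorithm) and compute the fingerprint from the certificate. The metadata document is constructed for this example; its entityID and Location reuse the page's example values, and the certificate body is a labelled placeholder rather than a real X.509 certificate, so the fingerprint it yields is only illustrative.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_URI = "http://www.w3.org/2000/09/xmldsig#sha256"
# Fingerprint algorithm identifier (the page's example uses sha256) -> hashlib name.
FINGERPRINT_ALGORITHMS = {SHA1_URI: "sha1", SHA256_URI: "sha256"}

# Constructed placeholder: NOT a real DER certificate, only bytes for the
# fingerprint computation to hash.
PLACEHOLDER_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-X509-CERTIFICATE"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode("ascii")

# Constructed IdP metadata in the shape an IdP such as Okta publishes; the
# entityID and Location reuse the page's example values. The first
# KeyDescriptor is an encryption-only key that must be skipped.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myorg.okta.com/app/some_prefix/abc123/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://myorg.okta.com/app/some_prefix/abc123/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def certificate_fingerprint(cert_b64: str, algorithm_uri: str = SHA256_URI) -> str:
    """Hash the DER bytes of a base64 X509Certificate value; return the
    colon-separated uppercase hex form used in the SSO Cert Fingerprint field."""
    der = base64.b64decode("".join(cert_b64.split()), validate=True)
    digest = hashlib.new(FINGERPRINT_ALGORITHMS[algorithm_uri], der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_sso_settings(metadata_xml: str, algorithm_uri: str = SHA256_URI) -> dict:
    """Pull issuer, target URL, certificate fingerprint and algorithm from IdP metadata."""
    # For metadata uploaded by untrusted parties, parse with defusedxml rather
    # than the stdlib parser used here for brevity.
    root = ET.fromstring(metadata_xml)
    if root.tag != "{" + NS["md"] + "}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Only a key marked for signing (or with no 'use', which means both) may be
    # used to verify SAML responses; an encryption-only key is never accepted.
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text and node.text.strip():
            cert_b64 = node.text
            break
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")

    # Prefer the HTTP-Redirect endpoint as the SSO Target URL; fall back to any.
    services = idp.findall("md:SingleSignOnService", NS)
    redirect = [s for s in services if s.get("Binding") == REDIRECT_BINDING]
    chosen = (redirect or services)[0] if services else None
    if chosen is None or not chosen.get("Location"):
        raise ValueError("no SingleSignOnService Location in metadata")

    return {
        "sso_issuer": root.get("entityID"),
        "sso_target_url": chosen.get("Location"),
        "sso_cert_fingerprint": certificate_fingerprint(cert_b64, algorithm_uri),
        "sso_cert_fingerprint_algorithm": algorithm_uri,
    }


def fingerprint_matches(configured: str, presented: str) -> bool:
    """Compare a configured fingerprint with one computed from a certificate,
    ignoring case and separators, without leaking the mismatch position."""
    def normalize(fp: str) -> str:
        return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")
    return hmac.compare_digest(normalize(configured), normalize(presented))


if __name__ == "__main__":
    print(extract_sso_settings(SAMPLE_IDP_METADATA))
```

The fingerprint is simply the chosen digest over the certificate's DER bytes, which is why the algorithm identifier must be stored alongside it: a SHA-1 and a SHA-256 fingerprint of the same certificate look nothing alike. `fingerprint_matches` is the check a service provider runs when it later sees the signing certificate in a SAML response; it normalizes separators and case so that `9B:0E:...` and `9b0e...` compare equal.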

FAQ

  • Q: With users logging in with SSO, how are we managing roles?
    A: It is through the platform just as it would be with any other org. It is possible to trigger JIT (just in time) provisioning with SAML which will create the user record.
  • Q: Is our SSO setup Service Provider (SP) or Identity Provider (IDP) initiated?
    A: IDP - The client is the identity provider, Demyst is the service provider. The client initiates the SSO by visiting a URL they control, which then eventually ends up with them being logged into our service.
  • Q: How do we manage existing users in the platform when moving to SSO?
    A: We have an optional setting that prevents logins using email and password, so users must use SSO to log in.

This document is a good reference for integrating Demyst SAML with Azure AD - https://blogs.oracle.com/blogbypuneeth/post/steps-to-configure-saml-sso-with-azure-as-idp-and-weblogic-server-as-sp