Single Sign On

The Single Sign On page is where you configure the single sign on feature for Users in your organization.

Use the following steps to enable Single Sign On:

  1. Navigate to Settings > User Management > Single Sign On
  2. Enable Single Sign On
    • This enables and disables SSO functionality.
    • We recommend leaving this disabled until all settings are configured.
  3. SAML2 Configuration
    • Use the default Entity ID for Spirion Sensitive Data Platform, or modify it if needed. The Identity Provider must be registered with the same Entity ID.
    • Select the Binding expected by your Identity Provider (HTTP Post or HTTP Redirect).
    • User Identifier Fallback sets the preference for how users are matched between Spirion Sensitive Data Platform and the Identity Provider (Auto, Username, Email).
    • Identity Provider Metadata lets you supply your Identity Provider's metadata either as a URL or as an XML file.
    • Metadata outputs the Spirion Sensitive Data Platform (Service Provider) metadata as an XML file that can be used to configure your Identity Provider to communicate with Spirion Sensitive Data Platform.
    • Download Root Certificate downloads the Root Certificate .crt file
    • Download Service Provider Certificate downloads the Service Provider Certificate .crt file
    • Sync Roles
      • When enabled, Spirion Sensitive Data Platform automatically assigns and enforces a user’s role based on group membership and role mapping.
      • If disabled, roles are manually assigned from the Spirion Sensitive Data Platform UI.
  4. Compatibility
    • Check with your Identity Provider or Security Team.
    • Settings in this section are specific to the requirements of your Identity Provider and setup.
  5. Data Mapping
    • When a user is synced via SSO, their account and profile will be updated.
    • This section allows you to map Spirion Sensitive Data Platform fields to attribute values sent by your Identity Provider.
    • Mappings are required for Id, Email, Role, and Username.
  6. Roles Configuration
    • Roles Configuration will map directory groups to Spirion Sensitive Data Platform roles.
    • At sign on, Spirion Sensitive Data Platform roles are assigned according to the user's group membership(s), using the mapping below.
    • Arrange the order of the configured entries to set the priority for Spirion Sensitive Data Platform role assignment, since Spirion Sensitive Data Platform supports only one assigned role per user.
    • Accounts belonging to multiple groups that are mapped for SSO are assigned the Spirion Sensitive Data Platform role closest to the top of the list.
    • Note: A tool like SAML-tracer, which shows the decoded SAML response in the browser, can aid in troubleshooting this configuration by revealing the exact attribute names and group values your Identity Provider sends.
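The following is an added worked example, not Spirion's code or a description of its internals. It decodes a SAML response the way you would when reading it out of SAML-tracer (base64 for the HTTP Post binding, raw DEFLATE plus base64 for HTTP Redirect), pulls the Subject NameID and AttributeStatement out of the assertion, applies a Data Mapping for the four required fields (Id, Email, Username, Role), and resolves a single role from an ordered Roles Configuration where the entry closest to the top wins. The sample response, the attribute names (`email`, `sAMAccountName`, `groups`), the group names and the role names are all constructed assumptions; a real response is signed and must have its signature verified before any attribute in it is trusted, which this example does not do.

```python
"""Decode a SAML response and apply data and role mappings (added example).

Not Spirion code. The sample response, attribute names, group names and
role names below are constructed for illustration. Signature verification
is deliberately omitted; never trust attributes from an unverified assertion.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample: one user who belongs to two mapped groups.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>1001</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="sAMAccountName">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>SDP-Analysts</saml:AttributeValue>
        <saml:AttributeValue>SDP-Admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Data Mapping (assumed attribute names): platform field -> IdP attribute.
# "NameID" here means the assertion Subject rather than a named attribute.
DATA_MAPPING = {"Id": "NameID", "Email": "email", "Username": "sAMAccountName", "Role": "groups"}

# Roles Configuration, ordered top to bottom; the first matching entry wins.
ROLE_MAPPING = [("SDP-Admins", "Administrator"), ("SDP-Analysts", "Analyst")]


def encode_for_binding(xml_bytes, binding):
    """Encode as an IdP would for the chosen binding (the form SAML-tracer captures)."""
    if binding == "HTTP Redirect":
        # Redirect binding carries raw DEFLATE (no zlib header) inside base64.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def decode_for_binding(encoded, binding):
    """Reverse encode_for_binding: base64, then raw inflate for HTTP Redirect."""
    raw = base64.b64decode(encoded)
    if binding == "HTTP Redirect":
        raw = zlib.decompress(raw, -15)
    return raw


def extract_attributes(xml_bytes):
    """Return {"NameID": [...], <attribute name>: [values...]} from the first assertion."""
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    attrs = {}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        attrs["NameID"] = [name_id.text]
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def apply_data_mapping(attrs, mapping=DATA_MAPPING):
    """Build the user profile; every mapped field is required, so a missing one is an error."""
    profile = {}
    for field, source in mapping.items():
        values = attrs.get(source)
        if not values:
            raise ValueError(f"required mapping {field!r} -> {source!r} missing from assertion")
        # Role keeps the full group list; the other fields are single-valued.
        profile[field] = values if field == "Role" else values[0]
    return profile


def resolve_role(groups, role_mapping=ROLE_MAPPING):
    """One role per user: the highest entry in the ordered mapping that matches wins."""
    for group, role in role_mapping:
        if group in groups:
            return role
    return None  # no mapped group: nothing assigned via SSO


if __name__ == "__main__":
    captured = encode_for_binding(SAMPLE_RESPONSE_XML, "HTTP Redirect")
    profile = apply_data_mapping(extract_attributes(decode_for_binding(captured, "HTTP Redirect")))
    print(profile, "->", resolve_role(profile["Role"]))
```

Reordering `ROLE_MAPPING` so that `SDP-Analysts` sits above `SDP-Admins` changes the result for the same user from Administrator to Analyst, which is exactly the behaviour the ordered list in Roles Configuration controls; when a user lands in the wrong role, compare the group values shown by SAML-tracer against the mapped group names and their order before changing anything else.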