| 1 | +--- |
| 2 | +title: "SSO and JIT Provisioning" |
| 3 | +path: "/programs/sso-jit.html" |
| 4 | +id: "programs/sso-jit" |
| 5 | +--- |
| 6 | + |
| 7 | +HackerOne offers Just-in-time (JIT) provisioning with SAML and SSO. |
| 8 | + |
| 9 | +### Attribute Provisioning |
| 10 | + |
| 11 | +By default, all accounts will be provisioned with and keep up to date the following attributes: |
| 12 | + - First name |
| 13 | + - Last name |
| 14 | + |
| 15 | +### Program Membership |
| 16 | + |
| 17 | +All SAML users have access to the platform by default, but do not necessarily have access to programs. This will help you understand the options that are available to you when configuring your SAML settings. |
| 18 | + |
| 19 | +#### None |
| 20 | + |
| 21 | +Without any program membership provisioning, you can invite users to your program and manage their membership and permission level within the user management interface. |
| 22 | + |
| 23 | +#### Basic |
| 24 | + |
| 25 | +The basic configuration allows any user attached to your SAML configuration to join the program automatically without an invitation at login. This works for multiple programs if your SAML settings are attached to all programs. |
| 26 | + |
| 27 | +To configure this provisioning, contact [email protected] after your SAML configuration is enabled and we will turn it on for you. |
| 28 | + |
| 29 | +#### Advanced |
| 30 | + |
| 31 | +The advanced configuration allows organizations to control membership and permission level from their SSO provider. When configured, the attributes for the users membership and group will be used to assign the user to your program and the appropriate group in HackerOne with the associated permissions. |
| 32 | + |
| 33 | +To configure this provisioning we need to establish a mapping between the SSO provider (your system) and the HackerOne system. We do this by utilizing the attribute statements on the SSO provider side, which you will point to groups defined in your HackerOne program. |
| 34 | + |
| 35 | +The assertion should provide an attribute with the following name: `Program.<handle>.groups` and the value should be a semi-colon delimited list of the program Group names the user should belong to. If no groups are specified the user will not be added to the program. |
| 36 | + |
| 37 | +Take, for example, this set of configured Groups in HackerOne: |
| 38 | + |
| 39 | + |
| 40 | +A correlating SSO configuration (for Okta) would look like this: |
| 41 | + |
| 42 | + |
| 43 | +We can confirm the mapping is done correctly by inspecting the assertion statement in the SAML Response: |
| 44 | +``` |
| 45 | +<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> |
| 46 | + <saml2:Attribute Name="user.firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> |
| 47 | + <saml2:AttributeValue xmlns:xs="<snip>" xsi:type="xs:string">Ben</saml2:AttributeValue> |
| 48 | + </saml2:Attribute> |
| 49 | + <saml2:Attribute Name="User.lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> |
| 50 | + <saml2:AttributeValue xmlns:xs="<snip>" xmlns:xsi="<snip>" xsi:type="xs:string">Willis</saml2:AttributeValue> |
| 51 | + </saml2:Attribute> |
| 52 | + <saml2:Attribute Name="Program.security.groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> |
| 53 | + <saml2:AttributeValue xmlns:xs="<snip>" xmlns:xsi="<snip>" xsi:type="xs:string">Admin;Standard</saml2:AttributeValue> |
| 54 | + </saml2:Attribute> |
| 55 | + <saml2:Attribute Name="Program.hackerone_program_2.groups" NameFormat="<snip>"> |
| 56 | + <saml2:AttributeValue xmlns:xs="<snip>" xmlns:xsi="<snip>" xsi:type="xs:string">Standard</saml2:AttributeValue> |
| 57 | + </saml2:Attribute> |
| 58 | + </saml2:AttributeStatement> |
| 59 | + ``` |
| 60 | + |
| 61 | +Additionally, you can confirm the memberships are being added properly by viewing your Program Audit log. |
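Review bot: the sample assertion in the Advanced section is internally inconsistent and will mislead anyone copying it: the attribute names switch casing between `user.firstName` and `User.lastName`, and the first `AttributeValue` declares `xmlns:xs` but not the `xmlns:xsi` prefix that its `xsi:type="xs:string"` relies on, while the later values declare both; pick one casing and declare the namespaces the same way on every value so the reader can tell what HackerOne actually expects. The same section also leaves deprovisioning undocumented: it says a user with no groups specified "will not be added to the program", but not whether an existing member is removed or demoted when `Program.<handle>.groups` is absent from a later assertion or lists fewer groups than before, which is exactly what an operator driving permission levels from the IdP needs to know before enabling this. Minor: "the users membership and group" should read "the user's membership and group", and the lines following "Take, for example, this set of configured Groups in HackerOne:" and "A correlating SSO configuration (for Okta) would look like this:" are empty in this hunk, so the referenced screenshots appear to be missing from the commit.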