Single Sign-On configuration
Invicti Platform supports Single Sign-On (SSO) via Security Assertion Markup Language (SAML), allowing users to access multiple applications with a single login. An Identity Provider (IdP) centralizes user and application management, eliminating the need to handle individual credentials for each service. Invicti supports both IdP-initiated and Service Provider (SP)-initiated SAML authentication.
This document explains how to enable SSO in Invicti Platform.
Enabling SSO in Invicti doesn't automatically provision users by default. Users must be added manually or through automatic provisioning with SAML/SCIM, which is available for specific SSO providers (Active Directory Federation Service, Entra ID, Google, Okta, OneLoginSecure, and PingIdentity). For more information on manual user creation, refer to the Create user document.
You must also configure the integration on your SSO provider. For detailed instructions, refer to the documentation for your SSO provider:
- Active Directory Federation Service
- Entra ID (formerly Azure Active Directory)
- Okta
- GeneralSAMLv2
- OneLoginSecure
- PingIdentity
Configure Single Sign-On settings
To access the SSO configuration, you need to be an Owner of the organization or have a custom role with System rights. Enabling SSO makes it mandatory for the whole organization, unless a user is exempted.
- Select Settings from the left-side menu.
- In the Security & access control section select SSO & Provisioning.
- Turn on the Enable SSO toggle.

- From the SSO Provider drop-down list, choose your SSO provider.
- Copy the information from the SAML 2.0 Service URL and Identifier fields and enter it into your SSO provider configuration.

- Enter the required information into the SAML 2.0 Endpoint, IdP Identifier, and X.509 Certificate fields.

- Choose the signed assertions, encrypted assertions, or sign requests checkboxes as needed.

- If you enable any assertions or requests, a new section appears where you do one of the following:
  - Choose Generate a new certificate; OR
  - Choose I have an existing certificate, then upload your certificate and enter the Certificate Password.

- From the SSO Exemptions drop-down, choose specific users to exempt them from SSO. The selected users can then log in to Invicti Platform using a password. The Owner is always exempted, while all other users are forced to use SSO when it's enabled.

- Click Save to save your settings and add the users manually.
To add users automatically instead, if your SSO provider supports it, continue by configuring automatic provisioning both in Invicti Platform (see the following section) and in the provider's administration tool.
Configure automatic provisioning with SAML/SCIM
Invicti Platform supports automatic user provisioning via SAML/SCIM for specific SSO providers. This feature automatically creates new user accounts when they authenticate through the Identity Provider, eliminating the need to manually add users to the platform.
- In the Provisioning with SAML/SCIM section, set the Enable automatic provisioning for your organization toggle to Yes.

- In the Default access for new users and teams section, select a role, for example, Viewer, from the drop-down list to assign to newly provisioned users.
- Optionally, in the Collections field, click Select collections and choose which collections the new users should have access to. If none are selected, the default setting of All current and future collections is used.

- Optionally, click Download SAML Metadata to download the file for your IdP configuration.
- Click Save to apply your provisioning settings.
Once automatic provisioning is enabled, new users who successfully authenticate through your Identity Provider are automatically created in Invicti Platform with the default role and collection access you configured.