Single-sign on (SSO)
You can set up SAML and just-in-time (JIT) provisioning to enable users in your organization to access Veracode products and services with single sign-on (SSO). If you also configure service provider (SP)-initiated authentication, users only need to sign in with an email address. The Veracode Platform supports the SAML 2.0 standard.
For human user accounts, we recommend using SSO as an alternative to API credentials, particularly when onboarding new users. With SSO configured in your organization, your development teams can securely sign in to Veracode (using OAuth) from within their IDEs and the Veracode CLI using an email address. They won't need to create or maintain API credentials or an API credentials file. For automated integrations, such as scripts, CI/CD plugins, or APIs that don't require human interaction, the best practice is to use non-human API service accounts with API credentials. To use SSO in your organization, contact Veracode Technical Support to set up JIT provisioning configured for SP-initiated authentication.
If your organization configured SSO and just-in-time provisioning before June 2022, you can migrate to the new capabilities.
To prevent being locked out of Veracode if your SAML environment becomes inaccessible, we recommend that your organization create at least one user with the Administrator role who signs in with a username and password.
What is SAML?
SAML (Security Assertion Markup Language) is an open standard for performing single sign-on across security domains, for example, from an organization to a cloud service such as Veracode. SSO with SAML usually works as follows:
- You select a link on your corporate intranet site, such as an Okta tile, to a Veracode product or service, such as the Veracode Platform.
- Your browser forwards a SAML assertion to Veracode. The assertion is a digitally signed XML document that attests to your identity.
- We check the validity of the assertion by verifying the digital signature and the expiration date, then compare the information in the assertion to the list of users in your organization account.
- If the assertion is valid and you match a known Veracode user, the Veracode Platform sign-in page opens.
Veracode implements the portions of the SAML standard that manage authentication, but the Technical Support team must provision your account before you can use the service. To automate provisioning for large numbers of users, we recommend you use the Admin API.
To learn more about SAML, see the following websites:
- SAML (Wikipedia topic)
- saml.xml.org: open community site on SAML
Enable and configure SAML
To enable SAML in the Veracode Platform for your organization:
- Send a request to Veracode Technical Support. The Technical Support team will help you configure your identity provider (IdP).
  Note: If your organization is not using an IdP, or prefers to use an IdP provided by Veracode, ask Technical Support about using Veracode's Okta instance for SSO.
- After enabling SAML, users with the Administrator role can do the following:
Configuring your organization identity provider for SAML
While identity provider technologies vary, most require some information about the Veracode Platform to know how to properly construct and forward the SAML assertion. This information should be configured in your identity provider (IdP):
| Setting | Value |
|---|---|
| Relaystate URL | https://web.analysiscenter.veracode.com/login/#/saml |
| Audience URL | Provided on the SAML tab of the Administration screen on the Veracode Platform |
| Target URL | Provided on the SAML tab of the Administration screen on the Veracode Platform |
| SAML version supported | 2.0 |
| SAML binding supported | HTTP POST |
| SAML profile supported | IdP-initiated SSO |
Associating Veracode SAML attributes with Okta fields
When configuring Okta SSO, you must associate the Veracode SAML attributes with Okta fields. The following table lists attributes from the SAML Certificate section of your Veracode account and the associated Okta fields.
| Veracode SAML field | Okta field |
|---|---|
| SAML Assertion URL | Single Sign On URL |
| SAML Audience URL | Audience Restriction |
| Relaystate URL | Default Relay State |
Associating Veracode SAML attributes with Azure Entra fields
When configuring Azure Entra (Active Directory) SSO, you must associate the Veracode SAML attributes with Azure Entra fields. The following table lists attributes from the SAML Certificate section of your Veracode account and the associated Azure Entra fields.
| Veracode SAML field | Azure Entra field |
|---|---|
| SAML Assertion URL | Reply URL |
| SAML Audience URL | Identifier |
| Relaystate URL | Relay State |
Configuring your organization account for SAML
Contact Veracode Technical Support to enable your organization account to use SAML for single sign-on. After enabling SAML for your organization, users with the Administrator role for your organization see a SAML tab on the Administration page.
When you change your SAML settings, ensure you delete the existing certificate and upload a new one before saving your changes.
The SAML tab contains four parameters, two of which are required:
Issuer (required)
Unique identifier of the identity provider, passed in the Issuer element of the assertion. The issuer in the assertion must match the value in the Veracode Platform to be valid for your organization. The issuer is populated automatically when your organization is activated for SAML. You cannot edit it after it is set.
IdP Server URL (optional)
URL of the identity provider server for your organization. If provided, the Veracode Platform attempts to redirect a SAML user to this URL upon session timeout.
Custom Error Page URL (optional)
Enter a URL here to redirect your users to a custom error page in the event of an authentication error.
Assertion Signing Certificate (required)
Browse to and upload the certificate with which assertions are signed. The expiration date of the certificate is shown after you upload it. Users cannot sign in after the certificate expires.
Select Save.
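The checks described above (issuer must match the SAML tab value, the assertion must be inside its validity window, the signing certificate must not have expired, and the subject must match a provisioned SAML user) as an added example, not Veracode's code. The assertion, issuer, certificate date and user list are constructed values; signature verification, which in practice is done with an XML-DSig library before these checks, is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values as they would appear on the SAML tab (constructed, hypothetical IdP)
ORG_SAML_CONFIG = {
    "issuer": "https://idp.example.com/metadata",
    "cert_not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
}

# Users whose login type is SAML, keyed by their saml_subject (constructed)
SAML_USERS = {"alice@example.com": "alice"}

# Constructed IdP-initiated assertion (unsigned, for illustration only)
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2025-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-03-01T11:59:00Z" NotOnOrAfter="2025-03-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC in the form YYYY-MM-DDThh:mm:ssZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, config=ORG_SAML_CONFIG, users=SAML_USERS):
    """Return (ok, reason, user_name) for an already signature-verified assertion."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != config["issuer"]:
        return False, "issuer mismatch", None
    if now >= config["cert_not_after"]:
        return False, "signing certificate expired", None
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions", None
    not_before = cond.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before):
        return False, "assertion outside validity window", None
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    user = users.get(subject)
    if user is None:
        return False, "subject does not match a SAML user", None
    return True, "ok", user
```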
Configure a user for SAML access
Using SAML authentication requires that a user account has a user record in the Veracode Platform.
If you set a SAML assertion for a user who has the Team Admin role, you must also set the teamsmanaged attribute.
When you set the login type in the Veracode Platform to SAML, you cannot change it back to the password login type.
To complete this task:
- Create a new user or update an existing user using the Administration page in the Veracode Platform, or the Identity API.
- Select SAML in the Login Type field, or set the saml_user property to true for the Identity API.
- Set the SAML Subject field (saml_subject in the Identity API) to the value that the SAML assertion passes in to identify the user. This value is usually the user email address or corporate login ID.
- When creating a new user, you can also set the user roles and allowed scan types. For example, configure SAML to add SSO for accessing Software Composition Analysis (SCA) in the Veracode Platform.
SSO for Microsoft Entra
To integrate SSO access to Veracode for Microsoft Entra (Active Directory) user accounts, see this tutorial.