You can enable users in your organization to use single sign-on and configure SAML access for users.
The Veracode Platform supports single sign-on (SSO) using the SAML 2.0 standard. To enable SAML on the Veracode Platform for your organization, you must request it in an email to Veracode Technical Support at [email protected]. After enabling their organization to use SSO with SAML, Veracode users with the Administrator role can configure their organization account and user accounts for single sign-on. Required information for configuring the organization identity provider to work with Veracode is also provided.
What is SAML?
SAML (Security Assertion Markup Language) is an open standard for performing single sign-on across security domains, for example, from an organization to a cloud service such as Veracode. SSO with SAML usually works as follows:
- You click a link to Veracode on your corporate intranet site.
- Your browser forwards a SAML assertion to Veracode. The assertion is a digitally signed XML document that attests to your identity.
- Veracode checks the validity of the assertion by verifying the digital signature and the expiration date, then compares the information in the assertion to the list of users in the organization account.
- If the assertion is valid and you match a known Veracode user, you continue to the Veracode Platform.
For more information about SAML, see these:
Configuring Your Organization Identity Provider for SAML
While identity provider technologies vary, most require some information about the Veracode Platform to know how to properly construct and forward the SAML assertion. The following information may be required by your identity provider:
- SAML Assertion Consumer Service (ACS) URL
  - The SAML ACS domain for your region
- Unique identifier for the service provider
  - Veracode recommends using the SAML entity ID URL for your region.
- SAML version supported
- SAML binding supported
  - HTTP POST
- SAML profile supported
  - IdP-initiated SSO
- Target resource
  - Veracode does not support target resources.
Configuring Your Organization Account for SAML
Contact Veracode Technical Support to enable your organization account to use SAML for single sign-on. After enabling SAML for your organization, users with the Administrator role for your organization see a SAML tab on the Administration page.
The SAML tab contains four parameters, two of which are required:
- Issuer (required)
  - Unique identifier of the identity provider, passed in the Issuer element of the assertion. The issuer in the assertion must match the value configured in the Veracode Platform for the assertion to be valid for your organization.
- IdP Server URL (optional)
  - URL of the identity provider server for your organization. If provided, the Veracode Platform redirects a SAML user to this URL on session timeout.
- Custom error page URL (optional)
  - URL to which your users are redirected in the event of an authentication error.
- Assertion Signing Certificate (required)
  - Browse to and upload the certificate with which assertions are signed. Note: When you change your SAML settings, delete the existing certificate and upload a new one before saving your changes.
Configuring a User for SAML Access
Using SAML authentication requires that the user has a user record in the Veracode Platform.
- Create a new user using the Administration page in the Veracode Platform, or the createuser.do API call.
- Select SAML in the Login Type field, or set the is_saml_user parameter in the createuser.do API call.
- Set the SAML Subject field (custom_id in the Admin API) to the value that the SAML assertion passes to identify the user. This value is usually the user's email address or corporate login ID.
- When creating a new user, you can also set the user roles and allowed scan types.
To modify an existing user for SAML access:
- Select SAML in the Login Type field.
- Enter a value in the SAML Subject field.
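The checks described above (signature, expiration, Issuer match, and NameID lookup against users whose Login Type is SAML) are illustrated by the following added example. It is not Veracode's code; the configuration values, user records, and sample assertion are constructed, and XML signature verification against the uploaded certificate is assumed to have been performed by a dedicated library before these checks run.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # use defusedxml in production: the XML is untrusted input

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample data (assumed values, not Veracode's): the Issuer held on the
# SAML tab, and two user records of which only one has Login Type = SAML.
SP_CONFIG = {"issuer": "https://idp.example.com/metadata"}
USERS = {"alice@example.com": {"login_type": "SAML"},
         "bob@example.com": {"login_type": "PASSWORD"}}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, signature_valid, now=None, config=SP_CONFIG, users=USERS):
    """Return (accepted, reason). signature_valid is the outcome of XML-DSig verification
    against the uploaded Assertion Signing Certificate (assumed done by a library first);
    nothing in the document is trusted until that check has passed."""
    if not signature_valid:
        return False, "signature"
    now = parse_time(now) if now else dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == SAML + "Assertion" else root.find(".//" + SAML + "Assertion")
    if assertion is None:
        return False, "no assertion"
    # Issuer must equal the value configured on the SAML tab.
    if assertion.findtext(SAML + "Issuer", "").strip() != config["issuer"]:
        return False, "issuer mismatch"
    cond = assertion.find(SAML + "Conditions")
    not_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_after is None or now >= parse_time(not_after):  # NotOnOrAfter is exclusive
        return False, "expired"
    not_before = cond.get("NotBefore")
    if not_before and now < parse_time(not_before):
        return False, "not yet valid"
    # NameID must match the SAML Subject (custom_id) of a user whose Login Type is SAML.
    subject = assertion.findtext(SAML + "Subject/" + SAML + "NameID", "").strip()
    user = users.get(subject)
    if user is None or user["login_type"] != "SAML":
        return False, "no matching SAML user"
    return True, subject
```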