Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Single sign-on
Environment: Huntress.io and your SSO provider
Summary: Configure SAML 2.0 Single sign-on
Please review the current limitations section of this page before continuing.
Single Sign-On (SSO) can be configured with any compatible SAML 2.0 identity provider (Google Apps, Okta, Duo, Microsoft 365/Azure AD, AuthPoint, miniOrange, etc.) and will allow Huntress Account users to log in without needing a separate username and password.
Current Limitations
- Users will need to be added individually to Huntress. Huntress will not inherit all users from your SAML provider. If a user from your organization tries to log in and is not on the Huntress list, they will receive a "username/password invalid" error from Huntress.
- You may need to enter your email twice (once on the Huntress SSO page and once on your corporate logon page).
- Users must still accept the Huntress invitation.
- Users must still remember their Huntress password, as the password is still required in order to change preferences (such as email address, name or phone number). If they forget their password, you'll need to temporarily disable 'SSO enforce' and send them a password reset email; once they have changed their password you can re-enable 'SSO enforce'.
- SAML SSO is only supported for Account-level logins; it is not supported at the Organization or Reseller level. Organization/Reseller users will be required to use a username and password.
- Users with SAML SSO cannot be added to other accounts or organizations that do not have SAML SSO set up with the same SSO/SAML provider. For cases like this, we suggest using email aliases to set up access to accounts without SAML SSO, and keeping the primary email for access to SAML SSO accounts. If you run into an error adding a user to another account that uses the same SAML provider, reach out to support, and we can work with engineering to manually configure these on the backend.
- A user can be associated with multiple Huntress accounts with SSO enabled. However, only a single SSO configuration is allowed per account.
- Enabling SSO on an account that was not previously configured for SSO is prohibited if the account has users who are associated with multiple Huntress accounts.
- For SSO enforce: do not delete any existing 2FA settings at the individual user level after disabling 2FA at the overall account level. Users should use the "Disable" option instead, so that SSO enforce takes effect without additional 2FA prompts from Huntress.
- If you are unable to edit your email in the User's Preference page (greyed out), please make sure that SSO is not Enforced. If it is Enforced, disable the enforcement to edit your email address in the User's Preference page. You DO NOT need to disable SSO entirely, just the enforcement.
Providers not supported:
- Passly is not supported.
- LastPass is not supported for SSO.
Links to SAML Setups for Common Providers
Follow the links below for instructions on manually creating a SAML app in your provider.
Manual Configuration
Your SAML provider must pass over "emailaddress" as the email address used to log into Huntress.
Huntress Single Sign On (SSO) login should be compatible with all SAMLv2 providers. Below is the minimum information you will need to configure your SAML SSO integration with Huntress.
| Setting | Value |
| --- | --- |
| Identifier | https://huntress.io/sso/metadata |
| Reply URL | https://huntress.io/sso/auth |
| Sign on URL | https://huntress.io/sso |
You will need to paste the base64 certificate with the beginning and closing statements on the Huntress side.
Attribute Mapping
If you are using a provider other than Microsoft Azure (such as Duo), you may need to configure some additional attribute mappings.
NameID Attribute Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
| SAML Response Attribute | Identity Provider Attribute |
| --- | --- |
| NameID | <Email Address> |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | <First Name> |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | <Last Name> |
Example mappings in Azure:
Add your provider to Huntress
1. Head over to your account settings.
2. Click "Setup SAML SSO" (if you are missing the SAML settings, please contact Huntress Support).
3. Enter the following information provided by your SAML provider:
   - SSO Service [provider] URL
   - Entity ID (URL)
   - [base64] Certificate
   You must paste the entire base64 certificate, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.
4. To enforce SSO for all users, switch "enforce SSO this account" on (please note: all users within the account will only be able to log in with SSO, and no Huntress username/password credentials will be available).
This is what you should see in your account settings page after saving:
Disable Two-Factor Authentication (2FA)
- You may disable Huntress 2FA only if SSO is enabled and enforced on your account. Unless both conditions are met, you will not be able to disable 2FA. Note: disabling 2FA at the account level allows individual users within the account to disable their own 2FA.
- When 2FA is disabled, SSO is the default login method for all users. If you have previously used Huntress 2FA, you will need to disable it on a per-user basis. To disable 2FA for an individual user, that user must go to their user profile and disable 2FA as shown below (Profile Preferences > Two-Factor Authentication > Disable).
Step-by-step instructions:
1. Enable SSO, enforce SSO, and disable 2FA on the settings page. Make sure you scroll down to the bottom of the page and click "Save"; if you navigate away, your changes will not be saved.
2. Go to "Profile Preferences > Two-Factor Authentication" and click "Disable". This disables 2FA for the individual user. Ensure step 1 above is completed before this step. Do NOT delete the MFA integrations that are already set up (backup codes, Google Authenticator and Duo).
3. Log out; you should now be able to log in with SSO without a 2FA prompt.
SSO Enforcement Bypass Users
In SSO settings, there is now an option to add users to a bypass list for SSO; this is intended for break-glass user accounts.
Please note: if you are using SSO Enforcement Bypass Users, 2FA will still need to be enabled on the account in order for this to work. We generally suggest disabling 2FA after SSO is set up.
Troubleshooting
If you're running into trouble, you may need to send the SAML response to Huntress Support so that we can troubleshoot. This Chrome add-on can help; a Firefox add-on is also available here.
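Before sending a SAML response to support, you can check it yourself against the values listed under Manual Configuration and Attribute Mapping above. The Python below is an added example, not Huntress's own tooling: it takes a response as raw XML or as the base64 form posted to the Reply URL and reports a wrong Destination, a wrong Audience, a NameID that is not in emailAddress format, or missing givenname/surname claims. The sample response it parses is constructed for the demonstration, not a real capture, and the XML signature is not verified here.

```python
import base64
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml's drop-in parser
# Service-provider values Huntress publishes (Manual Configuration / Attribute Mapping sections).
AUDIENCE = "https://huntress.io/sso/metadata"  # Identifier
ACS_URL = "https://huntress.io/sso/auth"       # Reply URL
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = (CLAIMS + "givenname", CLAIMS + "surname")
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_saml_response(saml_response: str) -> list[str]:
    """Return mismatches between an IdP's SAMLResponse (raw XML, or the base64 form
    posted to the Reply URL) and what Huntress expects; [] means it lines up.
    The XML signature is not verified here (Huntress does that server-side)."""
    if not saml_response.lstrip().startswith("<"):
        saml_response = base64.b64decode(saml_response).decode()
    root = ET.fromstring(saml_response)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append(f"Destination {root.get('Destination')!r} != Reply URL {ACS_URL}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no <saml:Assertion>"]
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != AUDIENCE:
        problems.append(f"Audience {audience!r} != Identifier {AUDIENCE}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append(f"NameID {name_id.text!r} is not an email address")
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in REQUIRED_ATTRS if n not in present]
    return problems


def sample_response(nameid_format: str = EMAIL_FORMAT, audience: str = AUDIENCE) -> str:
    """Constructed sample IdP response for demonstration (not a real capture); Signature omitted."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="{nameid_format}">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{REQUIRED_ATTRS[0]}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{REQUIRED_ATTRS[1]}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Paste the decoded response from the browser add-on into `check_saml_response`; a NameID in `unspecified` format, the most common Duo/miniOrange misconfiguration the table above guards against, is reported as a single mismatch.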
If you would like to contribute screenshots and setup information for products other than Microsoft Azure and Duo, please submit them to support@huntress.io.