Team: Huntress EDR
Product: Single sign-on
Environment: Huntress.io and your SSO provider
Summary: Configure SAML 2.0 Single sign-on
Please review the current limitations section of this page before continuing.
Single Sign-On (SSO) can be configured with any compatible SAML 2.0 identity provider (Google Apps, Okta, Duo, Microsoft 365/Azure AD, AuthPoint, miniOrange, etc.) and allows Huntress Account users to log in without needing a separate username and password.
Current Limitations
- Users will need to be added individually to Huntress. Huntress will not inherit all users from your SAML provider. If a user from your organization tries to log in and they are not in the Huntress user list, Huntress will show them a "username/password invalid" error.
- You may need to enter your email twice (once on the Huntress SSO page and once on your corporate logon page).
- Users must still accept the Huntress invitation.
- Users must still remember their Huntress password, because the password is still required to change preferences (such as email address, name or phone number). If a user forgets their password, you will need to temporarily disable 'SSO enforce' and send them a password reset email; once they have changed their password you can re-enable 'SSO enforce'.
- SAML SSO is only supported for Account-level logins; it is not supported at the Organization level or Reseller level. Organization/Reseller users will be required to use a username and password.
- If your user account belongs to multiple Huntress accounts, SSO will not work for your account. Your email can only be associated with one account for SSO to work properly.
- If a user is part of a Reseller account that has SSO enabled, they will still be prompted for 2FA on login even if they disable Huntress 2FA. Disabling 2FA is currently enforced only for their "top-level" reseller account and not for any individual accounts.
- For SSO enforce: any user with existing 2FA methods will have to remove the 2FA methods themselves in order to use SSO without entering their 2FA code. They just need to log in, go to Preferences, then click the trash can icon to the right of each of their 2FA methods.
Providers not supported:
- Passly is not supported.
- LastPass is not supported for SSO.
Links to SAML Setups for Common Providers
Follow the links below for instructions on manually creating a SAML app in your provider.
Manual Configuration
Your SAML provider must pass "emailaddress" as the email address used to log in to Huntress.
Huntress Single Sign-On (SSO) login should be compatible with all SAMLv2 providers. Below is the minimum information you will need to configure your SAML SSO integration with Huntress.

| Setting | Value |
|---|---|
| Identifier | https://huntress.io/sso/metadata |
| Reply URL | https://huntress.io/sso/auth |
| Sign on URL | https://huntress.io/sso |

You will need to paste the base64 certificate, including the BEGIN and END lines, on the Huntress side.
Attribute Mapping
If you are using a provider other than Microsoft Azure (such as Duo), you may need to configure additional attribute mappings.
NameID Attribute Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

| SAML Response Attribute | Identity Provider Attribute |
|---|---|
| NameID | <Email Address> |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | <First Name> |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | <Last Name> |
Example mappings in Azure:
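To confirm what your provider actually sends before involving support, the following added example (not Huntress code) decodes a base64 SAMLResponse, such as the one a browser SAML tracer captures, and checks it against the mapping table above: NameID in the emailAddress format, the givenname and surname claim URIs, and a Destination and Audience that match the Huntress Reply URL and Identifier. The embedded response is constructed for illustration; the expected values are the ones listed on this page. The checker does not verify the XML signature, which is Huntress's job on receipt.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by the response and its assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values taken from the Huntress article.
HUNTRESS_IDENTIFIER = "https://huntress.io/sso/metadata"
HUNTRESS_REPLY_URL = "https://huntress.io/sso/auth"
EXPECTED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EXPECTED_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "First Name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Last Name",
}

# Constructed sample (not a real capture): the XML a SAML tracer shows after
# base64-decoding the SAMLResponse form field. No Signature element is
# included; signature verification is Huntress's job, not this checker's.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" Destination="https://huntress.io/sso/auth">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://huntress.io/sso/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Jane</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode response XML the way it travels in the SAMLResponse field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_saml_response(saml_response_b64: str) -> dict:
    """Decode a base64 SAMLResponse and report the fields Huntress relies on.

    The result holds the NameID, its Format, every attribute found, and a list
    of problems; an empty list means the mapping matches the article's table.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    # Destination must be the Huntress Reply URL.
    destination = root.get("Destination")
    if destination != HUNTRESS_REPLY_URL:
        problems.append(f"Destination is {destination!r}, expected {HUNTRESS_REPLY_URL}")

    # The assertion's Audience must name the Huntress Identifier.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if HUNTRESS_IDENTIFIER not in audiences:
        problems.append(f"Audience {audiences} does not include {HUNTRESS_IDENTIFIER}")

    # NameID carries the login email and must use the emailAddress format.
    name_id_el = root.find(".//saml:Subject/saml:NameID", NS)
    name_id = name_id_el.text if name_id_el is not None else None
    name_id_format = name_id_el.get("Format") if name_id_el is not None else None
    if name_id_format != EXPECTED_NAMEID_FORMAT:
        problems.append(f"NameID format is {name_id_format!r}, expected {EXPECTED_NAMEID_FORMAT}")
    if not name_id or "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email address")

    # Collect attributes by claim URI; both name claims must be present.
    attributes = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values[0] if len(values) == 1 else values
    for uri, label in EXPECTED_ATTRIBUTES.items():
        if uri not in attributes:
            problems.append(f"missing attribute {uri} ({label})")

    return {"name_id": name_id, "name_id_format": name_id_format,
            "attributes": attributes, "problems": problems}


if __name__ == "__main__":
    for key, value in check_saml_response(encode_response(SAMPLE_RESPONSE_XML)).items():
        print(f"{key}: {value}")
```

Paste the base64 SAMLResponse value from your tracer into `check_saml_response`; a non-empty `problems` list points at the mapping that needs fixing on the provider side (a NameID in `persistent` or `unspecified` format is the usual culprit for the "username/password invalid" error described under Current Limitations).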
Add your provider to Huntress
1. Head over to your account settings.
2. Click "Setup SAML SSO" (if you are missing the SAML settings, please contact Huntress Support).
3. Enter the following information provided by your SAML provider:
   - SSO Service [provider] URL
   - Entity ID (URL)
   - [base64] Certificate
   You must paste the entire base64 certificate, including the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.
4. To enforce SSO for all users, switch "enforce SSO this account" on (please note: all users within the account will only be able to log in with SSO, and no Huntress username/password credentials will be available).
This is what you should see on your account settings page after saving:
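The certificate paste in step 3 (and the same note under Manual Configuration) is a common place for setup to go wrong. The following added example, which is not part of the Huntress article, checks the text you are about to paste: that both the BEGIN CERTIFICATE and END CERTIFICATE lines are present, that the body between them is valid base64, and that the decoded bytes form one complete DER structure (a truncated or partial paste fails this last check). The sample DER bytes are constructed and are not a real certificate; with a real one, the returned sha256 value is the certificate's SHA-256 fingerprint.

```python
import base64
import binascii
import hashlib

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_outer_length_ok(der: bytes) -> bool:
    """Check that the bytes are one complete DER SEQUENCE, which is the
    top-level structure of every X.509 certificate: tag 0x30 followed by a
    length that covers exactly the remaining bytes. Handles both short-form
    (one byte) and long-form (0x8N plus N bytes) lengths."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        return 2 + first == len(der)
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def check_pem_certificate(pem_text: str) -> dict:
    """Return {'problems': [...], 'sha256': hex or None, 'der_length': int or None}.

    An empty problems list means the text is a complete PEM certificate with
    both marker lines, as the article requires."""
    problems = []
    text = pem_text.strip()
    has_header = text.startswith(PEM_HEADER)
    has_footer = text.endswith(PEM_FOOTER)
    if not has_header:
        problems.append("missing BEGIN CERTIFICATE line")
    if not has_footer:
        problems.append("missing END CERTIFICATE line")

    # Strip whatever markers are present, then drop the 64-column line breaks.
    body = text[len(PEM_HEADER):] if has_header else text
    body = body[:-len(PEM_FOOTER)] if has_footer else body
    body = "".join(body.split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("body is not valid base64 (truncated paste or stray characters?)")
        return {"problems": problems, "sha256": None, "der_length": None}

    if not der_outer_length_ok(der):
        problems.append("decoded bytes are not one complete DER certificate (truncated?)")
    return {
        "problems": problems,
        "sha256": hashlib.sha256(der).hexdigest(),
        "der_length": len(der),
    }


def wrap_as_pem(der: bytes) -> str:
    """Build PEM text from DER bytes: 64-column base64 between the markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER])


# Constructed stand-in for a certificate (not a real one): a DER SEQUENCE with
# a long-form length (0x82 0x01 0x00 = 256 bytes) wrapping 128 NULL elements.
# Real certificates use the same outer SEQUENCE structure.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x05\x00" * 128
SAMPLE_PEM = wrap_as_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(check_pem_certificate(SAMPLE_PEM))
    # The same text with the marker lines removed: the mistake the article warns about.
    print(check_pem_certificate("\n".join(SAMPLE_PEM.splitlines()[1:-1])))
```

Run `check_pem_certificate` on the certificate text downloaded from your provider (Azure's "Certificate (Base64)" download is already in this form) before pasting it into the Huntress SAML settings; if the marker lines are reported missing, add them around the base64 body rather than pasting the body alone.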
Disable Two-Factor Authentication (2FA)
- You may disable Huntress 2FA only if SSO is enabled and enforced on your account. If both conditions are not met, you will not be able to disable 2FA. Note: once 2FA is disabled at the account level, individual users within the account are allowed to disable their own 2FA.
- When 2FA is disabled, SSO is the default login method for all users. If you have previously used Huntress 2FA, you will need to disable it on a per-user basis. To disable 2FA for an individual user, that user must go to their user profile and disable 2FA as shown below (Profile Preferences > Two-Factor Authentication > Disable).
Step-by-step instructions:
1. Enable SSO, enforce SSO, and disable 2FA on the settings page. Make sure you scroll down to the bottom of the page and click "Save"; if you navigate away, your changes will not be saved.
2. Go to "Profile Preferences > Two-Factor Authentication" and click "Disable". This disables 2FA for the individual user. Ensure step 1 is completed before this step. Do NOT delete the MFA integrations that are already set up (backup codes, Google Authenticator and Duo).
3. Log out; you should now be able to log in with SSO without 2FA.
Troubleshooting
If you're running into trouble, you may need to send the SAML response to Huntress Support so that we can troubleshoot. This Chrome add-on can help; a Firefox add-on is also available here.
If you would like to contribute screenshots and setup information for products other than Microsoft Azure and Duo, please submit them to support@huntress.io.
Comments
Are there plans to support Passly in the future? Or is there some limitation on Passly's end of things that is preventing this from working with that system?