Single sign-on (SSO) configuration

This article walks you through single sign-on (SSO) configuration. Semgrep supports SSO through OpenID Connect / OAuth 2.0 and SAML 2.0.

After setting up SSO, users are provisioned and managed on your IdP. Semgrep grants access to the deployment to any user at the configured domain who logs in and has the correct permissions in the IdP.

OpenID Connect / OAuth 2.0

Microsoft Entra ID

Semgrep AppSec Platform does not support using OpenID with Microsoft Entra ID. Follow the instructions to set up SAML SSO with Microsoft Entra ID instead.

To set up SSO in Semgrep AppSec Platform:

  1. Sign in to Semgrep AppSec Platform.
  2. Navigate to Settings > Access > Login methods.
  3. Click Add SSO configuration and select OpenID SSO.
  4. Provide a Display name and the Email domain.
  5. Copy the Redirect URL, and provide it to your authentication provider.
  6. Generate a Client ID and Client Secret through your authentication provider and paste these values into Semgrep.
  7. From your authentication provider, copy the Base URL value, and provide it to Semgrep. For example, if you're using Okta SSO, the base URL is the Okta domain.
  8. Optional: if your authentication provider requires them, provide the following values:
    • Well Known URL
    • Authorize URI
    • Token URI
    • Userinfo URI
  9. Click Save to proceed.

If you encounter issues during the setup process, please reach out to support for assistance.

SAML 2.0

Google Workspace SAML

If you're using Google Workspace SAML, see SAML Single Sign-on with Google Workspace for specific guidance.

SAML 2.0 is configured through Semgrep AppSec Platform. To set up SSO:

  1. Create a SAML app with your authentication provider.
  2. With your authentication provider, add two attribute statements: name and email.
  3. Sign in to Semgrep AppSec Platform.
  4. Navigate to Settings > Access > Login methods.
  5. Click Add SSO configuration and select SAML2 SSO.
  6. Provide a Display name and the Email domain.
  7. Copy the SSO URL and Audience URL (SP Entity ID), and provide them to your authentication provider.
  8. From your authentication provider, copy your IdP SSO URL and IdP Issuer ID values, and download the X509 Certificate.
  9. Return to Semgrep AppSec Platform, paste the IdP SSO URL and IdP Issuer ID values, and upload your X509 Certificate.
  10. Select the box next to This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin) if applicable.
  11. Click Save to proceed.
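Steps 8 and 9 ask for three values that your IdP normally publishes together in its SAML metadata document. The following is an added example, not code from the Semgrep documentation, that pulls the IdP Issuer ID (entityID), the IdP SSO URL and the signing certificate out of such a document with the standard library only; the metadata sample, hostname and certificate body are constructed placeholders.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")

# Constructed sample IdP metadata. The entityID, hostname and certificate
# body are placeholders, not a real IdP or a real certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkEXAMPLE000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBexampleCERTDATAexampleCERTDATA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-idp.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_idp_metadata(xml_text: str) -> dict:
    # Returns the IdP Issuer ID, IdP SSO URL and signing certificate (PEM).
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP, not IdP, metadata")
    # Semgrep's form takes one SSO URL; prefer the POST binding, then Redirect.
    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = next((locations[b] for b in BINDINGS if b in locations), None)
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError("no https SingleSignOnService with a supported binding")
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both uses
            node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if node is not None and node.text:
                cert = "".join(node.text.split())  # drop whitespace and newlines
                break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert, 64))
           + "\n-----END CERTIFICATE-----\n")
    # The entityID is an identifier, not necessarily an https URL (Okta uses http://).
    return {"idp_issuer_id": root.get("entityID"),
            "idp_sso_url": sso_url, "x509_certificate_pem": pem}
```

Feed it the metadata XML downloaded from your IdP and the returned PEM is what the X509 Certificate upload in step 9 expects.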

If you encounter issues during the setup process, reach out to support for assistance.

Admin and org owner accounts

By default, Semgrep creates new SSO accounts with the Member role assigned. You can change the default role assigned to a new user by going to Settings > Access.

If you're an admin setting up SSO, and Semgrep creates an SSO account for you with the role of Member, you can elevate the permissions granted to your SSO account. To do so, log in to Semgrep with your admin account using the original login method, then change the role of your newly created SSO account to Admin.

Turn off sign in with GitHub / GitLab

If you have SSO enabled, you can turn off login using GitHub or GitLab credentials. Doing so forces members of your organization to log in using an email address with an approved domain.

  1. Sign in to your Semgrep account.
  2. Navigate to Settings > Access > Login methods.
  3. GitHub users: Click the GitHub SSO toggle to turn off logins using GitHub.
  4. GitLab users: Click the GitLab SSO toggle to turn off logins using GitLab.
Warning: Ensure that you have at least one user who can log in through SSO before disabling sign in with GitHub or GitLab.
