  • Semgrep Cloud Platform
  • Team & Enterprise Tier

Single sign-on (SSO) configuration


The only steps required to add users to Semgrep Cloud Platform (SCP) are performed on the SSO provider side. After setting up SSO, users are able to sign in to your Semgrep organizations by entering their SSO credentials.

SCP supports SSO through OpenID Connect / OAuth2 and SAML 2.0.

OpenID Connect / OAuth2

To set up SSO:

  1. In SCP, click Settings > Access > SSO, and then select Add OpenID SSO.
  2. Copy the Redirect URL.
  3. Generate a Client ID and Client Secret through your authentication provider and paste them.
  4. From your authentication provider, copy the values for Base URL/Domain and Email Domain to Semgrep's Configure SSO: OpenID tab. For Okta SSO, the Base URL/Domain is your Okta domain.
  5. Provide a descriptive Display Name.

In case you encounter issues during the setup process, please reach out to support@semgrep.com for assistance.

SAML 2.0

SAML 2.0 is configured through Semgrep Cloud Platform.

To set up SSO:

  1. From your authentication provider, create the SAML app.
  2. From the App Dashboard, click on Settings > Access > SSO
  3. Copy the Single sign on URL and Audience URI. Paste the values as needed in your authentication provider. The Provider ID value is your organization's slug, found in Settings > Deployment.
  4. From your authentication provider, add two attribute statements: name and email.
  5. From your authentication provider, copy your IdP SSO URL, IdP Issuer ID, and X509 Certificate to Semgrep's Configure SSO: SAML tab.
  6. Provide a descriptive Display Name.

If you encounter issues during the setup process, reach out to support@semgrep.com for assistance.

Set up SAML SSO with Microsoft Entra ID

Prerequisites
  • An existing Microsoft Entra ID account.
  • Sufficient permissions within Microsoft Entra ID to create enterprise apps. See Microsoft Entra ID roles.

Setting up SAML SSO using Microsoft Entra ID consists of the following general steps:

  1. Create a custom enterprise app within Microsoft Entra ID.
  2. Set up SAML SSO for your new enterprise app.
  3. Add users to your new enterprise app.

Create a custom enterprise app

  1. Sign in to the Microsoft Entra admin center.
  2. Use the search bar to find and navigate to enterprise applications.
  3. Click New application > Create your own application. A menu appears.
  4. Name your new application something like Semgrep SAML.
  5. Select Integrate any other application you don't find in the gallery (non-gallery).
  6. Click Create. This takes you to your new enterprise application's page.

You have now created a custom enterprise app for Semgrep to integrate with Microsoft Entra ID. This enables you to set up SAML SSO.

Set up SAML SSO for your new enterprise app

  1. From your new enterprise app's page, go to Single-sign on > SAML.
  2. When prompted to Select a single sign-on method, select SAML. You are redirected to the SAML-based Sign-on page.
  3. In the Basic SAML Configuration section, click Edit. Provide the Entity ID and Reply URL. You can retrieve these values from Semgrep Cloud Platform by performing the following steps:
    1. Log in to Semgrep Cloud Platform and navigate to Settings > Access > SSO page.
    2. Click Add SAML2 SSO.
    3. Copy the Audience URL value from Semgrep Cloud Platform. Return to Basic SAML Configuration. Click Add identifier to paste this value as the Identifier (Entity ID).
    4. Copy the SSO URL value from Semgrep Cloud Platform. Return to Basic SAML Configuration. Click Add reply URL to paste this value as the Reply URL (Assertion Consumer Service URL).
  4. Click Save and close out of Basic SAML Configuration.
  5. In the Attributes and Claims section, click Edit. You must add two claims. To add your first claim:
    1. Click Add new claim.
    2. Enter name in the Name field.
    3. For the Source attribute drop-down box, select user.displayname.
    4. Click Save.
  6. To add your second claim:
    1. Click Add new claim.
    2. Enter email in the Name field.
    3. From the Source attribute drop-down box, select user.mail.
    4. Click Save.
  7. Close out of Attributes & Claims.
  8. Navigate to Semgrep Cloud Platform, and provide the values required by the SAML2 form:
    1. Provide the Display name and the Email domain you are using for the integration.
    2. Copy the Login URL value from Microsoft Entra ID and paste it into SCP's IDP SSO URL field.
    3. Copy and paste the Microsoft Entra ID Identifier value into SCP's IdP Issuer ID field.
    4. In Entra ID's SAML-based Sign-on page, click Download to obtain the Certificate (Base64).
    5. In Semgrep Cloud Platform, under Upload/Paste certificate, click Browse and then select the certificate you downloaded.
  9. Click Save. When prompted to confirm your SSO updates, click Update.

You have now set up SAML configuration between Microsoft Entra ID and Semgrep Cloud Platform.
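The SAML steps above depend on three values lining up: the Audience the IdP sends, the two attribute statements named exactly name and email, and the Email domain entered in SCP. The following is an added example, not Semgrep's or Microsoft's code, that checks a decoded assertion from a test login for those three things. The sample XML, URLs and addresses are constructed, and it deliberately sends the email under a namespaced attribute name to show how that misconfiguration surfaces.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP). The audience
# URL and the user details are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/audience/my-org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="name">
      <saml:AttributeValue>Ada Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text, expected_audience, email_domain):
    """Return a list of configuration problems; an empty list means none found.

    Inspects structure only. It does not verify the XML signature.
    """
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: got {audiences}")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for required in ("name", "email"):
        if not attrs.get(required):
            # A claim sent under a namespaced name is a different attribute.
            near = [n for n in attrs if n != required and required in n.lower()]
            problems.append(f"missing attribute '{required}'" + (f" (found {near})" if near else ""))
    email = attrs.get("email", "")
    if email and not email.lower().endswith("@" + email_domain.lower()):
        problems.append(f"email '{email}' is outside domain '{email_domain}'")
    return problems
```

Run it against an assertion decoded from a test sign-in in your own tenant; it is a configuration check and not a substitute for the signature validation the service provider performs.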

Add users to your new enterprise app

To add users to the application so they can log in with their domain emails, refer to Assign users and groups to an application.

