Skip to main content

Single-sign on (SSO) configuration

Your deployment journey

This article walks you through single-sign on (SSO) configuration. Semgrep supports SSO through OpenID Connect / OAuth 2.0 and SAML 2.0.

OpenID Connect / OAuth 2.0

warning

Semgrep AppSec Platform does not support using OpenID with Microsoft Entra ID. Follow the instructions for setting up SAML SSO with Microsoft Entra ID instead.

To set up SSO in Semgrep AppSec Platform:

  1. Sign in to Semgrep AppSec Platform.
  2. Navigate to Settings > Access > Login methods.
  3. Click Add SSO configuration and select OpenID SSO.
  4. Provide a Display name and the Email domain.
  5. Copy the Redirect URL, and provide it to your authentication provider. SSO configuration form displaying the redirect URL
  6. Generate a Client ID and Client Secret through your authentication provider and paste these values into Semgrep. Generating Client ID and Client Secret via the Okta
  7. From your authentication provider, copy the Base URL value, and provide it to Semgrep. For example, if you're using Okta SSO, the base URL is the Okta domain.
  8. Optional: provide the following values from your authentication provider if necessary:
    • Well Known URL
    • Authorize URI
    • Token URI
    • Userinfo URI
  9. Click Save to proceed.

If you encounter issues during the setup process, please reach out to support@semgrep.com for assistance.

SAML 2.0

SAML2.0 is configured through Semgrep AppSec Platform. To set up SSO:

  1. Create a SAML app with your authentication provider. Creating SAML app through Okta
  2. With your authentication provider, add in two attribute statements: name and email. Filling in attribute statements in Okta
  3. Sign in to Semgrep AppSec Platform.
  4. Navigate to Settings > Access > Login methods.
  5. Click Add SSO configuration and select SAML2 SSO.
  6. Provide a Display name and the Email domain.
  7. Copy the SSO URL and Audience URL (SP Entity ID), and provide it to your authentication provider. Finding Single sign on URL, and Audience URI via Semgrep AppSec Platform
  8. From your authentication provider, copy your IdP SSO URL and IdP Issuer ID values, and download the X509 Certificate. Finding IdP SSO URL, IdP Issuer ID, and X509 Certificate through Okta
  9. Return to Semgrep AppSect Platform, and paste the IdP SSO URL and IdP Issuer ID values, and upload your X509 Certificate. Filling in IdP SSO URL, IdP Issuer ID, and X509 Certificate on Semgrep
  10. Select the box next to This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin) if applicable.
  11. Click Save to proceed.

If you encounter issues during the setup process, reach out to support@semgrep.com for assistance.

Set up SAML SSO with Microsoft Entra ID

Prerequisites
  • An existing Microsoft Entra ID account.
  • Sufficient permissions within Microsoft Entra ID to create enterprise apps. See Microsoft Entra ID roles.

Setting up SAML SSO using Microsoft Entra ID consists of the following general steps:

  1. Create a custom enterprise app within Microsoft Entra ID.
  2. Set up SAML SSO for your new enterprise app.
  3. Add users to your new enterprise app.

Create a custom enterprise app

  1. Sign in to the Microsoft Entra admin center.
  2. Use the search bar to find and navigate to enterprise applications. Microsoft Entra admin center's Enterprise applications screen
  3. Click New application > Create your own application. A menu appears. Create your own application screen
  4. Name your new application something like Semgrep SAML.
  5. Select Integrate any other application you don't find in the gallery (non-gallery).
  6. Click Create. This takes you to your new enterprise application's page.

You have now created a custom enterprise app for Semgrep to integrate with Microsoft Entra ID. This enables you to set up SAML SSO.

Set up SAML SSO for your new enterprise app

  1. From your new enterprise app's page, go to Single-sign on > SAML. Enterprise application's Single-sign on menu option
  2. When prompted to Select a single sign-on method, select SAML. You are redirected to the SAML-based Sign-on page. SAML-based Sign-on screen
  3. In the Basic SAML Configuration section, click Edit. Provide the Entity ID and Reply URL. You can retrieve these values from Semgrep AppSec Platform by performing the following steps:
    1. Sign in to Semgrep AppSec Platform.
    2. Navigate to Settings > Access > Login methods.
    3. Click Add SSO configuration and select SAML2 SSO.
    4. Copy the Audience URL (SP Entity ID) value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add identifier to paste this value as the Identifier (Entity ID).
    5. Copy the SSO URL value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add reply URL to paste this value as the Reply URL (Assertion Consumer Service URL).
  4. Click Save and close out of Basic SAML Configuration.
  5. In the Attributes and Claims section, click Edit. You must add two claims. To add your first claim:
    1. Click Add new claim.
    2. Enter name in the Name field.
    3. For the Source attribute drop-down box, select user.displayname.
    4. Click Save.
  6. To add your second claim:
    1. Click Add new claim.
    2. Enter email in the Name field.
    3. From the Source attribute drop-down box, select user.mail.
    4. Click Save.
  7. Close out of Attributes & Claims.
  8. Navigate to Semgrep AppSec Platform, and provide the values required by the SAML2 form:
    1. Provide the Display name and the Email domain you are using for the integration.
    2. Copy the Login URL value from Microsoft Entra ID and paste it in into Semgrep AppSec Platform's IDP SSO URL field.
    3. Copy and paste the Microsoft Entra ID Identifier value into Semgrep AppSec Platform's IdP Issuer ID field.
    4. In Entra ID's SAML-based Sign-on page, click Download to obtain the Certificate (Base64).
    5. In Semgrep AppSec Platform, under Upload/Paste certificate, click Browse and then select the certificate you downloaded. Semgrep AppSec Platform's SAML2 configuration screen
  9. Select the box next to This SSO supports non-password authentication mechanisms (e.g. MFA, X509, PasswordLessPhoneSignin) if applicable.
  10. Click Save to proceed.

Add users to your new enterprise app

To add users to the application in so they can log in with their domain emails, refer to Assign users and groups to an application.

Turn off sign in with GitHub / GitLab

If you have SSO enabled, you can turn off login using GitHub or GitLab credentials. Doing so forces members of your organization to log in using an email address with an approved domain.

  1. Sign in to your Semgrep account.
  2. Navigate to Settings > Access > Login methods.
  3. GitHub users: Click the GitHub SSO toggle to turn off logins using GitHub.
  4. GitLab users: Click the GitLab SSO toggle to turn off logins using GitLab.
warning

Ensure that you have at least one user who can log in through SSO before disabling sign in with GitHub or GitLab.

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.