• Semgrep AppSec Platform
• Team & Enterprise Tier

Single-sign on (SSO) configuration

Your deployment journey

• You have gained the necessary resource access and permissions required for deployment.
• You have created a Semgrep account and organization.
• For GitHub and GitLab users: You have connected your source code manager.

The only required steps to ensure that users are added to Semgrep AppSec Platform are on the side of the SSO provider. After setting up SSO, users are able to sign in to your Semgrep organizations by entering their SSO credentials.

Semgrep supports SSO through OpenID Connect / OAuth2 and SAML 2.0.

OpenID Connect / OAuth2

To set up SSO:

1. In Semgrep AppSec Platform, click Settings > Access > SSO, and then select Add OpenID SSO.
2. Copy the Redirect URL.
3. Generate a Client ID and Client Secret through your authentication provider and paste them.
4. From your authentication provider, copy the values for Base URL/Domain and Email Domain to Semgrep's Configure SSO: OpenID tab. Base URL/Domain is Okta domain for Okta SSO.
5. Provide a descriptive Display Name.

In case you encounter issues during the setup process, please reach out to support@semgrep.com for assistance.

SAML 2.0

SAML2.0 is configured through Semgrep AppSec Platform.

To set up SSO:

1. From your authentication provider, create the SAML app.
2. From the App Dashboard, click on Settings > Access > SSO
3. Copy the Single sign on URL, and Audience URI. Paste the values as needed in your authentication provider. The Provider ID value will be your organization's slug in Settings > Deployment,
4. From your authentication provider, add in two attribute statements name and email.
5. From your authentication provider, copy your IdP SSO URL, IdP Issuer ID, and X509 Certificate to Semgrep's Configure SSO: SAML tab.
6. Provide a descriptive Display Name.

If you encounter issues during the setup process, reach out to support@semgrep.com for assistance.

Set up SAML SSO with Microsoft Entra ID

Prerequisites

• An existing Microsoft Entra ID account.
• Sufficient permissions within Microsoft Entra ID to create enterprise apps. See Microsoft Entra ID roles.

Setting up SAML SSO using Microsoft Entra ID consists of the following general steps:

1. Create a custom enterprise app within Microsoft Entra ID.
2. Set up SAML SSO for your new enterprise app.
3. Add users to your new enterprise app.

Create a custom enterprise app

1. Sign in to the Microsoft Entra admin center.
2. Use the search bar to find and navigate to enterprise applications.
3. Click New application > Create your own application. A menu appears.
4. Name your new application something like Semgrep SAML.
5. Select Integrate any other application you don't find in the gallery (non-gallery).
6. Click Create. This takes you to your new enterprise application's page.

You have now created a custom enterprise app for Semgrep to integrate with Microsoft Entra ID. This enables you to set up SAML SSO.

Set up SAML SSO for your new enterprise app

1. From your new enterprise app's page, go to Single-sign on > SAML.
2. When prompted to Select a single sign-on method, select SAML. You are redirected to the SAML-based Sign-on page.
3. In the Basic SAML Configuration section, click Edit. Provide the Entity ID and Reply URL. You can retrieve these values from Semgrep AppSec Platform by performing the following steps:
   1. Log in to Semgrep AppSec Platform and navigate to Settings > Access > SSO page.
   2. Click Add SAML2 SSO.
   3. Copy the Audience URL value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add identifier to paste this value as the Identifier (Entity ID).
   4. Copy the SSO URL value from Semgrep AppSec Platform. Return to Basic SAML Configuration. Click Add reply URL to paste this value as the Reply URL (Assertion Consumer Service URL).
4. Click Save and close out of Basic SAML Configuration.
5. In the Attributes and Claims section, click Edit. You must add two claims. To add your first claim:
   1. Click Add new claim.
   2. Enter name in the Name field.
   3. For the Source attribute drop-down box, select user.displayname.
   4. Click Save.
6. To add your second claim:
   1. Click Add new claim.
   2. Enter email in the Name field.
   3. From the Source attribute drop-down box, select user.mail.
   4. Click Save.
7. Close out of Attributes & Claims.
8. Navigate to Semgrep AppSec Platform, and provide the values required by the SAML2 form:
   1. Provide the Display name and the Email domain you are using for the integration.
   2. Copy the Login URL value from Microsoft Entra ID and paste it in into Semgrep AppSec Platform's IDP SSO URL field.
   3. Copy and paste the Microsoft Entra ID Identifier value into Semgrep AppSec Platform's IdP Issuer ID field.
   4. In Entra ID's SAML-based Sign-on page, click Download to obtain the Certificate (Base64).
   5. In Semgrep AppSec Platform, under Upload/Paste certificate, click Browse and then select the certificate you downloaded.
9. Click Save. When prompted to confirm your SSO updates, click Update.

You have now set up SAML configuration between Microsoft Entra ID and Semgrep AppSec Platform.

Add users to your new enterprise app

To add users to the application in so they can log in with their domain emails, refer to Assign users and groups to an application.

---

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.