SAML Authentication

This document describes how to configure Security Assertion Markup Language (SAML) authentication for the Censys Platform. After you successfully configure SAML for the Platform, you must complete the configuration for your identity provider (IdP). Censys provides the information you need for your IdP.

SAML for single sign-on (SSO) allows you to use an IdP to manage authentication for organization members.

Censys Platform currently supports SAML via Okta. Support for additional IdPs is coming soon.

Prerequisites

  • Organizational Admins can create, edit, and delete SAML configurations.
  • Organizations must be on the Enterprise tier to use SAML.
  • Organizations can have a maximum of 10 SAML configurations.
  • Each configuration can have a maximum of 10 domains.

Configure SAML authentication in Censys

  1. Go to My Account > Authentication.

  2. Click Set up configuration.

  3. (Optional) Name your SAML configuration in the Configuration Name field.

  4. (Optional) Enable Sign Authentication Requests. This setting defaults to disabled.

    Note: Some IdPs require this; you can also enable it to increase security. If enabled, Censys digitally signs the SAML authentication request before sending it to the IdP.

  5. In the Identity Provider Information section, enter your IdP's Metadata URL and click Populate to fill in the required IdP information automatically. Alternatively, enter this information manually in the fields to the right.

  6. (Optional) Enable Allow IdP-Initiated Login Endpoint. This setting defaults to disabled. Enable this to allow users to log in directly from the IdP portal.

  7. Click Save Configuration.

Service provider information

Service Provider Information contains the details your IdP needs to complete the SAML configuration. Click the icon to the right to copy the value.

Add domain

After you complete the SAML configuration for Censys, you must add and verify your domain.

Note: Censys periodically verifies that the TXT record is still present in your domain’s DNS. This ensures that your organization maintains control of the domain.

  1. Click Add Domain.

  2. Enter your domain in the Domain Name field and click Input.

  3. The field then populates with the Censys Domain Verification name.

  4. Add the Censys Domain Verification as a TXT record in your domain’s DNS settings. This TXT record is used to verify that you control the domain.

  5. Click Verify to the right of the value. If you submitted a valid domain, Verified is displayed.

Tip: If you receive an error, verify that you entered the correct value into your DNS settings and try again.
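As an added example (not Censys code), the following Python script reproduces the check the tip describes: it parses TXT records the way a resolver returns them and reports whether the verification value is present exactly, or the most likely reason it is not. The sample records and the verification value are constructed placeholders; the real value is the one the Censys UI shows you, and the record name format used here is an assumption.

```python
# Added example (not Censys code): check that the Censys Domain Verification
# value is present in a domain's TXT records, as a DNS resolver would see it.
# The TXT records below are constructed, and the verification value is a
# placeholder; the real value is the one the Censys UI gives you.
import re

# Constructed sample of what `dig +short TXT example.com` prints. A TXT record
# may be split into several quoted strings (second line); resolvers join them.
SAMPLE_DIG_OUTPUT = """\
"v=spf1 include:_spf.example.net -all"
"censys-domain-verification=" "PLACEHOLDER-TOKEN-1234"
"other-site-verification=abc123"
"""

# One quoted character-string, allowing backslash-escaped quotes inside it.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_txt_records(dig_output: str) -> list[str]:
    """Return one string per TXT record from dig-style output.

    Each non-empty line is one record; the quoted strings on a line are
    concatenated in order, which is how multi-string TXT records are read.
    """
    records = []
    for line in dig_output.splitlines():
        parts = _QUOTED.findall(line)
        if parts:
            records.append("".join(p.replace('\\"', '"') for p in parts))
    return records


def find_verification(records: list[str], expected: str) -> bool:
    """True only if some record equals the expected value exactly.

    The comparison is case-sensitive and ignores only surrounding whitespace,
    so a value pasted with stray characters is reported as missing rather
    than silently accepted.
    """
    return any(r.strip() == expected for r in records)


def diagnose(records: list[str], expected: str) -> str:
    """Explain the most common reasons verification fails."""
    if find_verification(records, expected):
        return "verified"
    for r in records:
        value = r.strip()
        if value.lower() == expected.lower():
            return "case mismatch: a record differs from the value only in letter case"
        if expected in value:
            return "extra characters: a record contains the value plus other text"
    return "missing: no TXT record carries the verification value"


if __name__ == "__main__":
    recs = parse_txt_records(SAMPLE_DIG_OUTPUT)
    print(diagnose(recs, "censys-domain-verification=PLACEHOLDER-TOKEN-1234"))
```

To use it against a live zone, replace SAMPLE_DIG_OUTPUT with the actual output of `dig +short TXT <your-domain>`; querying a public resolver rather than your own authoritative server shows what Censys will see once the record has propagated.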

Next steps

Now that you configured SAML for Censys, use the information provided in the Service Provider Information section to complete the configuration in your IdP.

Attributes

Censys expects the following attributes from the IdP:

  Attribute                Example
  email                    email
  given or first name      given_name, givenname, first_name, firstname
  last name                last_name, lastname, sur_name, surname, sn
  organization (optional)  organization

If the organization attribute is unused, Censys uses the email domain. This value is not the name of the Platform organization in Censys.
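To show how the alias list in the table resolves in practice, here is an added example (not Censys code) that reads a SAML AttributeStatement and maps it onto the expected fields, falling back to the email domain when organization is absent. The assertion fragment is constructed and unsigned, and case-insensitive matching of attribute names is this example's own assumption, not a documented Censys behaviour.

```python
# Added example (not Censys code): resolve IdP attribute names to the fields
# Censys expects, using the alias list from the Attributes table.
# Assumptions of this example: attribute names are matched case-insensitively,
# and the assertion has already been signature-checked (a service provider must
# validate the signature, audience and conditions before trusting attributes).
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Accepted names per expected field, from the table. The first alias found wins.
ALIASES = {
    "email": ["email"],
    "given_name": ["given_name", "givenname", "first_name", "firstname"],
    "last_name": ["last_name", "lastname", "sur_name", "surname", "sn"],
    "organization": ["organization"],
}

# Constructed, unsigned sample: this IdP sends "firstName" and "sn", and no organization.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="firstName">
    <saml:AttributeValue>Alice</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="sn">
    <saml:AttributeValue>Liddell</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(xml_text: str) -> dict[str, list[str]]:
    """Return {lower-cased attribute name: [values]} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "").lower()
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def map_to_censys_fields(attrs: dict[str, list[str]]) -> dict[str, str]:
    """Resolve aliases into the four expected fields.

    Raises ValueError when email, given name or last name is absent, since a
    user cannot be provisioned without them. Organization falls back to the
    email domain, as the table states.
    """
    resolved: dict[str, str] = {}
    for fld, names in ALIASES.items():
        for n in names:
            if attrs.get(n):
                resolved[fld] = attrs[n][0]
                break
    missing = [f for f in ("email", "given_name", "last_name") if f not in resolved]
    if missing:
        raise ValueError(f"assertion lacks required attribute(s): {missing}")
    if "organization" not in resolved:
        resolved["organization"] = resolved["email"].rsplit("@", 1)[-1].lower()
    return resolved


if __name__ == "__main__":
    print(map_to_censys_fields(parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)))
```

When an IdP emits a name outside the alias list (for example a URI-style attribute name), the mapping fails loudly rather than guessing, which is the point at which you would add an attribute mapping on the IdP side.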

Activate SAML

After you successfully configure SAML in your IdP, you can activate your SAML configurations in Censys. Organizations can have multiple active SAML configurations with multiple domains.

Follow the steps below to activate a SAML Configuration:

  1. Go to My Account > Authentication.

  2. Locate the SAML configuration you want to activate and switch the Active/Inactive toggle to Active.

  3. The SAML configuration is now Active.

Post-activation behavior

  • When a user logs in, they use the SAML configuration that supports the domain of the email address they log in with.
  • After SAML is activated, all users whose email addresses match a verified domain are redirected to the configured IdP during login.

Set up non-SAML admin

Organizations can set up a non-SAML admin user (a user on a domain not configured for SAML) to avoid getting locked out of the account while testing.

To avoid getting locked out while testing SAML:

  • Set up a backup admin account using an email address on a domain not configured for SAML.
  • This non-SAML admin account allows you to bypass SAML login if configuration issues occur.
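The routing described under Post-activation behavior, together with the non-SAML backup admin from this section, as an added example (not Censys code). It models the page's rules with constructed data: only active configurations and verified domains send a login to an IdP, the configuration and domain limits from Prerequisites are enforced, and an email on any other domain falls back to password login. The class and function names are this example's own.

```python
# Added example (not Censys code): a small model of the documented login
# routing rules. Data classes, function names and the sample organization
# below are constructed for illustration; only the rules come from the page.
from dataclasses import dataclass, field

MAX_CONFIGS_PER_ORG = 10      # Prerequisites: at most 10 SAML configurations
MAX_DOMAINS_PER_CONFIG = 10   # Prerequisites: at most 10 domains per configuration


@dataclass
class Domain:
    name: str
    verified: bool = False     # set once the TXT record check succeeds


@dataclass
class SamlConfig:
    name: str
    active: bool = False
    domains: list[Domain] = field(default_factory=list)

    def add_domain(self, name: str, verified: bool = False) -> Domain:
        if len(self.domains) >= MAX_DOMAINS_PER_CONFIG:
            raise ValueError(f"{self.name}: domain limit of {MAX_DOMAINS_PER_CONFIG} reached")
        d = Domain(name.lower(), verified)
        self.domains.append(d)
        return d


class Organization:
    def __init__(self) -> None:
        self.configs: list[SamlConfig] = []

    def add_config(self, name: str, active: bool = False) -> SamlConfig:
        if len(self.configs) >= MAX_CONFIGS_PER_ORG:
            raise ValueError(f"configuration limit of {MAX_CONFIGS_PER_ORG} reached")
        cfg = SamlConfig(name, active)
        self.configs.append(cfg)
        return cfg

    def route_login(self, email: str):
        """Return the SAML config that handles this email, or None for password login.

        Only active configurations and verified domains count, and the domain
        match is case-insensitive. None is what keeps a backup admin on a domain
        that is not configured for SAML from being locked out.
        """
        if "@" not in email:
            raise ValueError("not an email address")
        domain = email.rsplit("@", 1)[1].lower()
        for cfg in self.configs:
            if cfg.active and any(d.verified and d.name == domain for d in cfg.domains):
                return cfg
        return None


def sample_org() -> Organization:
    """Constructed organization: one active config, one configured but inactive."""
    org = Organization()
    corp = org.add_config("corp-okta", active=True)
    corp.add_domain("example.com", verified=True)
    corp.add_domain("example.org")              # added but never verified
    staging = org.add_config("staging-okta")    # saved but not yet activated
    staging.add_domain("staging.example", verified=True)
    return org


if __name__ == "__main__":
    org = sample_org()
    for who in ("alice@example.com", "bob@example.org", "backup-admin@example.net"):
        cfg = org.route_login(who)
        print(who, "->", cfg.name if cfg else "password login")
```

Running the model shows the two ways a domain stays on password login even after activation: its TXT record was never verified, or its configuration was never toggled to Active. Both are worth checking before assuming a SAML misconfiguration.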

If you are unable to create a backup admin account, you can open an incognito/private browser window and test the login there instead.