{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition","img"]},"type":"markdown"},"seo":{"title":"Single Sign-On Guide for HiddenLayer AI Security Platform","siteUrl":"https://docs.hiddenlayer.ai","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"single-sign-on-guide-for-hiddenlayer-ai-security-platform","__idx":0},"children":["Single Sign-On Guide for HiddenLayer AI Security Platform"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The HiddenLayer AI Security Platform provides SAML application integrations so that users can sign in to the Console with single sign-on, which streamlines the authentication process. The Console supports SAML 2.0 and should work with any provider that supports SAML 2.0."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["MFA is enforced by the configured identity provider (IdP) and is not managed separately by HiddenLayer."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"sso-setup","__idx":1},"children":["SSO Setup"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Administrators can configure the Console login with their single sign-on Identity Provider (IdP)."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the Console, go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings > SSO"]},". 
The Service Providers Details tab displays the data needed to establish a trusted connection between your IdP and HiddenLayer."]},{"$$mdtype":"Tag","name":"details","attributes":{},"children":[{"$$mdtype":"Tag","name":"summary","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Expand"]},": Service Providers Details tab descriptions"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Assertion Consumer Service (ACS) Callback URL"]},": Endpoint on a service provider (SP) that receives and parses a SAML assertion made by the identity provider (IdP)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Secondary Assertion Consumer Service (ACS) Callback URL"]},": If you do not enable request signature validation in your IdP configuration, this URL is necessary to add as an allowable alternative ACS URL."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Issuer"]},": Unique string that identifies the provider issuing a SAML request."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Metadata URL"]},": Provides SAML metadata information, which can be used to configure the application in the IdP as an SP."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Single Logout (SLO) URL"]},": Single Logout (SLO) is a feature in federated authentication that allows end users to automatically sign out of their IdP session when they end their HiddenLayer session."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Request Signing Certificate"]},": The certificate used to sign SAML requests sent 
by the SP. If you choose to validate the request signature, you will need to upload these contents into your SP."]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After entering the HiddenLayer Service Provider Details into your IdP's integration configuration, take the details provided by your IdP and enter them into the Configure SAML SSO tab."]},{"$$mdtype":"Tag","name":"details","attributes":{},"children":[{"$$mdtype":"Tag","name":"summary","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Expand"]},": Configure SAML SSO tab descriptions"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["IdP SSO URL"]},": The address that an IdP supplies to redirect users for authentication."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Issuer"]},": Entity that manages, creates, and maintains identity information for principals. 
It also provides authentication services to relying parties."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Managed Domains"]},": Domains that are managed by the IdP."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"b","attributes":{},"children":["Provider Public Certificate"]},": Used to verify the authenticity of requests and messages."]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enable the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Is IdP Initiation Enabled"]}," checkbox to allow your IdP to initiate the SAML v2 flow."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"example-idp-setups","__idx":2},"children":["Example IdP Setups"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This guide provides the following as examples:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#microsoft_entra"},"children":["Microsoft Entra"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#okta"},"children":["Okta"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"microsoft-entra","__idx":3},"children":["Microsoft Entra"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"prerequisites","__idx":4},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before creating an app integration in Microsoft Entra, you need the following information from HiddenLayer 
Support."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identifier (Entity ID)"]}," - this could be called the Issuer."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Reply URL"]}," - this could be called the ACS or Callback URL."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SP-initiated Callback URL"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"create-enterprise-application","__idx":5},"children":["Create Enterprise Application"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After receiving the SSO information from HiddenLayer, create an Enterprise Application in Azure."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the Azure console, search for and select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Enterprise Applications"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["New application"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create your own application"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter a name for the application. 
Example: HiddenLayer."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Make sure ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Integrate any other application you don’t find in the gallery (Non-gallery)"]}," is selected."]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_microsoft_entra_create_application.432c9308a7a97b0a611af75439f01fddc51ab7f26e7be683b77c2e49d61ee626.7451bfb6.png","alt":"Single Sign On Microsoft Entra Create Application","withLightbox":true,"width":"500px","align":"center"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create"]},". It may take a few moments to create the application. When the application is created, the Overview page displays."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Expand Manage, then select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Single sign-on"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SAML"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For Basic SAML Configuration, click the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Edit"]}," button."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under Identifier (Entity ID), click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add identifier"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Copy and paste 
the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Issuer"]}," from HiddenLayer Console (see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"#sso-setup"},"children":["SSO Setup"]}," above)."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under Reply URL (Assertion Consumer Service URL), click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add reply URL"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Copy and paste the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Assertion Consumer Service (ACS) Callback URL"]}," from HiddenLayer into the field."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Make sure Default is selected. When Entra initiates a sign-on, this is the URL to use."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Under Reply URL, click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add reply URL"]}," to add a second URL."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Copy and paste the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Secondary Assertion Consumer Service (ACS) Callback URL"]}," you received from HiddenLayer into the field."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Optional"]},": Configure Sign-on URL (only required for SP-initiated SSO)."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Note"]},": Skip this step if you only plan to use IDP-initiated SSO. 
SP-initiated flows will fail without a populated Sign-on URL."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For the Sign on URL, enter the SP-initiated Callback URL for your region."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["US region: https://console.us.hiddenlayer.ai/"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["EU region: https://console.eu.hiddenlayer.ai/"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For user-based role assignments, edit the Attributes & Claims. Make sure you are on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Manage > Single sign-on"]}," page for the application."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Attributes & Claims, click the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Edit"]}," button."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add new claim"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name, enter ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["role"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Source attribute, select ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user.assignedroles"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Leave the namespace 
blank."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_microsoft_entra_attribute_claim.94b7d2ae76fa8af1ce1ef7651547585f7cfa204e1cde25aafa742f2a6b140211.7451bfb6.png","alt":"Microsoft Entra Manage Claim","withLightbox":true,"width":"500px","align":"center"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After the Enterprise Application is created, be sure to assign users or groups to the application."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Go to Microsoft Entra ID."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under Manage, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["App registrations"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Select your HiddenLayer application. 
You might need to click the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["All applications"]}," tab."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In your HiddenLayer application, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Manage > App roles"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create app role"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create separate app roles for Org Admin, Analyst, and Viewer."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Viewer"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Display name: Viewer"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Allowed member types: Users/Groups"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Value: viewer"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Description: HiddenLayer Viewer Role"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Analyst"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Display name: Analyst"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Allowed member types: Users/Groups"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Value: analyst"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Description: HiddenLayer Analyst 
Role"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Org Admin"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Display name: Org Admin"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Allowed member types: Users/Groups"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Value: admin"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Description: HiddenLayer Admin Role"]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_microsoft_entra_saml_app_role_admin.0c378bdc0cfa35ba3365d867aa022ce5f450ac4369b773dcc3afeae68ee13da3.7451bfb6.png","alt":"Microsoft Entra SAML App Role Admin","withLightbox":true,"width":"500px","align":"center"},"children":[]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Apply"]}," to save each app role."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Assign your users to these roles, as needed."]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the HiddenLayer Console, copy and paste the following information on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Configure SAML SSO"]}," tab on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings > SSO"]}," page."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["From Set up HiddenLayer (or the name you gave the 
application):"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Login URL"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Microsoft Entra Identifier"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Logout URL"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["From SAML Certificates:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Certificate (Base64)"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following example images show where to find the above information in the Azure console."]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_microsoft_entra_saml_certificates.f9e3a441841ffa16235fb9ea6c67b656f9df7732f70001c10c550b01b91f1ade.7451bfb6.png","alt":"Microsoft Entra SAML Certificate","withLightbox":true,"width":"500px","align":"center"},"children":[]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"okta","__idx":6},"children":["Okta"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"prerequisites-1","__idx":7},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before creating an app integration in Okta, you need the following information from ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings > SSO > Configure SAML SSO"]}," in the HiddenLayer Console:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Single sign-on URL"]}," - This could be called the Secondary Assertion Consumer Service (ACS) Callback 
URL."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Audience URI (SP Entity ID)"]}," - This could be called the Issuer."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Signature Certificate"]}," - This could be called the Request Signing Certificate."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"create-app-integration","__idx":8},"children":["Create App Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After receiving the SSO information from HiddenLayer, create an application integration in Okta."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In the Okta console, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Applications > Applications"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Create App Integration"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For Sign-in method, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["SAML 2.0"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Next"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter a name for the integration, then click 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Next"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Optionally, upload an icon for the app."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter the SAML settings for the integration."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Single sign-on URL"]}," provided by HiddenLayer."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["This is the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Secondary Assertion Consumer Service (ACS) Callback URL"]},"."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Leave the box checked to “Use this for Recipient URL and Destination URL.”"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Audience URI (SP Entity ID)"]}," provided by HiddenLayer."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["This is ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Issuer"]},"."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Set Name ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["ID format"]}," to 
“EmailAddress.”"]}]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_okta_saml_settings_general.fe2188870dad862f1e82de2c6438328a9b7223c0ae5714e29bcdba70002e601f.7451bfb6.png","alt":"Single Sign On Okta Settings General","withLightbox":true,"width":"500px","align":"center"},"children":[]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Show Advanced Settings"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Set up SP Request validation by certificate:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Signature Certificate"]},", do the following:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Create a text file with a PEM extension (.pem)."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Copy and paste the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Request Signing Certificate"]}," from the HiddenLayer Console."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Save the PEM file."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Upload the file to Okta."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Signed Requests"]},", check “Validate SAML requests with signature 
certificates.”"]}]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_okta_saml_settings_signature_certificate.9a01ed06b876fc3333f5caa0cdb22b493d876516f7dbbf92e31e3c632e36963a.7451bfb6.png","alt":"Okta SAML Settings Signature Certificate","withLightbox":true,"width":"500px","align":"center"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Alternative approach: If use of the request signing certificate is not desired for some reason, the service provider can be authenticated by callback URL. To do this, use a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["“Requestable SSO URL”"]}," as follows. (Note this will be disabled if certificate validation is set.)"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For Other ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Requestable SSO URLs"]},", click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add Another"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Other Requestable SSO URL"]}," provided by HiddenLayer."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["This could be called the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Secondary Assertion Consumer Service (ACS) Callback URL"]},"."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enter zero for 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Index"]},"."]}]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_okta_saml_settings_other_url.8c55cb545b3dec27a5af1d266c542fe273dcaa50ee34307686c5ea5ba8e4b6d0.7451bfb6.png","alt":"Okta SAML Settings Other Requestable SSO URL","withLightbox":true,"width":"500px","align":"center"},"children":[]}]}]}]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Next"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Optionally, under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Help Okta support understand how you configured this application"]},", select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["It’s required to contact the vendor to enable SAML"]},". This is not required."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Finish"]},". The app integration is created and the SAML 2.0 settings display."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click on the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Sign On"]}," tab and under SAML 2.0 click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["More details"]},". 
Copy the following:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Sign on URL"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Issuer"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Signing Certificate"]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/okta-signon-more-details.850f8d930ef52efb9997989e8ed1b8f198542fc941738c080eb031fc624fd324.7451bfb6.png","alt":"Okta Sign On Methods More Details","withLightbox":true,"width":"500px","align":"center"},"children":[]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Paste the above information to the Configure SAML SSO tab on the SSO page in the HiddenLayer Console."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Sign On URL maps to IdP SSO URL"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Issuer maps to Issuer"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Signing Certificate maps to Provider Public Certificate"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Ensure that -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are present when pasting the certificate"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/okta-signon-more-details-expanded.ba97b1366c4ae315786bd7b14d0d60b1cbda4d015b8dc6b907e41d337629a833.7451bfb6.png","alt":"Okta Sign On Methods Expanded 
Details","withLightbox":true,"width":"500px","align":"center"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After the Okta app integration is created, be sure to assign users or groups to the app integration."]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"attribute-statements-optional","__idx":9},"children":["Attribute Statements (Optional)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following settings are for Okta attribute statements, which are SAML assertion components used to pass user-specific data (like email or roles) from Okta to a SAML application during authentication."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Attribute Statements (optional)"]},", add a firstName."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name, enter ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["firstname"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name format, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Basic"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Value, select ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user.firstName"]},"."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Attribute Statements (optional)"]},", add a 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["lastName"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name, enter ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["lastname"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name format, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Basic"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Value, add the values that match your environment. Example: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user.lastName"]},"."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Attribute Statements (optional)"]},", add an ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["email"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name, enter ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["email"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name format, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Basic"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Value, add the values that match your environment. 
Example: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user.email"]},"."]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Under Attribute Statements (optional), add ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["Roles"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name, enter ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Roles"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Name format, select ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Basic"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For Value, add ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["appuser.roles"]},"."]}]}]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/okta-attribute-statements.bb160eb7810c2c528bc1e2b77eac13d0a117b0ab85ae39892ee2c79b3d8ece02.7451bfb6.png","alt":"Okta SAML Settings Attribute Statements","withLightbox":true,"width":"500px","align":"center"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"user-profile-configuration-for-rbac","__idx":10},"children":["User Profile Configuration for RBAC"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can configure the HiddenLayer Okta application to pass all groups for role-based access control (RBAC)."]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Edit the HiddenLayer User Profile in Okta."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Go to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Directory > Profile Editor"]},", then click 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Add Attribute"]},"."]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_okta_profile_editor.e185e961a604961c7c66e100cfd6c8fad1d909e3f6a3dd784a9eff79890c107b.7451bfb6.png","alt":"Okta Profile Editor","withLightbox":true,"width":"500px","align":"center"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Configure the Attribute as follows. Also see the image below. For more information about custom attributes in an Okta user profile, see ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-add-custom-user-attributes.htm","target":"_blank"},"children":["Okta's documentation"]},"."]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Data type: string array"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Display name: Role"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Variable name: role"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Description: HiddenLayer Role"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Enum: Enable ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Define enumerated list of values"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Attribute Members: Add the following ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Display name : 
Value"]}]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Org Admin : admin"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["User Admin : user-admin"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Analyst : analyst"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Viewer : viewer"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Attribute required: Yes"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Attribute type: Group"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Group Priority: ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Combine values across groups"]}]}]}]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_okta_profile_editor_add_attribute.d95c45158930929430828191001f4025c45d50bab931a2c032e081e0dba67745.7451bfb6.png","alt":"Okta Profile Editor Add Attribute","withLightbox":true,"width":"500px","align":"center"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Save"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Assign groups to the Application."]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_okta_profile_editor_assign_group.1e2c5ab5b3fea9647d9f56b10a8ef70cd7de2986843527c987f56d5ec3276961.7451bfb6.png","alt":"Okta Profile Editor Assign Groups to Application","withLightbox":true,"width":"500px","align":"center"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Specify 
the HiddenLayer Role to assign to the group."]},{"$$mdtype":"Tag","name":"Image","attributes":{"src":"/assets/sso_okta_profile_editor_assign_hiddenlayer.694dabe3167a48ed89f1d99ef78b291316679c3d3721206c5488f951a80d06b2.7451bfb6.png","alt":"Okta Profile Editor HiddenLayer Role Assign to Group","withLightbox":true,"width":"500px","align":"center"},"children":[]}]}]}]},"headings":[{"value":"Single Sign-On Guide for HiddenLayer AI Security Platform","id":"single-sign-on-guide-for-hiddenlayer-ai-security-platform","depth":1},{"value":"SSO Setup","id":"sso-setup","depth":2},{"value":"Example IdP Setups","id":"example-idp-setups","depth":2},{"value":"Microsoft Entra","id":"microsoft-entra","depth":3},{"value":"Prerequisites","id":"prerequisites","depth":4},{"value":"Create Enterprise Application","id":"create-enterprise-application","depth":4},{"value":"Okta","id":"okta","depth":3},{"value":"Prerequisites","id":"prerequisites-1","depth":4},{"value":"Create App Integration","id":"create-app-integration","depth":4},{"value":"Attribute Statements (Optional)","id":"attribute-statements-optional","depth":4},{"value":"User Profile Configuration for RBAC","id":"user-profile-configuration-for-rbac","depth":4}],"frontmatter":{"seo":{"title":"Single Sign-On Guide for HiddenLayer AI Security Platform"}},"lastModified":"2026-06-24T16:43:48.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/docs/products/console/single_sign_on","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}