Introduction

Triage Private Cloud supports SAML authentication to enable SSO for your organization. This document describes the steps required to enable SAML authentication. Only Service Provider initiated SSO is supported at this time.

Prerequisites

You need the following from Hatching to start with enabling SAML authentication. Need them? Request the enabling of SAML by contacting support@hatching.io.

• Single Sign on URL
• Service Provider Entity ID URL

Adding Triage to your identity provider

Triage supports SAML-SSO from Okta, Google and Microsoft Azure. Be sure to let us know if you want us to support other identity providers.

Setting up SAML-SSO consists of two steps on your side:

Step one

• Initial configuration, setting the corrects paths/URLs, which will be supplied by Hatching International B.V. Did not receive any paths? Please contact support at support@hatching.io

Step two:

• Finishing touch, requires you to contact support and enable SAML authentication and send us a metadata URL or file. After this, SSO should be working correctly within your organization.

We support the following providers, pick the one that is relevant to your organization.

• Okta
• Microsoft Azure
• Google

Okta

1. Login to Okta and click on "Applications" and click "Create App Integration".

   
   
   

2. Select the "SAML 2.0" option and click on Next.

   
   
   

3. Choose an app name for Triage within your organization and click on Next.

   
   
   

4. This step requires the details that are referenced in Prerequisites.
   
   Retrieve the Single sign on URL and Service Provider Entity ID from the Hatching support mail.
   
   Fill both fields with their respected value according to the email. Make sure that "Use this for Recipient URL and Destination URL" is selected.
   
   Click "Show Advanced Settings" and proceed to step 5.

   
   
   

5. Normally the advanced settings are correct by default, but please verify the data shown with this screenshot to prevent any issues later on.

1. Add the following attributes:

Attribute name	Value	Name format	Friendly name
email	user.email	Unspecified	Email
firstName	user.firstName	Unspecified	First name
lastName	user.lastName	Unspecified	Last name

1. Click "Preview the SAML Assertion" and save the output to a text file. This file can speed up the support process if any issues arise. Click on Next.

1. Select "I'm an Okta customer adding an internal app" and check the "It's required to contact the vendor to enable SAML" box. Click Finish. This will reroute you to the application page.

   
   
   

2. Proceed by clicking on "Identity Provider metadata" and copy the url out of the address bar.
   
   Compose a new email to support@hatching.io with a request to enable SAML authentication and include the copied URL to the metadata file.
   
   

   
   
   

Microsoft Azure

1. Login to Microsoft Azure, open the menu and search for "Azure Active Directory" and click it.

   
   
   

2. Click "Add" and select "Enterprise application".

   
   
   

3. Click on "Create your own application".

   
   
   

4. Choose a name for the app (Triage), and select the "Non-gallery" option.

   
   
   

5. Select "Set up single sign on".

   
   
   

6. Select "SAML".

   
   
   

7. A settings menu will be shown. In this menu all the SAML details will be filled from now on. The details provided by email from Hatching support are required in this step as mentioned in Prerequisites. Click on "Edit".

   
   

8. First, fill in the received Service Provider Entity ID at "Identifier (Entity ID)" (dot 1), make sure to check it as default (dot 2).
   
   Second, the received Single Sign on URL should be placed in the "Reply URL" field ( dot 3).
   
   Finally, hit Save (dot 4). After saving, you can hit the X not shown in the screenshot and click Edit at step 2, "Attributes & Claims".

1. First add the attribute "email" and select "user.mail" as its value. Next, add the attribute "displayname" and select "user.displayname" as its value.

1. Proceed by clicking on "App Federation Metadata Url" and copy the URL. Compose a new email to support@hatching.io with a request to enable SAML authentication and include the copied URL to the metadata file.
   
   

   
   
   

Google

Google is different compared to other providers, as they do not provide an easy link to the metadata file outside the organization. This requires an email to Hatching support support@hatching.io with the metadata file as an attachment. Make sure to include that this is about Google SAML activation.

1. Login to Google Admin Console and select "Web and mobile apps".

   
   
   

2. Click on "Add app" and select "Add custom SAML app"

   
   
   

3. Download the metadata file, the file is needed at the last step.

   
   
   

4. Fill in the details as supplied by Hatching as mentioned in the prerequisites. Add the Single Sign on URL to "ACS URL" and Service Provider Entity ID to "Entity ID".
   
   Set "Name ID Format" to "EMAIL" and "Name ID" to "Basic Information > Primary mail". Click Continue.

   
   
   

5. In the "Attributes" menu, add an attribute of type "Primary email" with the value "Email". Click Finish.
   
   Compose a new email to support@hatching.io with a request to enable SAML authentication and attach the metadata file downloaded earlier.