Last updated: January 14, 2026

SSO Configuration

Set up Single Sign-On for your organization.


Overview

SSO enables:

  • Single authentication source
  • Centralized user management
  • Enhanced security
  • Compliance alignment

Supported Providers

SAML 2.0

  • Okta
  • Azure AD
  • Google Workspace
  • OneLogin
  • Ping Identity
  • Any SAML 2.0 compliant IdP

OpenID Connect

  • Okta
  • Azure AD
  • Auth0
  • Keycloak

General Setup Process

1. Gather Information

From BlockSecOps (provided by your CSM):

  • SP Entity ID
  • ACS URL (Assertion Consumer Service)
  • Metadata URL

From Your IdP:

  • IdP Entity ID
  • SSO URL
  • Certificate
  • Metadata URL (if available)

2. Configure IdP

Add BlockSecOps as an application in your IdP, using the SP Entity ID and ACS URL gathered in step 1.

3. Configure BlockSecOps

Provide IdP details to BlockSecOps.

4. Test

Verify SSO works with test users.

5. Enable

Roll out to organization.


Okta Configuration

Step 1: Create App in Okta

  1. Admin Console → Applications → Create
  2. Select SAML 2.0
  3. Name: "BlockSecOps"
  4. Click Next

Step 2: SAML Settings

Single Sign On URL: https://app.blocksecops.com/sso/saml/acs
Audience URI: https://app.blocksecops.com/sso/saml/metadata
Name ID format: EmailAddress
Application username: Email

Step 3: Attribute Statements

Name        Value
email       user.email
firstName   user.firstName
lastName    user.lastName

Step 4: Get Metadata

  1. Go to Sign On tab
  2. Copy Identity Provider metadata URL

Step 5: Send to BlockSecOps

Provide metadata URL to your CSM or:

  1. Go to Settings → SSO
  2. Enter IdP metadata URL
  3. Save

Azure AD Configuration

Step 1: Create App

  1. Azure Portal → Azure AD → Enterprise Applications
  2. New Application → Create your own application
  3. Name: "BlockSecOps"
  4. Select SAML

Step 2: Basic SAML Configuration

Identifier (Entity ID): https://app.blocksecops.com/sso/saml/metadata
Reply URL (ACS URL): https://app.blocksecops.com/sso/saml/acs
Sign on URL: https://app.blocksecops.com/login

Step 3: Attributes & Claims

Claim          Source Attribute
emailaddress   user.mail
givenname      user.givenname
surname        user.surname

Step 4: Download Certificate

  1. SAML Signing Certificate section
  2. Download Certificate (Base64)

Step 5: Copy URLs

From the "Set up BlockSecOps" section:

  • Login URL
  • Azure AD Identifier

Step 6: Send to BlockSecOps

Provide:

  • Login URL
  • Azure AD Identifier
  • Certificate file

Google Workspace

Step 1: Create SAML App

  1. Admin Console → Apps → Web and mobile apps
  2. Add App → Add custom SAML app
  3. Name: "BlockSecOps"

Step 2: Google IdP Information

Copy:

  • SSO URL
  • Entity ID
  • Certificate

Step 3: Service Provider Details

ACS URL: https://app.blocksecops.com/sso/saml/acs
Entity ID: https://app.blocksecops.com/sso/saml/metadata
Start URL: https://app.blocksecops.com/login
Name ID format: EMAIL
Name ID: Basic Information > Primary email

Step 4: Attribute Mapping

Google Directory   App Attribute
Primary email      email
First name         firstName
Last name          lastName

Step 5: Enable and Assign

  1. Turn ON for everyone (or specific OUs)
  2. Save

SCIM Provisioning

Overview

SCIM enables automatic:

  • User provisioning
  • User deprovisioning
  • Group sync

Configuration

SCIM Endpoint:

https://api.blocksecops.com/scim/v2

Authentication:

  • Bearer token (provided by BlockSecOps)

Supported Operations

Operation          Supported
Create users       Yes
Update users       Yes
Deactivate users   Yes
Create groups      Yes
Update groups      Yes
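Most teams let the IdP drive SCIM, but a small client is useful for smoke-testing the endpoint with the bearer token before turning on provisioning, and for scripted deprovisioning during an incident. The Python below is an added example, not a BlockSecOps SDK: the endpoint URL is the one given above, while the request and PATCH bodies follow the generic SCIM 2.0 schema (RFC 7643/7644) and are an assumption about what BlockSecOps accepts. The provisioning step looks the user up by userName first so a re-run or an IdP retry does not create a duplicate or trip a 409; deprovisioning sets active to false rather than deleting, matching the "Deactivate users" operation in the table. Network calls go through an injectable send function so the logic can be exercised offline.

```python
"""Minimal SCIM 2.0 client for the endpoint above (added example, not a BlockSecOps SDK)."""
import json
import urllib.parse
import urllib.request

SCIM_BASE = "https://api.blocksecops.com/scim/v2"   # from the page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_headers(token: str) -> dict:
    # Bearer token issued by BlockSecOps; SCIM mandates the application/scim+json type.
    return {
        "Authorization": "Bearer %s" % token,
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }


def user_payload(email: str, first: str, last: str, active: bool = True) -> dict:
    """Core User resource; attribute names mirror the SAML mapping tables above."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": email,
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": active,
    }


def active_patch(active: bool) -> dict:
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": active}]}


def lookup_url(email: str) -> str:
    # SCIM filter syntax; the whole filter is percent-encoded, including the quotes.
    flt = 'userName eq "%s"' % email.replace('"', '\\"')
    return "%s/Users?filter=%s" % (SCIM_BASE, urllib.parse.quote(flt, safe=""))


def http_send(method: str, url: str, token: str, body=None) -> dict:
    """Real transport: JSON in, parsed JSON out (raises on HTTP errors)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=scim_headers(token))
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def make_sender(token: str):
    """Bind the token so callers pass send(method, url, body)."""
    return lambda method, url, body=None: http_send(method, url, token, body)


def provision_user(email: str, first: str, last: str, send) -> str:
    """Idempotent create-or-reactivate; returns the SCIM resource id."""
    found = send("GET", lookup_url(email), None)
    if found.get("totalResults", 0) > 0:
        user = found["Resources"][0]
        if not user.get("active", True):
            send("PATCH", "%s/Users/%s" % (SCIM_BASE, user["id"]), active_patch(True))
        return user["id"]
    created = send("POST", SCIM_BASE + "/Users", user_payload(email, first, last))
    return created["id"]


def deprovision_user(user_id: str, send) -> dict:
    """Deactivate rather than DELETE so audit history and ownership survive."""
    return send("PATCH", "%s/Users/%s" % (SCIM_BASE, user_id), active_patch(False))


if __name__ == "__main__":
    import os
    send = make_sender(os.environ["BLOCKSECOPS_SCIM_TOKEN"])   # hypothetical env var
    uid = provision_user("alice@example.com", "Alice", "Smith", send)
    print("provisioned", uid)
```

Keep the bearer token out of shell history and CI logs; it grants user-lifecycle control over the tenant and belongs on the exception and rotation list under Security Best Practices.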

Testing SSO

Test Users

  1. Create test user in IdP
  2. Assign to BlockSecOps app
  3. Test login via IdP
  4. Verify account created correctly

Checklist

  • User can log in via IdP
  • User attributes populated correctly
  • User gets correct role
  • Logout works correctly
  • Session timeout works

Enforcing SSO

Require SSO for All Users

Once tested:

  1. Go to Settings → SSO
  2. Enable Require SSO
  3. Save

Effects:

  • Direct login disabled
  • All users must use SSO
  • Existing sessions terminated

Exceptions

Some accounts may need exceptions:

  • Service accounts
  • Break-glass admin
  • API-only access

Configure in SSO Exceptions list.


Troubleshooting

"SSO Authentication Failed"

  1. Check IdP user is assigned to app
  2. Verify user is in correct group
  3. Check IdP session is valid
  4. Review IdP logs

"User Not Found"

  1. Verify email attribute mapping
  2. Check user exists in IdP
  3. Verify SCIM sync (if using)

"Invalid SAML Response"

  1. Check certificate hasn't expired
  2. Verify entity IDs match
  3. Check clock sync (< 5 min drift)
  4. Review the SAML response itself (Issuer, Destination, Audience and Conditions timestamps)
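When step 4 is reached, the useful move is to pull the base64 SAMLResponse out of the browser's POST to the ACS URL and check the fields the SP validates. The script below is an added example, not BlockSecOps' validator: it decodes a response and reports the mismatches behind this error, checking the status code, that Destination equals the ACS URL and Audience equals the SP Entity ID from the configuration sections above, that Issuer equals the IdP Entity ID you configured, that the Conditions window holds with the page's 5-minute clock-skew allowance, and that a Signature element is present. The sample response and the idp.example.com issuer are constructed for the example; the Signature is a placeholder and is not verified here, which the real SP must do before trusting anything else in the document. Standard library only.

```python
"""Diagnose 'Invalid SAML Response' (added example, not BlockSecOps' validator)."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(minutes=5)          # the page's "< 5 min drift" allowance
SP_ENTITY_ID = "https://app.blocksecops.com/sso/saml/metadata"   # from the page
ACS_URL = "https://app.blocksecops.com/sso/saml/acs"             # from the page

# Constructed sample response from a hypothetical idp.example.com; the ds:Signature
# is a placeholder and is NOT cryptographically verified by this script.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2026-01-14T10:02:00Z"
    Destination="https://app.blocksecops.com/sso/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-14T10:02:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-01-14T10:00:00Z" NotOnOrAfter="2026-01-14T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.blocksecops.com/sso/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC, e.g. 2026-01-14T10:00:00Z."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def check_saml_response(b64_response: str, idp_entity_id: str, now: datetime = None) -> list:
    """Return a list of findings; empty means the visible fields are consistent."""
    now = now or datetime.now(timezone.utc)
    findings = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is %s, not samlp:Response" % root.tag]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    code = status.get("Value") if status is not None else "missing"
    if code != SUCCESS:
        findings.append("IdP returned status %s (look in the IdP logs first)" % code)
    if root.get("Destination") != ACS_URL:
        findings.append("Destination %r != ACS URL %s" % (root.get("Destination"), ACS_URL))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            findings.append("assertion is encrypted; decrypt with the SP key before inspecting")
        else:
            findings.append("response carries no Assertion")
        return findings

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        findings.append("Issuer %r != configured IdP entity ID %r" % (issuer, idp_entity_id))

    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        findings.append("Audience %s does not include SP entity ID %s" % (audiences, SP_ENTITY_ID))

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
            findings.append("NotBefore %s is still in the future (clock drift?)" % not_before)
        if not_on_or_after and now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
            findings.append("NotOnOrAfter %s has passed (stale response or clock drift)" % not_on_or_after)

    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither Response nor Assertion carries a Signature")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id:
        findings.append("NameID %r is not an email address; check the Name ID format" % name_id)
    return findings


if __name__ == "__main__":
    at = parse_saml_time("2026-01-14T10:02:00Z")
    print(check_saml_response(SAMPLE_RESPONSE_B64, "https://idp.example.com/saml/metadata", now=at))
```

Capture the SAMLResponse form field from the browser's network tab (or the SAML-tracer extension) rather than from application logs, which normally redact it; an empty findings list with the error still present points at signature or certificate problems, which this script deliberately does not judge.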

Getting Help

Contact your CSM with:

  • IdP type and version
  • Error message
  • SAML response (if available)
  • Steps to reproduce

Security Best Practices

IdP Security

  • Enable MFA in IdP
  • Regular access reviews
  • Monitor login anomalies
  • Rotate certificates annually

BlockSecOps Security

  • Enable SSO enforcement
  • Minimal exception list
  • Regular audit log review
  • API key management

Next Steps