Using Single Sign-On with SAML

Administration Guide

The Veracode Platform supports single sign-on (SSO) using the SAML 2.0 standard. To enable SAML on the Veracode Platform for your organization, you must request it in an email to Veracode Technical Support at support@veracode.com. Once SAML is enabled for their organization, Veracode users with the Administrator role can configure their organization's account and user accounts for single sign-on. This guide also provides the information required to configure your organization's identity provider to work with Veracode.

Once you enable SAML single sign-on, you can take advantage of other capabilities like SAML-based user self-registration.

What is SAML?

SAML (Security Assertion Markup Language) is an open standard for performing single sign-on across security domains, for example, from an organization to a cloud service such as Veracode. SSO with SAML usually works as follows:

  1. A user clicks a link to Veracode on their corporate intranet site.
  2. The user's browser forwards a SAML assertion (digitally signed XML attesting to the user's identity) to Veracode.
  3. Veracode checks the validity of the assertion by verifying the digital signature and the expiration date, then compares the information in the assertion to the list of users in the customer's account.
  4. If the assertion is valid and the user matches a known Veracode user, the user is forwarded to the Veracode Platform.

Veracode has implemented the portions of the SAML standard that manage authentication. A user must still be provisioned in Veracode to be able to use the service. The best way to automate provisioning of large numbers of users is to use the Admin API.

For more information about SAML, see the following:

Configuring Your Organization's Identity Provider for SAML

While identity provider technologies vary, most require some information about the Veracode Platform to know how to properly construct and forward the SAML assertion. The following information may be required by your identity provider:

SAML Assertion Consumer Service (ACS) URL
https://analysiscenter.veracode.com/saml
EntityID
A unique identifier for the service provider. Veracode recommends using https://analysiscenter.veracode.com/saml.
SAML version supported
2.0
SAML binding supported
HTTP Post
SAML profile supported
IdP initiated SSO
Target resource
Veracode does not support target resources.

Configuring Your Organization's Account for SAML

Contact Veracode Support to enable your organization's account to use SAML for single sign-on. Once your organization's account is SAML-enabled, users with the Administrator role for your organization can see a new SAML tab on the Administration page.

In the SAML tab, there are four parameters to set, two of which are required:

Issuer (required)
The issuer is the unique identifier of the identity provider, passed in the Issuer element of the assertion. The Issuer value in the assertion must match the value configured in the Veracode Platform for the assertion to be valid for your organization.
IdP Server URL (optional)
The IdP Server URL is the URL of the identity provider server for your organization. If this URL is provided, the Veracode Platform attempts to redirect a SAML user to it upon session timeout.
Custom error page URL (optional)
Enter a URL here if there is a custom error page (hosted in your environment) to which you want your users to be redirected in the event of an authentication error.
Assertion Signing Certificate (required)
Browse to and upload the certificate with which assertions are signed.

Click Save to save changes to the SAML settings.

Configuring a User for SAML Access

For a SAML assertion to log a user in, there must be a user record in Veracode for that user. To create a user record for a SAML user:

Note: It is important to remember that when you set the login type in the Veracode Platform to SAML, you cannot revert to the password login type.

  • Create a new user using the Administration page in the Veracode Platform, or the Admin API createuser.do call.
  • Configure the user to use SAML to log in by choosing SAML from the Login Type field, or by setting the is_saml_user flag in the Admin API.
  • Set the SAML Subject field (custom_id in the Admin API) to the value that is passed in the SAML assertion to identify the user (this is usually the user's email address or corporate login ID).

To modify an existing user for SAML access, set the Login Type field to SAML and set the user's SAML Subject; both are required.
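The login flow described under "What is SAML?", the Issuer setting in the SAML tab, and the per-user SAML Subject come together at the point where the service provider decides whether to accept an assertion. The following is an added example, not Veracode's code: a Python check over a constructed, unsigned assertion that applies the issuer, validity-window, audience, recipient and provisioned-user checks. It assumes the XML signature has already been verified by an XML-DSig library, and the IdP issuer value https://idp.example.com/metadata and the user list are placeholders.

```python
# Added example (not Veracode code): the policy checks a SAML service provider
# applies after an XML-DSig library (assumed, e.g. xmlsec) has verified the signature.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://analysiscenter.veracode.com/saml"   # ACS URL from the guide
IDP_ISSUER = "https://idp.example.com/metadata"         # assumed value of the Issuer setting
# Constructed user list: SAML Subject (custom_id in the Admin API) -> login type
USERS = {"alice@example.com": "SAML", "bob@example.com": "PASSWORD"}

# Constructed, unsigned assertion used as sample input (signature check assumed done).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData
      Recipient="https://analysiscenter.veracode.com/saml"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://analysiscenter.veracode.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def saml_time(s):
    """Parse the UTC timestamps SAML uses in NotBefore / NotOnOrAfter."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml, now, issuer=IDP_ISSUER, acs=ACS_URL, users=USERS):
    """Return (accepted, detail). Any single failed check rejects the login."""
    a = ET.fromstring(xml)
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        return False, "Issuer does not match the configured identity provider"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        return False, "assertion expired or not yet valid"
    if acs not in [e.text for e in cond.iterfind(".//saml:Audience", NS)]:
        return False, "Audience is not this service provider"
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        return False, "Recipient is not the ACS URL"
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if users.get(subject) != "SAML":   # unknown user, or a password-login user
        return False, "no provisioned SAML user matches the subject"
    return True, subject
```

Each rejection maps to something an administrator can fix on the Veracode side: the Issuer setting, the user's Login Type, or the SAML Subject value.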