Single Sign-On Overview

SourceClear Software Composition Analysis

Enterprise users can integrate their single sign-on solution with SourceClear using SAML. Email support@sourceclear.com to enable single sign-on. In your email, include the user name and team of the account you want to provision along with the relevant SAML attributes.

Benefits of Single Sign-On

  • Revoke user access: When an employee leaves the company, administrators can revoke access to SourceClear in their identity provider (IdP), making the user unable to log in. The user’s account and associated data remain in SourceClear until the user is deleted by an owner of the SourceClear account.

  • On-demand user creation: Anyone at your company can obtain a SourceClear account simply by logging in. This feature is especially valuable when sharing scan results with a colleague who wants to investigate an issue immediately.

Configuring SAML

Setup instructions are available for:

SAML Attributes for use with any IdP

You can also configure single sign-on with other systems that support the SAML standard. Send the SAML metadata generated by your IdP to support@sourceclear.com as an attachment. If the IdP does not generate a SAML metadata file automatically, provide SourceClear with the Single Sign-On URL that your users should be directed to when they want to sign on, the IdP issuer, and the X.509 certificate that SourceClear can use to validate authentication requests from you. You need the following attributes to configure your IdP:

| Attribute | Value |
|---|---|
| Single Sign-On URL | https://api.sourceclear.com/saml/SSO |
| Audience URI (SP Entity ID) | https://api.sourceclear.com/sp |
| Name ID format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Application username | email address |
| Service Provider (SP) logo | Our icon |

SAML Optional Attributes

| Name | Format | Value | Required |
|---|---|---|---|
| firstName | Basic | User’s first name | no |
| lastName | Basic | User’s last name | no |

  • When you create users in SourceClear, they are added to the organization which you specify. They do not belong to any workspaces on initial creation.
  • Administrators of the organization can delete users and configure the organization. Veracode recommends that you have more than one user with administrative privileges.
  • Users can log in by going to your organization’s URL with /saml added to the end (for example, orgname.sourceclear.io/saml) or by finding our application in the list of available applications provided by your single sign-on solution.
  • Users are automatically logged out after 30 minutes of inactivity. However, if the user attempts a login, the authentication policies enforced by your IdP determine when the user needs to re-authenticate before returning to the SourceClear application.
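
Before sending your IdP details to support, you can check a test assertion from your IdP against the values in the attribute tables above. The following is an added example, not SourceClear code. It assumes the IdP places the Single Sign-On URL in the `Recipient` attribute and that "Basic" means the SAML 2.0 `attrname-format:basic` URI; the function name and the sample assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values from the attribute tables on this page.
SSO_URL = "https://api.sourceclear.com/saml/SSO"
AUDIENCE = "https://api.sourceclear.com/sp"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumption: "Basic" in the table means the SAML 2.0 basic attribute name format.
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_assertion(xml_text):
    """List mismatches between a test assertion and the expected values.
    Field check only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:
        problems.append("NameID Format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    # Assumption: the IdP puts the Single Sign-On URL in Recipient.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SSO_URL:
        problems.append("Recipient does not match the Single Sign-On URL")
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience does not match the SP Entity ID")
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") in ("firstName", "lastName") and attr.get("NameFormat") != BASIC:
            problems.append(f"{attr.get('Name')} NameFormat is not Basic")
    return problems

# Constructed sample assertion (not captured from a real IdP); firstName uses the wrong format.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dev@example.com</saml:NameID>
    <saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="https://api.sourceclear.com/saml/SSO"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://api.sourceclear.com/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```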