
Single Sign-on (SSO)

© 2025 Sonrai Security. All rights reserved.

Overview

Sonrai's authentication service supports SSO via the Auth0.com platform. Organizations that wish to enable SSO so that their Sonrai users authenticate against their internal authentication service can contact the Sonrai Support team for enablement.

Sonrai supports:

  • SAML
  • OpenID Connect
  • Active Directory/LDAP generic protocols

In addition, Sonrai supports specific authentication options with:

  • Google Workspace
  • Microsoft Azure AD
  • ADFS
  • Ping Federate

Reference: See Auth0's SSO documentation for more detailed information on supported authentication services.


SSO Requirements

Supported Authentication Platforms

SAML

By way of Auth0, Sonrai's authentication service supports a number of external SSO environments including generic SAML authentication for:

  • Okta
  • PingFed
  • Azure AD / ADFS
  • Google Workspace (G Suite)

Service Provider (SP) Initiated Logins Only

Sonrai currently supports only SP-initiated (service provider) authentication: users must navigate to https://app.sonraisecurity.com/ to initiate a login and are then redirected to their SSO platform for authentication.

Info: Granular control of identities via SSO is limited to integrations through AWS Identity Center. IdP-initiated sessions, such as launching an application icon from Azure Apps or Okta, are not currently supported.

Authentication Only

Users who can authenticate to your SSO service must still be created as users (with assigned permissions) in Sonrai before they can log in to Sonrai.

Valid Email Addresses in Authentication Service

A valid email address is required in the login session details via a field named “email”. (This is generally a standard field, but SSO configurations should ensure that it is included.)

Info: Users who are added/invited to Sonrai are invited by their corporate email address, and this field must align with the address used in the invitation.


Enabling SSO

When enabling SSO for authentication, the following settings are provided by Sonrai to your SSO team to enable the service:

  • SSO Connection Name: The convention for the connection name is your Sonrai tenant name + Sonrai + SSO. Example: ACMESonraiSSO
  • Entity ID: urn:auth0:sonraisecurity:MyCorpSonraiSSO
  • Assertion Consumer Service Callback URL: https://login.sonraisecurity.com/login/callback?connection=ACMESonraiSSO
  • SSO Signing Certificate: Outgoing authentication requests are signed by this certificate.


In return, the following is required by Sonrai from your SSO team:

  • Sign In URL: The login address of your SSO service
  • Signout URL: (Optional)
  • X.509 Certificate: From the SSO platform (often included in the metadata XML file export)
  • IdP Domains: The email address domains that should redirect to your SSO platform, such as sonraisecurity.com or yourcompany.tld
  • Field/Assertion: The field “email” must be included, and it must match the email address that was used to invite the user to Sonrai

Info: When navigating to https://app.sonraisecurity.com to log in via SSO for the first time, a number of users have reported that after authenticating in SSO they are returned to the main login form. (This occasionally happens when your SSO and internal auth user are combined.)

Generally speaking, waiting a minute and attempting to log in again fixes the issue.


Common SSO Configuration Questions

Q: Does the application support Service Provider (SP) initiated SSO, Identity Provider (IdP) initiated SSO, or both? A: Only SP initiated logins are supported.

Q: Does the application support automatic SAML metadata updates? A: No, SAML metadata updates are not supported.


Q: What is the application session time? A: Assuming this refers to the idle session timeout, it is set to 15 minutes for both locally and SSO authenticated users.

Q: Federation parameter: What is the Sign-on URL? A: Sign-on URL is https://app.sonraisecurity.com/


Q: Can non-email enabled addresses be used? A: No. Only valid addresses which can receive email are supported.

Q: What signing certificate is used for outgoing requests? A: Outgoing authentication requests are signed by the SSO Signing Certificate that Sonrai provides to your SSO team as part of the settings listed under Enabling SSO.


Q: What algorithms are used in your outgoing SSO requests? A:

  • Sign Request Algorithm is RSA-SHA256
  • Sign Request Algorithm Digest is SHA256

Q: Is the Assertion Consumer Service (ACS) URL included in the sign-on request? A: No, the ACS URL is not included in the sign-on request. The EntityID is included, which is associated with the appropriate ACS URL in the IdP configuration.


Q: What is the URL for your SP login authentication platform? A: The base URL is https://login.sonraisecurity.com/login/callback
Tenant-specific ACS URLs carry the SSO connection name (the final component of the Entity ID) in the connection query parameter, like https://login.sonraisecurity.com/login/callback?connection=MyCorpSonraiSSO

Q: If we use SSO, is the Sonrai MFA still in effect? A: When SSO is enabled, the Sonrai-internal MFA is disabled and all authentication is managed by the SSO service, including password strength requirements and MFA. Your users will only be prompted for MFA through your SSO service.

Q: Does Sonrai provide SSO-only enforcement, i.e. can SSO not be bypassed with local authentication? A: SSO for Sonrai is mapped by email domain, like “example.com”. When SSO is configured, all users from that domain are forced to use SSO, and local authentication is no longer available. In the event of an SSO platform failure or outage, those users will not be able to log in to Sonrai until the SSO configuration is disabled upon request from the customer.


Q: We are using Okta for our SSO IdP, but after adding the “email” attribute, we’re still not able to log in? A: Okta supports using either Profile Editor or SAML Integration / Attribute Statements for the addition of attributes. You must use the SAML Integration / Attribute Statements option for adding the email address field to your SAML configuration. Using “Profile Editor” does not properly encode the additional field.
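The requirements above (Valid Email Addresses, the Field/Assertion row under Enabling SSO, the IdP-domain mapping, and the missing-attribute symptom in this Okta question), as an added Python example that is not Sonrai's or Auth0's own code. The Entity ID, IdP domain and sample assertions are constructed for illustration; a real verifier would also validate the XML signature and timestamps, which are omitted here.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # SAML 2.0 assertion namespace

# Constructed example values; a real tenant uses its own Entity ID and IdP domains.
ENTITY_ID = "urn:auth0:sonraisecurity:MyCorpSonraiSSO"
IDP_DOMAINS = {"example.com"}


def must_use_sso(login_email: str) -> bool:
    """Domain routing: an address in an IdP domain is sent to SSO and cannot use local auth."""
    return login_email.rsplit("@", 1)[-1].lower() in IDP_DOMAINS


def check_assertion(assertion_xml: str, invited_email: str) -> List[str]:
    """Return the problems found; an empty list means the login would proceed."""
    root = ET.fromstring(assertion_xml)
    problems = []
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != ENTITY_ID:
        problems.append(f"audience {audience!r} does not match the Entity ID")
    # The page requires an attribute literally named "email" in the assertion.
    email: Optional[str] = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "email":
            email = (attr.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    if not email:
        problems.append("assertion has no 'email' attribute")
        return problems
    # Case-insensitive comparison is an assumption; the page only says the values must match.
    if email.lower() != invited_email.lower():
        problems.append(f"email {email!r} does not match invited address {invited_email!r}")
    if not must_use_sso(email):
        problems.append(f"domain of {email!r} is not mapped to this SSO connection")
    return problems


# Constructed sample assertion (signature and timestamps omitted for brevity).
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:sonraisecurity:MyCorpSonraiSSO</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
# The same assertion with the attribute under a different name, i.e. no "email" field.
NO_EMAIL = GOOD.replace('Name="email"', 'Name="uid"')
```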

Q: Will SAML requests be sent with a REDIRECT or POST binding? A: Both HTTP-Redirect and HTTP-POST request bindings are available, but the default is HTTP-POST.