Skip to main content

Single-sign on (SSO)

You can set up SAML to enable users in your organization to access Veracode products and services with single sign-on (SSO).

note

This section describes new Just-In-Time (JIT) single sign-on (SSO) capabilities introduced in 2022. If your organization configured SSO and Just-In-Time provisioning before June 2022, you can migrate to the new capabilities.

The Veracode Platform supports SSO using the SAML 2.0 standard. To enable SAML on the Veracode Platform for your organization, you must request it in an email to Veracode Technical Support at support@veracode.com. After enabling SSO with SAML for your organization, users with the Administrator role can configure their organization account and user accounts for SSO. Veracode provides the required information for configuring the organization identity provider to work with Veracode.

After you enable SAML single sign-on, you can take advantage of other capabilities, such as JIT user provisioning.

note

To prevent being completely locked out of Veracode if your SAML environment becomes inaccessible, Veracode recommends that your organization creates at least one user with the Administrator role that logs in with a username and password.

What is SAML?

SAML (Security Assertion Markup Language) is an open standard for performing single sign-on across security domains, for example, from an organization to a cloud service such as Veracode. SSO with SAML usually works as follows:

  1. You click a link to Veracode on your corporate intranet site.
  2. Browser forwards a SAML assertion to Veracode. The assertion is a digitally-signed XML document that attests to your identity.
  3. Veracode checks the validity of the assertion by verifying the digital signature and the expiration date, then compares the information in the assertion to the list of users in the organization account.
  4. If the assertion is valid and you match a known Veracode user, you continue to the Veracode Platform.

Veracode has implemented the portions of the SAML standard that manage authentication. Veracode must still provision your account before you can use the service. The best way to automate provisioning for large numbers of users is to leverage the Admin API.

For more information about SAML, see these websites:

Configuring your organization identity provider for SAML

While identity provider technologies vary, most require some information about the Veracode Platform to know how to properly construct and forward the SAML assertion. This information should be configured in your identity provider (IdP):

Relaystate URL

https://web.analysiscenter.veracode.com/login/#/saml

Audience URL

Provided on the SAML tab of the Administration screen on the Veracode Platform

Target URL

Provided on the SAML tab of the Administration screen on the Veracode Platform

SAML version supported

2.0

SAML binding supported

HTTP Post

SAML profile supported

IdP-initiated SSO

Associating Veracode SAML attributes with Okta fields

When configuring Okta SSO, you must associate the Veracode SAML attributes with Okta fields. The following table lists attributes from the SAML Certificate section of your Veracode account and the associated Okta fields.

Veracode SAML fieldOkta field
SAML Assertion URLSingle Sign On URL
SAML Audience URLAudience Restriction
Relaystate URLDefault Relay State

Associating Veracode SAML attributes with Azure Active Directory fields

When configuring Azure Active Directory (AD) SSO, you must associate the Veracode SAML attributes with Azure AD fields. The following table lists attributes from the SAML Certificate section of your Veracode account and the associated Azure AD fields.

Veracode SAML fieldAzure AD field
SAML Assertion URLReply URL
SAML Audience URLIdentifier
Relaystate URLRelay State

Configuring your organization account for SAML

Contact Veracode Technical Support to enable your organization account to use SAML for single sign-on. After enabling SAML for your organization, users with the Administrator role for your organization see a SAML tab on the Administration page.

note

When you change your SAML settings, make sure you delete the existing certificate and upload a new one before saving your changes.

The SAML tab contains four parameters, two of which are required:

Issuer (required)

Unique identifier of the identity provider that is passed in the assertion in the Issuer element of the assertion. The issuer in the assertion must match the value in the Veracode Platform to be valid for your organization.

note

The issuer automatically populates when your organization is activated for SAML. You cannot edit it after it is set.

IdP Server URL (optional)

URL of the identity provider server for your organization. The Veracode Platform attempts to redirect a SAML user to this URL upon timeout, if the URL is provided.

Custom Error Page URL (optional)

Enter a URL here to redirect your users to a custom error page in the event of an authentication error.

Assertion Signing Certificate (required)

Browse to and upload the certificate with which assertions are signed. You see the expiration date for the certificate after you upload it. Users cannot sign in after the certificate expires.

note

When you change your SAML settings, make sure you delete the existing certificate and upload a new one before saving your changes.

Click Save.

Configure a user for SAML access

Using SAML authentication requires that a user account has a user record in the Veracode Platform.

If you set a SAML assertion for a user who has the Team Admin role, you must also set the teamsmanaged attribute.

note

When you set the login type in the Veracode Platform to SAML, you cannot change it back to the password login type.

To complete this task:

  1. Create a new user or update an existing user using the Administration page in the Veracode Platform, or the Identity API.
  2. Select SAML in the Login Type field, or set the saml_user property to true for the Identity API.
  3. Set the SAML Subject field (saml_subject in the Identity API) to the value that the SAML assertion passed in to identify the user. This value is usually the user email address or corporate login ID.
  4. When creating a new user, you can also set the user roles and allowed scan types.

For example, configure SAML add SSO for accessing Software Composition Analysis (SCA) in the Veracode Platform.

SSO for Microsoft Azure Active Directory

To integrate SSO access to Veracode for Azure AD user accounts, see this tutorial.