SSO Generic Security Permissions
Minimum Security
-
Require signed assertions.
-
Use TLS for all IdP endpoints.
-
Keep PEM files and private keys confidential and access-restricted.
Attribute and Group Guidance
-
Use the email attribute for user mapping.
-
For groups, provide a clear claim format (CSV or array).
-
Provide a group → role mapping file to map IdP groups to application roles.
Certificate Rotation
-
Provide the new certificate to the SailPoint Entro staging endpoint.
-
Test the new certificate in staging before promoting to production.
Diagnostics
-
Capture SAML request and response traces using a SAML tracer.
-
Provide IdP audit logs and assertion samples to SailPoint Entro Support to assist in troubleshooting.
Recovery
- Maintain a backup local admin account to allow access if SSO/IdP becomes unavailable.