Skip to content

SSO Generic Security Permissions

Minimum Security

  • Require signed assertions.

  • Use TLS for all IdP endpoints.

  • Keep PEM files and private keys confidential and access-restricted.

Attribute and Group Guidance

  • Use the email attribute for user mapping.

  • For groups, provide a clear claim format (CSV or array).

  • Provide a group → role mapping file to map IdP groups to application roles.

Certificate Rotation

  • Provide the new certificate to the SailPoint Entro staging endpoint.

  • Test the new certificate in staging before promoting to production.

Diagnostics

  • Capture SAML request and response traces using a SAML tracer.

  • Provide IdP audit logs and assertion samples to SailPoint Entro Support to assist in troubleshooting.

Recovery

  • Maintain a backup local admin account to allow access if SSO/IdP becomes unavailable.