SSO Setup
Purpose
Single Sign On (SSO) enables centralized identity and secure user access for SailPoint Entro tenants. This document covers SAML SSO setup, validation, and troubleshooting. Keep one master page and link to vendor deep-dives for complex IdPs.
Supported IdP Platforms
-
Auth0
-
Azure Entra ID
-
Classlink
-
CyberArk
-
Descope
-
Duo
-
Google Workspace
-
JumpCloud
-
Keycloak
-
LastPass
-
Microsoft ADFS
-
miniOrange
-
Okta
-
OneLogin
-
PingFederate / PingOne
-
Salesforce
Recommended Structure (Hybrid Approach)
-
Keep one master SSO page for overview, standard templates, validation, and troubleshooting.
-
Create separate per-IdP deep-dive pages only for IdPs that require step-by-step vendor-specific commands (e.g., Okta, Azure Entra, OneLogin).
-
Master page contains quick links to vendor pages and common troubleshooting.
Suggested filenames:
-
SSO_Setup.md(master) -
SSO_Okta.md(Okta deep-dive) -
SSO_Azure_Entra_ID.md(Azure Entra deep-dive) -
SSO_OneLogin.md(OneLogin deep-dive)
Quick Overview of Steps
-
Request SSO support from SailPoint Entro Support.
-
SailPoint Entro Support provides a unique setup link or SP metadata.
-
Configure your IdP using SailPoint Entro-provided metadata.
-
Share IdP metadata/certificate and all user domains with SailPoint Entro Support.
-
SailPoint Entro Support enables SSO for your tenant and confirms activation.
-
Test login and confirm user-domain mappings.
SSO is not active for the tenant until SailPoint Entro completes the step where they add IdP metadata/certificates and enable SSO.
SailPoint Entro Onboarding Form Fields (What Support Will Ask You)
-
Provider name (e.g., Okta)
-
IdP metadata URL or XML (or uploaded metadata file)
-
IdP x.509 certificate (PEM)
-
Entity ID (IdP)
-
Allowed user domains (e.g., corp.example.com)
-
Default relay/ACS URL (provided by SailPoint Entro Support)
-
Single Logout URL (optional)
-
Enforce SSO (yes/no)
SAML Configuration Template (IdP-side)
-
Entity ID (SP): provided by SailPoint Entro Support
-
ACS (Assertion Consumer Service) URL: provided by SailPoint Entro Support
-
Single Logout URL: optional
-
NameID format:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress -
Required attributes:
-
email(primary, used for account mapping) -
givenNameorfirstName -
familyNameorlastName -
groups(optional, for group-based access)
-
-
Certificate: x.509 PEM for signing assertions
Tell the IdP team to send either the full metadata XML or the metadata URL.
ASCII Architecture
User Browser
|
v
IdP (Authn) <-----> Entro SSO Endpoint (ACS / Metadata)
| |
v v
Entro Platform (User mapping, session issuance, RBAC)
Validation & Testing
-
SailPoint Entro Support enables SSO for your tenant.
-
From a private/incognito browser, open your tenant SSO URL and choose the IdP option.
-
Observe IdP login flow and redirection to SailPoint Entro.
-
Confirm SailPoint Entro side checks:
-
SSO logs show assertion received and mapped email.
-
Status: Verifiedin onboarding checklist.
-
-
Use SAML tracer tools to inspect assertion and timestamps.
Common Errors and Resolutions
-
Certificate mismatch / invalid signature: Ensure IdP x.509 cert matches metadata.
-
Time skew / invalid NotBefore or NotOnOrAfter: Sync clocks via NTP. Tolerance 120s.
-
NameID or attribute mismatch: Confirm attribute names. Map
emailattribute to primary email. -
Domain not allowed: Share all user domains with SailPoint Entro Support and add to allow-list.
-
SAML response encrypted but SailPoint Entro not configured for encryption: Disable encryption or provide SP decryption info.
-
Logout not working: Confirm Single Logout endpoints and certificates.
Advanced Diagnostics
-
Capture SAML request/response with SAML tracer.
-
Check IdP audit logs for delivered assertions.
-
Verify SailPoint Entro SSO logs show
assertion_id,email, andstatus=success. -
If using groups, validate attribute format and mapping.
Security & Compliance Notes
-
Assertions must be signed.
-
Transport via TLS only.
-
Enforce SSO per-tenant only after verification.
-
Maintain least-privilege access for delegated service accounts.
Troubleshooting Commands/snippets
Metadata URL example:
Verify metadata contains x.509 cert and ACS endpoints.
Time skew check (example):
Or check NTP service status on the IdP host.
Roles and Group Mapping
-
Example mapping:
-
IdP group
ent-ops→ SailPoint Entro roleAdmin -
IdP group
ent-dev→ SailPoint Entro roleDeveloper
-
Send CSV or JSON mapping to SailPoint Entro Support for bulk mapping.
Support Contact
support@entro.security— include tenant name, IdP metadata, x.509 cert, failing assertion trace, test time and user email.