SAML SSO

Go to Applications and select Add Application. Select SAML 2.0 and click on Create.

• Set the Single sign-on URL, Recipient URL, and Destination URL to https://<your-tracecat-instance>/auth/saml/acs.
• Set the Audience Restriction to https://<your-tracecat-instance>.

Map email to user.email

Set the following environment variables in your .env file:

• SAML_IDP_METADATA_URL: Okta metadata URL

Restart Tracecat to apply the changes.

Navigate to your Tracecat instance and click on the Login button. You should be redirected to Okta for authentication.

Go to Enterprise applications and select the New application button. Find and select the Microsoft Entra SAML toolkit app.

• Set the Reply URL and Sign on URL to https://<your-tracecat-instance>/auth/saml/acs.
• Set Identifier to https://<your-tracecat-instance>/api.
• Set Relay State to https://<your-tracecat-instance>.

Map email to user.mail

Go to Providers and select the Create button. Choose SAML Provider and select the Next button.

• Enter a name and choose an authorization flow
• Set the ACS URL to https://<your-tracecat-instance>/auth/saml/acs.
• Set the Audience to https://<your-tracecat-instance>/api.

• Expand the Advanced protocol settings section.
• Select a Signing Certificate and ensure Sign assertions is enabled.

• Select authentik default SAML Mapping: Name in Selected User Property Mappings.
• Click the < button to deselect it.
• Select the Finish button.

Go to Applications and select the Create button. Fill in the details as desired.

• Select the provider you created previously.
• Select the Metadata tab.
• Select the Copy download URL button.

Set the following environment variables in your .env file:

• SAML_IDP_METADATA_URL: Metadata download URL

Restart Tracecat to apply the changes.

Navigate to your Tracecat instance and click on the Login button. You should be redirected to Authentik for authentication.