Skip to main content

Supported Identity Providers

Configuration

In your .env file, make sure you have the following values set. 
TRACECAT__AUTH_TYPES=saml
SAML_IDP_METADATA_URL=https://<your-idp-metadata-url>

Instructions

Tracecat requires BOTH assertions and responses to be signed.
If you are using a self-signed certificate for your metadata URL, you’ll need to add the CA certificates .pem file as a base64-encoded string via the SAML_CA_CERTS environment variable.

Okta

1

Create an SAML app

Go to Applications and select Add Application. Select SAML 2.0 and click on Create.
2

Configure SAML settings

  • Set the Single sign-on URL, Recipient URL, and Destination URL to https://<your-tracecat-instance>/auth/saml/acs.
  • Set the Audience Restriction to https://<your-tracecat-instance>. Okta SAML
3

Configure attribute statements

Map email to user.emailOkta attribute statements
4

Configure SAML settings in environment variables

Set the following environment variables in your .env file:
  • SAML_IDP_METADATA_URL: Okta metadata URL
5

Restart Tracecat instance

Restart Tracecat to apply the changes.
6

Test SSO configuration

Navigate to your Tracecat instance and click on the Login button. You should be redirected to Okta for authentication.

Microsoft Entra ID

Microsoft Entra ID only signs SAML assetions by default. You’ll need to explicitly enable the Sign SAML response and assertion option.
1

Create an SAML app

Go to Enterprise applications and select the New application button. Find and select the Microsoft Entra SAML toolkit app.
2

Configure SAML settings

  • Set the Reply URL and Sign on URL to https://<your-tracecat-instance>/auth/saml/acs.
  • Set Identifier to https://<your-tracecat-instance>/api.
  • Set Relay State to https://<your-tracecat-instance>.
  • Make sure that Sign SAML response and assertion is enabled. Microsoft Entra SAML
3

Configure attribute and claims

Map email to user.mail

Authentik

1

Create a provider

Go to Providers and select the Create button. Choose SAML Provider and select the Next button.
2

Configure the provider

  • Enter a name and choose an authorization flow
  • Set the ACS URL to https://<your-tracecat-instance>/auth/saml/acs.
  • Set the Audience to https://<your-tracecat-instance>/api. Authentik Provider
3

Configure assertion signing

  • Expand the Advanced protocol settings section.
  • Select a Signing Certificate and ensure Sign assertions is enabled. Authentik Provider
4

Configure property mapping

  • Select authentik default SAML Mapping: Name in Selected User Property Mappings.
  • Click the < button to deselect it.
  • Select the Finish button. Authentik Provider
5

Create an Application

Go to Applications and select the Create button. Fill in the details as desired.
6

Find metadata URL

  • Select the provider you created previously.
  • Select the Metadata tab.
  • Select the Copy download URL button.
7

Configure SAML settings in environment variables

Set the following environment variables in your .env file:
  • SAML_IDP_METADATA_URL: Metadata download URL
8

Restart Tracecat instance

Restart Tracecat to apply the changes.
9

Test SSO configuration

Navigate to your Tracecat instance and click on the Login button. You should be redirected to Authentik for authentication.

Keycloak

1

Create a client

  • Go to Clients and select the Create client button.
  • Set the Client type to SAML.
  • Set the Client ID to https://<your-tracecat-instance>/api and select the Next button. Keycloak Client General Settings
2

Configure a client

  • Set the Valid redirect URIs to https://<your-tracecat-instance>/auth/saml/acs.
  • Set the Master SAML Processing URL to https://<your-tracecat-instance>/auth/saml/acs and select the Save button. Keycloak Client Login Settings
3

Configure document signing

  • In Settings tab scroll down to Signature and Encryption section.
  • Ensure Sign documents is enabled. Keycloak Document Signing
4

Disable client signing

  • Open Keys tab and look into Signing keys config section.
  • Ensure Client signature required is disabled. Keycloak Client Signing
5

Configure property mapping

  • Open Client scopes tab and click on client scope https://<your-tracecat-instance>/api-dedicated.
  • Create new User Property mapper for email attribute and click Save. Keycloak Property Mapping
6

Find metadata URL

  • Go to Realm SettingsGeneralEndpoints.
  • Copy the SAML 2.0 Identity Provider Metadata link. Keycloak Property Mapping
7

Configure SAML settings in environment variables

Set the following environment variables in your .env file:
  • SAML_IDP_METADATA_URL: Metadata download URL
8

Restart Tracecat instance

Restart Tracecat to apply the changes.
9

Test SSO configuration

Navigate to your Tracecat instance and click on the Login button. You should be redirected to Keycloak for authentication.

Environment variables

If you know what you’re doing, you can configure the SAML configuration via environment variables in the Tracecat api service:

Protocol Configuration

  • SAML_ALLOW_UNSOLICITED: Whether to allow unsolicited SAML responses (default: true)
  • SAML_ACCEPTED_TIME_DIFF: Time difference in seconds for SAML authentication (default: 3)
  • SAML_AUTHN_REQUESTS_SIGNED: Whether to require signed SAML authentication requests (default: false)
  • SAML_SIGNED_ASSERTIONS: Whether to require signed SAML assertions (default: true)
  • SAML_SIGNED_RESPONSES: Whether to require signed SAML responses (default: true)

SSL Transport Configuration

  • SAML_VERIFY_SSL_ENTITY: Whether to verify SSL certificates for general SAML entity operations (default: true)
  • SAML_VERIFY_SSL_METADATA: Whether to verify SSL certificates when fetching metadata (default: true)
  • SAML_CA_CERTS: Base64 encoded CA certificates for SSL/TLS transport layer validation

SAML Protocol Configuration

  • SAML_METADATA_CERT: Base64 encoded certificate for SAML metadata document signature verification