
How do we set up Single Sign-On (SSO) via SAML?

HackerOne supports SSO through Security Assertion Markup Language 2.0 (SAML 2.0). We currently support Google, Okta, OneLogin, Bitium, Centrify, MS ADFS, Azure Active Directory and Ping Identity. If you have another SAML provider, contact us for more information.

Getting Started

To get started configuring Single Sign-On, visit team Settings > Authentication. In the SAML section you can click on the 'Add SAML settings' button to add your provider information. Please note your team must be launched (not in sandbox mode) to set up SAML.

Adding your SAML settings

You need to configure the following settings to begin testing your SAML configuration:

Email Domain - This is the email domain for users who will be required to use SAML authentication.

Single Sign On URL - The URL from your SAML provider to initiate a Single Sign On attempt, sometimes called the Login URL.

X.509 Certificate - The certificate from your SAML provider to verify the single sign on response.


Once your settings are entered, a test button becomes available. Clicking 'Run test' will launch a new window that will allow a test login. After your login attempt, the test will succeed or fail and provide warning messages about your test attempt. If the test is successful, you may request approval of your settings.

Request Verification

HackerOne will review and verify your SAML settings within 1 business day. You will receive a notification once this is complete.

Ready for Migration

When HackerOne approves your request, you are ready to migrate your users. Simply click the 'Migrate Users' button when you are ready and SAML will be fully enabled for your users.

Frequently Asked Questions

What is your metadata endpoint? (browser friendly link)

Do you support Just In Time (JIT) provisioning?

Yes, a new account will be created, but that account will not have access to any teams by default (a team admin will need to invite the user). If you would like users to auto join your team, contact us for more information.

What happens to my existing 2FA and password?

Your 2FA and password settings will be deleted and you will only be able to log in with SSO when you are migrated. The SSO provider is expected to handle 2FA.

Do you support SAML and password login?

No, once a user is SAML enabled, they will not be able to log in with their password.

Is SAML configurable on a per user basis?

No, all users belonging to a SAML enabled domain will be required to use SAML authentication.

Do you support custom session times?

Yes, HackerOne will respect the SessionNotOnOrAfter attribute if provided during authentication. This will allow you to customize the length of the session up to an upper bound of 2 weeks. Additionally, if you do provide this value, it will be the source of truth and 'remember me' will be ignored.
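
The session rule described above, sketched as an added example (this is not HackerOne's code): a service provider reads SessionNotOnOrAfter from the AuthnStatement and clamps it to the two-week bound. The function name, the default_lifetime fallback and the sample assertion are assumptions constructed for illustration, and the assertion's signature is assumed to have been verified against the configured X.509 certificate before this step.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SESSION = timedelta(weeks=2)  # upper bound stated on this page

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0"
                IssueInstant="2024-01-01T12:00:00Z">
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
                       SessionNotOnOrAfter="2024-01-01T20:00:00Z"/>
</saml:Assertion>
"""

def parse_saml_time(value):
    """Parse a UTC xs:dateTime, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")

def session_expiry(assertion_xml, now, default_lifetime):
    """Return (expiry, source) for a session created at `now`.

    source is "idp" when SessionNotOnOrAfter set the expiry, "idp-capped"
    when it was clamped to two weeks, and "default" when the attribute was
    absent (default_lifetime is a hypothetical fallback, e.g. remember-me).
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find(".//saml:AuthnStatement", SAML_NS)
    raw = stmt.get("SessionNotOnOrAfter") if stmt is not None else None
    if raw is None:
        return now + default_lifetime, "default"
    requested = parse_saml_time(raw)
    if requested <= now:
        # An IdP session that has already ended must not create a new one.
        raise ValueError("SessionNotOnOrAfter is already in the past")
    cap = now + MAX_SESSION
    if requested > cap:
        return cap, "idp-capped"
    return requested, "idp"
```

When testing your IdP configuration, compare the SessionNotOnOrAfter value it emits with the session length you intend, since a value beyond two weeks is shortened rather than honored.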

Do you support Single Logout?

No, we do not support single logout at this time.

What happens to users on my team that do not belong to our claimed domain?

Turning on SSO will only affect users of the claimed domain. Any users that are using e-mail addresses on other domains will not be affected.

What is your Entity ID?

Our entity id is ''

What is your ACS URL?


Additional details on Service Provider and Attribute mapping:
