
Single-Sign-On Configuration (SSO)

Configure SSO to facilitate your authentication on the platform


Use your own Identity Provider for YesWeHack authentication

ℹ️ You must be a Business Unit Owner or a Business Unit Manager to enable SSO on YesWeHack.

You can enable and configure Single Sign-On (SSO) for your users in order to:

  • Delegate authentication on the YesWeHack platform to your Identity Provider

  • Apply your own security and authentication policies (e.g. Multi-factor Authentication (MFA), re-authentication, etc.)

  • Centralize user management in your Identity Provider and align it with your IAM processes (e.g. authorize or revoke access to the YesWeHack platform)

  • Simplify the onboarding of your users on the YesWeHack platform


How does SSO work?

Let’s say, for example, that [email protected] has recently joined your team to help manage the 50+ reports submitted over the weekend to your *.mycompany.com program (ouch!).

Here’s how to give them access using SSO:

  • Authorize “[email protected]” on the YesWeHack application within your Identity Provider (IdP);

  • Invite “[email protected]” to your YesWeHack program with the appropriate role (e.g., Program Manager) via the YesWeHack platform.

From then on, whenever “[email protected]” needs to access the YesWeHack platform, they enter their email address and are automatically redirected to your IdP’s login page.

If access is no longer required, remove their assignment from the YesWeHack app in your IdP. Optionally, you may also revoke their role within the YesWeHack platform afterward.


How can I set up SSO for my Business Unit?

On the YesWeHack platform:

  • Go to the “Admin Panel”

  • Click on “SSO” in the left-side menu

This leads you to the configuration page.

ℹ️ If your IdP requires it, you can also find our certificate on our metadata endpoint: https://api.yeswehack.com/sso/saml/metadata.xml

  • Indicate your “Domain”

ℹ️ Multi-domain support will be available in the near future.

  • Select an “Ownership verification method”: today you can choose between an HTTP file, an HTML meta tag, and a DNS record

  • Put the provided token in the corresponding location so that YesWeHack can automatically check ownership and activate SSO for your domain

The “Domain” will appear as “Pending” until we automatically detect ownership. It will then be switched to “Validated”. Once validated, you may remove the tag, file, or record from your domain.

ℹ️ Once SSO is activated and properly configured for your domain, any user attempting to sign in to the YesWeHack platform with a @mycompany.com email address must first be authorized and authenticated through your Identity Provider (IdP).
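The three ownership checks above, written out as an added example (this is not YesWeHack’s own verification code). The script runs offline on already-fetched content, so the token, the meta-tag name and the file path are placeholders chosen for the example; YesWeHack issues the real token on the configuration page. The HTML check deliberately ignores meta tags that appear after the body opens, since on a site where users can post HTML a body-level tag proves nothing about who controls the domain, and the HTTP-file check requires an exact match so that a single-page app answering every path with a 200 and its index page does not pass.

```python
from __future__ import annotations

from html.parser import HTMLParser

# Placeholders for this example. YesWeHack issues the real token on the
# configuration page; the meta-tag name and file path below are assumptions,
# not the platform's actual identifiers.
TOKEN = "ywh-verification-7f3a9c0e"
META_NAME = "yeswehack-site-verification"
FILE_PATH = "/.well-known/yeswehack-verification.txt"


def verify_http_file(body: str, token: str) -> bool:
    """HTTP file method: the file must contain the token and nothing else.
    An exact match also catches the classic false positive where a single-page
    app answers every unknown path with its index.html and a 200 status."""
    return body.strip() == token


class _HeadMetaCollector(HTMLParser):
    """Collects <meta name=...> tags that appear before <body> opens.
    Tags inside the body are ignored on purpose: on a site where users can
    post HTML, a body-level meta tag proves nothing about who runs the domain."""

    def __init__(self, meta_name: str) -> None:
        super().__init__()
        self.meta_name = meta_name.lower()
        self.values: list[str] = []
        self._in_head = True

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag == "body":
            self._in_head = False
        elif tag == "meta" and self._in_head:
            a = dict(attrs)
            if (a.get("name") or "").lower() == self.meta_name:
                self.values.append(a.get("content") or "")


def verify_html_meta(html: str, token: str, meta_name: str = META_NAME) -> bool:
    """HTML meta-tag method: the token must be the content of the expected
    <meta> tag in the head of the site's root page."""
    collector = _HeadMetaCollector(meta_name)
    collector.feed(html)
    return token in collector.values


def verify_dns_txt(txt_records: list[str], token: str) -> bool:
    """DNS record method: one TXT record on the domain must equal the token.
    Resolvers often return TXT data quoted, so quotes are stripped before
    comparing; unrelated TXT records (SPF, other verifiers) are ignored."""
    return any(r.strip().strip('"') == token for r in txt_records)


def verify_ownership(method: str, evidence, token: str = TOKEN) -> str:
    """Runs the selected check and returns the status the configuration page
    shows: "Pending" until the token is found, then "Validated"."""
    checks = {
        "http_file": verify_http_file,
        "html_meta": verify_html_meta,
        "dns_record": verify_dns_txt,
    }
    return "Validated" if checks[method](evidence, token) else "Pending"


# Constructed sample evidence, standing in for what a checker would fetch
# from mycompany.com over HTTP and DNS.
SAMPLE_FILE_BODY = TOKEN + "\n"
SAMPLE_HTML = f"""<!doctype html>
<html><head>
  <meta charset="utf-8">
  <meta name="{META_NAME}" content="{TOKEN}">
  <title>mycompany.com</title>
</head><body><p>Welcome</p></body></html>"""
SAMPLE_TXT_RECORDS = ['"v=spf1 include:_spf.mycompany.com -all"', f'"{TOKEN}"']

if __name__ == "__main__":
    for method, evidence in (("http_file", SAMPLE_FILE_BODY),
                             ("html_meta", SAMPLE_HTML),
                             ("dns_record", SAMPLE_TXT_RECORDS)):
        print(f"{method}: {verify_ownership(method, evidence)}")
```

Running the script prints "Validated" for all three constructed inputs. With a real domain you would feed it the body fetched from the token URL, the root page HTML, or the TXT answers for the domain; once the platform reports “Validated”, the file, tag or record can be removed, as the steps above say.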

On your Identity Provider (IdP) platform:

  • Create a new (SAML) application and configure it with the YesWeHack URLs

These URLs are always the same, no matter which IdP you are using.

Here’s an example of these settings on Okta:

Now you can go back to the YesWeHack platform:

  • Fill out the “Identity provider” section with the SSO URL and issuer ID from your newly created app.

  • Click on “Validate IDP Configuration”

  • Click on “Enable SSO” at the top-right corner of the page

A pop-up will ask you to confirm the activation of the SSO authentication method. It will also enable you to notify your users of this change.
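Before clicking “Validate IDP Configuration”, it is worth checking that the SSO URL and issuer ID you typed match what your IdP actually publishes in its metadata. The following added example (not YesWeHack’s code, and not Okta’s) parses IdP metadata with the standard library, pulls out the entityID (the issuer), the SingleSignOnService URL per binding and the signing certificate, and compares them with the form values. The Okta-style metadata embedded in it is constructed for the example: the org name, app id and certificate bytes are placeholders, not a real tenant or certificate.

```python
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extracts the three things the form needs from IdP metadata: the issuer
    (entityID), the SSO URL per binding, and the signing certificate(s).
    Metadata from an untrusted source should be parsed with defusedxml rather
    than the standard library to rule out entity-expansion tricks."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso_urls = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
    }
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute serves signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls, "signing_certs": certs}


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, colon-separated, the way IdP consoles show it."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_form_values(parsed: dict, sso_url: str, issuer_id: str) -> list[str]:
    """Compares what was typed into the "Identity provider" section with what
    the IdP publishes. Returns an empty list when everything is consistent."""
    problems = []
    if parsed["entity_id"] != issuer_id:
        problems.append(f"issuer mismatch: form has {issuer_id!r}, metadata has {parsed['entity_id']!r}")
    if sso_url not in parsed["sso_urls"].values():
        problems.append(f"SSO URL {sso_url!r} is not published by this IdP")
    if not sso_url.startswith("https://"):
        problems.append("SSO URL must use https")
    if not parsed["signing_certs"]:
        problems.append("metadata carries no signing certificate; assertions could not be verified")
    return problems


# Constructed sample IdP metadata in Okta's layout. Org name, app id and
# certificate bytes are placeholders, not a real Okta tenant or certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder DER bytes, not a real X.509 certificate").decode()
SAMPLE_ISSUER = "http://www.okta.com/exk0000000000000000"
SAMPLE_SSO_URL = "https://mycompany.okta.com/app/yeswehack/exk0000000000000000/sso/saml"
SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{SAMPLE_ISSUER}">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="{SAMPLE_SSO_URL}"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{SAMPLE_SSO_URL}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("issuer:", parsed["entity_id"])
    print("POST SSO URL:", parsed["sso_urls"][HTTP_POST])
    print("signing cert SHA-256:", cert_fingerprint(parsed["signing_certs"][0]))
    print("problems:", check_form_values(parsed, SAMPLE_SSO_URL, SAMPLE_ISSUER))
```

The same parser works on the YesWeHack service-provider metadata linked above if you swap the IDPSSODescriptor lookup for SPSSODescriptor; the certificate fingerprint is the value to compare when your IdP asks you to confirm the SP certificate.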


How does it affect already registered users?

⚠️ Make sure to authorize these users on your IdP before enabling SSO: once SSO is active, users of your domain who are not authorized on the IdP can no longer sign in.

  • Go to your IdP

  • Authorize existing users to log in to YesWeHack

  • Find the example of Okta assignments below

Note that:

  • Access to YesWeHack can be granted or revoked for a user directly through your IdP;

  • Authentication policies defined at IdP level prevail (e.g. MFA, re-authentication);

  • Users still need to be granted a role on the YesWeHack platform. Learn more about roles & responsibilities here;

  • It is possible to disable SSO anytime, in the configuration page.
