1. Getting started
1.1. Step 1: Configuring SAML
- Log in to the Thycotic Admin Portal
- Click the “Admin” link in the lower left corner of the page
- Navigate to Configuration > SAML
1.1.1. General settings
- Under “SAML GENERAL SETTINGS,” click “Edit”
- Check the checkbox to enable SAML
- Click “Save”
1.1.2. Email Trusona
Send an email to support@trusona.com with the following information:
Subject: Thycotic Integration
- Required:
- Company name
- Email domain(s) associated with your Thycotic users (e.g. yourcompany.com)
1.1.3. Sent by Trusona
Trusona will send you the following via email:
- Self-signed Certificate (SSC)
- Certificate passphrase
1.1.4. SAML Service Provider settings
- Enter a name for the certificate
- Click “Select Certificate”
- Click “Upload Certificate” and upload the certificate (SSC) received from Trusona.
- Enter the certificate’s (SSC) passphrase for “Password” then click “OK”
- Click “Save”
- Click “Download Service Provider Metadata (XML)” and save the file. This file is shared with Trusona as the “Service Provider Certificate (SPC)”
1.2. Step 2: Email Trusona
Send an email to support@trusona.com with the following information:
Subject: Thycotic Integration SPC
- Required:
- Service Provider Certificate (SPC) generated in Step 1
- Optional
- A vanity URL you would like users to see when using Trusona to log in to Thycotic (e.g. https://thycotic.yourcompany.com)
1.2.1. Sent by Trusona
Trusona will send you the following via email:
- IdP XML Metadata
1.3. Step 3: Identity provider setup
- Click “Create new Identity Provider”
- Choose the “Import IdP from XML Metadata” option
- Upload the IdP XML Metadata file sent to you by Trusona in step 2
- Click “Advanced Settings” for the imported metadata
- Un-check all fields except:
- “Sign Authn Request”
- “Require Signed Assertion” (or “Signed SAML Response”)
- Click “Ok”
1.4. Step 4: Enable Trusona as the Identity Provider
The following steps finalize the use of Trusona as a third-party SAML Identity Provider.
- Click the pencil icon next to the trash can icon
- Deselect “Enabled” for “SINGLE LOGOUT”
- Click OK
1.5. Step 5: Testing the integration
- Open a new private browsing window
- Navigate to your Thycotic instance
- Log in with Trusona
1.6. Vanity URL setup
Add a new CNAME DNS record for your domain.
- Set the “host” value to the URL you’d like users to see when logging in
- Set the “Answer” value to ssl.trusona.net
- Set the TTL to 300
Here’s an example of a CNAME answer when retrieved by dig tada.trusona.com:
tada.trusona.com. 3600 IN CNAME ssl.trusona.net.
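A quick way to confirm the record before pointing users at the vanity host is to feed the answer section of dig (dig +noall +answer yourhost) to a small checker that insists on a CNAME to ssl.trusona.net. rather than, say, an A record someone created by hand. This is an added example, not Trusona's tooling; the sample dig output below is constructed, and the IP address in it is a documentation placeholder.

```python
"""Validate the vanity-host CNAME from `dig +noall +answer <host>` output (added example)."""
import re

TRUSONA_TARGET = "ssl.trusona.net."

# Constructed sample of a correct answer section (the A record is the target's own
# address and is only a documentation placeholder).
GOOD_ANSWER = """tada.trusona.com.\t3600\tIN\tCNAME\tssl.trusona.net.
ssl.trusona.net.\t60\tIN\tA\t192.0.2.10
"""

# Constructed sample of a common mistake: an A record instead of a CNAME.
A_RECORD_ANSWER = "tada.trusona.com.\t300\tIN\tA\t192.0.2.10\n"

# Constructed sample of a CNAME pointing at the wrong target.
WRONG_TARGET_ANSWER = "tada.trusona.com.\t300\tIN\tCNAME\tsso.example.test.\n"

# name  ttl  IN  type  rdata  (dig's default answer-section layout)
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_answer_section(text):
    """Turn dig answer lines into dicts; comment lines (';') and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if m:
            records.append({"name": m.group(1), "ttl": int(m.group(2)),
                            "type": m.group(3), "rdata": m.group(4)})
    return records


def check_vanity_cname(text, host, expected_target=TRUSONA_TARGET):
    """Report whether `host` resolves via a single CNAME to the expected target."""
    host = host.rstrip(".").lower() + "."
    own = [r for r in parse_answer_section(text) if r["name"].lower() == host]
    cnames = [r for r in own if r["type"] == "CNAME"]
    result = {"host": host, "cname_target": None, "ttl": None, "problems": []}
    if not own:
        result["problems"].append("no records returned for " + host)
    elif not cnames:
        types = sorted({r["type"] for r in own})
        result["problems"].append("expected a CNAME, found " + ", ".join(types))
    else:
        if len(cnames) > 1:
            result["problems"].append("more than one CNAME for the host")
        target = cnames[0]["rdata"].lower()
        result["cname_target"] = target
        result["ttl"] = cnames[0]["ttl"]
        if target != expected_target.lower():
            result["problems"].append("CNAME points at " + target + ", not " + expected_target)
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    for label, text in (("good", GOOD_ANSWER), ("A record", A_RECORD_ANSWER),
                        ("wrong target", WRONG_TARGET_ANSWER)):
        r = check_vanity_cname(text, "tada.trusona.com")
        print(label + ":", "OK (ttl %s)" % r["ttl"] if r["ok"] else "; ".join(r["problems"]))
```

In practice pipe the real output in, for example `dig +noall +answer tada.trusona.com | python3 check_cname.py`, after replacing the embedded sample with `sys.stdin.read()`; the TTL is reported so you can compare it with the value you set on the record.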