Integrating Trusona and Thycotic Secret Server

This guide details the steps required to configure Trusona as a passwordless authentication solution for your Thycotic Secret Server.

1. Getting started

1.1. Step 1: Configuring SAML

  1. Log in to the Thycotic Admin Portal
  2. Click the “Admin” link in the lower left corner of the page
  3. Navigate to Configuration > SAML

1.1.1. General settings

  1. Under “SAML GENERAL SETTINGS,” click “Edit”
  2. Check the checkbox to enable SAML
  3. Click “Save”

1.1.2. Email Trusona

Send an email to support@trusona.com with the following information:

Subject: Thycotic Integration

  • Required:
    • Company name
    • Email domain(s) associated with your Thycotic users. (e.g. yourcompany.com)

1.1.3. Sent by Trusona

Trusona will send you the following via email:

  • Self-signed Certificate (SSC)
  • Certificate passphrase

1.1.4. SAML Service Provider settings

  1. Enter a name for the certificate
  2. Click “Select Certificate”
  3. Click “Upload Certificate” and upload the certificate (SSC) received from Trusona.
  4. Enter the certificate’s (SSC) passphrase for “Password” then click “OK”
  5. Click “Save”
  6. Click “Download Service Provider Metadata (XML)” and save the file. This file is shared with Trusona as the “Service Provider Certificate (SPC)” in Step 2.

1.2. Step 2: Email Trusona

Send an email to support@trusona.com with the following information:

Subject: Thycotic Integration SPC

  • Required:
    • Service Provider Certificate (SPC) generated in Step 1
  • Optional
    • A vanity URL you would like users to see when using Trusona to log in to Thycotic (e.g. https://thycotic.yourcompany.com)

1.2.1. Sent by Trusona

Trusona will send you the following via email:

  • IdP XML Metadata

1.3. Step 3: Identity provider setup

  1. Click “Create new Identity Provider”
  2. Choose the “Import IdP from XML Metadata” option
  3. Upload the IdP XML Metadata file sent to you by Trusona in Step 2
  4. Click “Advanced Settings” for the imported metadata
  5. Uncheck all fields except:
    • “Sign Authn Request”
    • “Require Signed Assertion” (or “Signed SAML Response”)
  6. Click “OK”
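Before sending the Service Provider metadata from Step 1 to Trusona, it is worth confirming that it declares the two protections Step 3 keeps enabled (signed AuthnRequests and signed assertions) and that it carries a signing certificate. The following checker is an added example, not Trusona or Thycotic code; it assumes the exported file follows the standard SAML 2.0 metadata schema, and the embedded metadata is a constructed sample with placeholder values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of the SP metadata Secret Server exports in Step 1.
# Entity ID, endpoint and certificate body are placeholders, not real values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://secretserver.example.com/SAML">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://secretserver.example.com/SAML/AssertionConsumerService"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return (findings, problems) for a SAML 2.0 SP metadata document."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {}, ["no SPSSODescriptor element in metadata"]
    acs = [e.get("Location", "") for e in sp.findall("md:AssertionConsumerService", NS)]
    signing = sp.findall("md:KeyDescriptor[@use='signing']", NS)
    findings = {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "signing_certs": len(signing),
        # These two flags correspond to "Sign Authn Request" / "Require Signed Assertion"
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }
    problems = []
    if not findings["authn_requests_signed"]:
        problems.append("AuthnRequestsSigned is not true: IdP cannot verify request origin")
    if not findings["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true: unsigned assertions would be accepted")
    if findings["signing_certs"] == 0:
        problems.append("no signing certificate: was the Trusona certificate uploaded?")
    problems += [f"ACS endpoint is not HTTPS: {u}" for u in acs if not u.startswith("https://")]
    return findings, problems
```

Run it against the XML file you downloaded in Step 1; an empty problems list means the file is ready to send.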

1.4. Step 4: Enable Trusona as the Identity Provider

The following steps finalize the use of Trusona as a third party SAML Identity Provider.

  1. Click the pencil icon next to the trash can icon
  2. Deselect “Enabled” for “SINGLE LOGOUT”
  3. Click OK

1.5. Step 5: Testing the integration

  1. Open a new private browsing window
  2. Navigate to your Thycotic instance
  3. Log in with Trusona

1.6. Vanity URL setup

Add a new CNAME DNS record for your domain.

  1. Set the “host” value to the URL you’d like users to see when logging in
  2. Set the “Answer” value to ssl.trusona.net
  3. Set the TTL to 300

Here’s an example of the CNAME answer returned by running dig tada.trusona.com:

tada.trusona.com. 3600 IN CNAME ssl.trusona.net.
