Integrating Trusona and Thycotic Secret Server

This guide details the steps required to configure Trusona as a passwordless authentication solution for your Thycotic Secret Server.

Getting started

Step 1: Configuring SAML

  1. Log in to the Thycotic Admin Portal
  2. Click the “Admin” link in the lower left corner of the page
  3. Navigate to Configuration > SAML

General settings

  1. Under “SAML GENERAL SETTINGS,” click “Edit”
  2. Check the checkbox to enable SAML
  3. Click “Save”

Email Trusona

Send an email to support@trusona.com with the following information:

Subject: Thycotic Integration

  • Required:
    • Company name
    • Email domain(s) associated with your Thycotic users (e.g. yourcompany.com)

Sent by Trusona

Trusona will send you the following via email:

  • Self-signed Certificate (SSC)
  • Certificate passphrase

SAML Service Provider settings

  1. Enter a name for the certificate
  2. Click “Select Certificate”
  3. Click “Upload Certificate” and upload the certificate (SSC) received from Trusona.
  4. Enter the certificate (SSC) passphrase in the “Password” field, then click “OK”
  5. Click “Save”
  6. Click “Download Service Provider Metadata (XML)” and save the file. This file is shared with Trusona as the “Service Provider Certificate (SPC)”

Step 2: Email Trusona

Send an email to support@trusona.com with the following information:

Subject: Thycotic Integration SPC

  • Required:
    • Service Provider Certificate (SPC) generated in Step 1
  • Optional:
    • A vanity URL you would like users to see when using Trusona to log in to Thycotic (e.g. https://thycotic.yourcompany.com)

Sent by Trusona

Trusona will send you the following via email:

  • IdP XML Metadata

Step 3: Identity provider setup

  1. Click “Create new Identity Provider”
  2. Choose the “Import IdP from XML Metadata” option
  3. Upload the IdP XML Metadata file sent to you by Trusona in step 2
  4. Click “Advanced Settings” for the imported metadata
  5. Un-check all fields except:
    • “Sign Authn Request”
    • “Require Signed Assertion” (or “Signed SAML Response”)
  6. Click “OK”
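Before sending the Service Provider Metadata from Step 1 to Trusona, and again when the IdP XML Metadata arrives in Step 2, it is worth confirming what the XML actually declares rather than trusting the export blindly. The following Python script is an added example, not part of this guide or of Thycotic's or Trusona's tooling: it parses a SAML 2.0 metadata document (SP or IdP), reports whether a signing certificate is present, whether the SP flags for signed authentication requests and signed assertions are set to match the Step 3 settings, and whether every endpoint is HTTPS. The sample document, its entityID and its hostnames are constructed placeholders, and it is an assumption that Secret Server's export carries the AuthnRequestsSigned/WantAssertionsSigned attributes.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample (placeholder values, not real Secret Server output): SP metadata
# with both signing flags set but an HTTP, not HTTPS, AssertionConsumerService.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://thycotic.example.com/SecretServer">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://thycotic.example.com/SecretServer/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_metadata(xml_text):
    """Inspect one SAML 2.0 metadata document (SP or IdP) and return findings."""
    root = ET.fromstring(xml_text)  # prefer defusedxml for files you did not generate yourself
    findings = {"entity_id": root.get("entityID"), "problems": []}
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        findings["problems"].append("no SPSSODescriptor or IDPSSODescriptor found")
        return findings
    findings["role"] = role.tag.split("}")[1]
    # A signing certificate must be present or the peer cannot verify signatures;
    # per the metadata spec a KeyDescriptor with no 'use' attribute also covers signing.
    keys = [k for k in role.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    if not any(k.find(".//ds:X509Certificate", NS) is not None for k in keys):
        findings["problems"].append("no signing certificate (KeyDescriptor) present")
    # SP-only flags; they should match the Step 3 settings (signed requests and assertions).
    if findings["role"] == "SPSSODescriptor":
        for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
            findings[attr] = role.get(attr, "false").lower() == "true"
            if not findings[attr]:
                findings["problems"].append(f"{attr} is not true")
    # Requests and assertions transit these endpoints, so every one must be HTTPS.
    findings["endpoints"] = []
    for svc in ("AssertionConsumerService", "SingleSignOnService", "SingleLogoutService"):
        for ep in role.findall(f"md:{svc}", NS):
            loc = ep.get("Location", "")
            findings["endpoints"].append((svc, loc))
            if not loc.startswith("https://"):
                findings["problems"].append(f"{svc} endpoint is not HTTPS: {loc}")
    return findings
```

Run it against the downloaded file's contents with check_metadata(open(path).read()) and review the "problems" list before the metadata leaves your hands.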

Step 4: Enable Trusona as the Identity Provider

The following steps finalize the use of Trusona as a third-party SAML Identity Provider.

  1. Click the pencil icon next to the trash can icon
  2. Deselect “Enabled” for “SINGLE LOGOUT”
  3. Click OK

Step 5: Testing the integration

  1. Open a new private browsing window
  2. Navigate to your Thycotic instance
  3. Log in with Trusona

Vanity URL setup

Add a new CNAME DNS record for your domain.

  1. Set the “host” value to the hostname you’d like users to see when logging in (the vanity URL requested in Step 2)
  2. Set the “Answer” value to ssl.trusona.net
  3. Set the TTL to 300

Here’s an example of the CNAME answer returned by dig tada.trusona.com:

tada.trusona.com. 3600 IN CNAME ssl.trusona.net.