The 6sense platform supports basic username and password authentication. It also supports SAML SSO (Security Assertion Markup Language single sign-on) authentication.
This article describes how to set up SAML SSO on the 6sense platform.
No Reversion to Basic Authentication
Activating the SAML integration on the 6sense platform forces all users for your organization to use SAML SSO. Users cannot use password-based logins after SAML SSO is enabled.
After you enable SAML SSO authentication, reverting to basic authentication is not supported. However, you can reconfigure the 6sense platform if you want to move to a different supported SSO provider. See Change SAML SSO to a New IdP on this page. If you run into any issues, please contact your Customer Success Manager for assistance.
Overview
Once your organization enables SAML SSO authentication for 6sense, you can create, enable, and disable users for the 6sense platform in your identity provider (IdP). You can enable secure single sign-on to make it easier to manage multiple logins and improve security. For details about user management and SAML SSO, see User Management (RBAC) – SAML SSO Authentication.
Pre-integrated IdP providers include:
Delinea (formerly Centrify)
If your IdP is not pre-integrated, the 6sense platform supports manually configured integrations with other IdPs such as Azure and Fortinet. See Prepare for Custom SAML Integration below.
Requirements
You must be a Primary Administrator or Administrator.
You need the appropriate permissions on your IdP platform.
You need to know your 6sense platform subdomain name, https://subdomain.ABM.6sense.com/.
If you want to use System for Cross-Domain Identity Management (SCIM), you need a SCIM token from 6sense. To request a SCIM token, submit a support ticket.
Important Considerations
Review the following information before you start the integration.
Security and JIT Provisioning
Because the integration uses just-in-time (JIT) provisioning, access to the SAML application should only be granted to the appropriate personnel.
By default, 6sense does not sync all users that have access to the platform. The integration uses JIT provisioning upon user login. 6sense creates a user when they initially log in to the 6sense platform.
Custom Integration Considerations
If your IdP is not pre-integrated, see Considerations for a Custom Integration below.
SCIM (Optional)
Optionally, you can enable SCIM to help automate user provisioning and deprovisioning. To allow dynamic changes (such as a user’s first name, last name, and other attributes) between 6sense user management and your identity provider’s (IdP) user management, enable SCIM in your IdP 6sense SAML SSO setup.
After SCIM is enabled, disabling a user in your organization’s IdP disables that user in 6sense User Management.
Important considerations:
If your organization is transitioning from Basic to SSO authentication, ensure that all users who currently have access to the 6sense platform are added to your Identity Provider (IdP).
SCIM does not work in a 6sense SAML SSO setup in combination with Okta or OneLogin.
6sense does not currently support Groups; only user-based SCIM.
To request a SCIM token, submit a support ticket.
For more information about user roles and SAML SSO, see User Management – SAML SSO Authentication.
Set Up SAML SSO
Follow these steps to set up SAML SSO in 6sense, according to your IdP:
If you use one of the pre-integrated IdPs, go ahead with the steps below.
If you have a custom integration, use the information in the Custom SAML Integration section below to prepare, then follow the steps below.
Add the 6sense application to your IdP’s instance.
During the setup process, you input your 6sense platform subdomain. For example, if your organization’s login URL is https://mycompany.abm.6sense.com/, the subdomain is mycompany. If you accidentally use the full URL as the subdomain, you see the following error when you attempt to validate the metadata URL: The requested resource was not found on this server.
Copy the metadata URL, or all the contents of the raw metadata, from the application settings within your IdP’s instance.
In 6sense, go to Settings > Security Settings > Authentication to open the Authentication page.
Select the SAML SSO Configuration tab.
Enter the details that you copied from your IdP. You can either input the URL or upload text.
Input URL: To input the URL, paste the metadata URL.
Important: 6sense strongly recommends that you use the Input URL method in case the x509 certificate expires or is rolled over.
Upload Text: To upload the metadata as text, input the raw metadata information as a text string.
Click Validate to validate the information.
The validation must succeed before you can save the information and enable SSO.
Click Save to save the SAML settings and enable SSO for your organization.
A message confirms that SAML SSO is enabled.
After you enable SAML SSO, you see a green Enabled tag in the Authentication > Settings submenu and in the Authentication > SAML SSO Configuration tab.
Prepare For a Custom SAML Integration
For a SAML integration that is not pre-integrated (see Overview above), you need the relevant settings information as listed in this section. Review this information prior to following the Set Up SAML SSO steps above.
When setting the values below, replace mycompany with your 6sense organization name. For example, if your 6sense platform organization URL is https://mycompany.abm.6sense.com/, then use mycompany in the custom settings.
Considerations for a Custom Integration
The Assertion Consumer Service (ACS)/SSO URL only supports POST requests.
6sense requires that the SAML assertion be signed. The SAML assertion is the user data that is issued by the customer’s IdP. The SAML assertion sent by the IdP should have a digital signature that can be verified, to ensure that the data is sent by a trusted IdP.
Make sure that the entityID in the metadata matches the SAML Response issuer.
If using Google SSO, be sure to uncheck the option Signed Response, as this can cause a Failed! Signature Error.
IdP Settings Information
When entering IdP settings, use an exact match to the formatting shown below, including ending slashes. Deviating from exact character formatting causes validation or authentication failures.
IdP Setting Name | Value |
---|---|
ACS/SSO/Reply URL |
|
Default Relay State |
|
SP Entity ID/Identifier |
|
User Attributes Information
Name | Name Format |
---|---|
NameID | email address, for example, [email protected] |
FirstName | Unspecified |
LastName | Unspecified |
Unspecified |
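A pre-flight check for the custom-integration requirements above (entityID matching the Response issuer, a signed assertion, and the NameID, FirstName and LastName attributes), run against a decoded sample response from your IdP before you click Validate. This is an added example, not 6sense code; the function names, the idp.example.com values and the sample XML are constructed for illustration, and the signature check confirms presence only, not cryptographic validity.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def preflight(metadata_xml, response_xml):
    """Return a list of problems; an empty list means every check passed."""
    entity_id = ET.fromstring(metadata_xml).get("entityID")
    resp = ET.fromstring(response_xml)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response carries no plaintext Assertion"]
    problems = []
    # The metadata entityID must equal the Issuer, compared character for character.
    for label, node in (("Response", resp), ("Assertion", assertion)):
        issuer = node.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != entity_id:
            problems.append(f"{label} Issuer {issuer!r} != entityID {entity_id!r}")
    # Presence check only: the signature is not cryptographically verified here.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if "@" not in name_id:
        problems.append("NameID is not an email address")
    sent = {a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)}
    problems += [f"missing attribute {n}" for n in ("FirstName", "LastName") if n not in sent]
    return problems

# Constructed sample data (idp.example.com is a placeholder, not a real IdP).
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'entityID="https://idp.example.com/saml"/>')

def sample_response(issuer, signed=True):
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Issuer>{issuer}</saml:Issuer><saml:Assertion>'
        f'<saml:Issuer>{issuer}</saml:Issuer>{sig}'
        '<saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>'
        '<saml:AttributeStatement><saml:Attribute Name="FirstName"/>'
        '<saml:Attribute Name="LastName"/></saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )

if __name__ == "__main__":
    # A trailing slash on the issuer is enough to fail the entityID match.
    print(preflight(SAMPLE_METADATA, sample_response("https://idp.example.com/saml/")))
```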
Change SAML SSO to a New IdP
You can reconfigure SAML SSO if your organization moves to a different SSO provider. To reconfigure, repeat the steps in the Set Up SAML SSO section. For a custom integration, provide the settings information to the new IdP.
FAQ
Q: I received a notification that the SSO settings are approaching expiration. What do I do?
A: Go to Settings > Security Settings > Authentication and update the input URL or upload text with the latest settings to ensure that your users continue to have access to the 6sense platform.
Q: I have set up SSO. How do I add an agency user outside of my organization?
A: The agency user would need an account in your organization’s identity provider when SSO is in use. The username can be their agency email as long as their identity provider authorizes that agency user’s access to the platform.
Q: I have set up my Google Workspace SSO using the steps above, and I am receiving a status 500 error. How do I fix that?
A: In IdP settings, uncheck the signed response box shown below and save. This should clear the error. If you still get an error, please submit a support ticket using our support page.
Q: I’m using the IdP JumpCloud and cannot validate the XML. Why?
A: Make sure the option redirect endpoints is enabled.
Q: I’m using Microsoft Entra single sign-on (Azure), and when validating IdP metadata in 6sense, I get the error “Failed to verify signature”. How do I fix that?
A: Make sure the signed response setting for SAML Signing Certificate > Signing Option is set to Sign SAML response and assertion.