Security Assertion Markup Language (SAML) is an XML-based standard for single sign-on (SSO) authentication that creates a simplified way to access applications that you have rights to use. Bugcrowd offers a SAML-based SSO integration with Okta to help you create an easy and centralized way to log in to Crowdcontrol.
The first thing you need to do is log in to your Okta account and add Bugcrowd to your apps portal. This simply allows you to configure the Okta settings for logging in to Crowdcontrol.
To add the Bugcrowd app, first click the "Admin" button on the to right of the screen.
Okta Home Screen
Hover over the "Applications" tab and click on "Applications" form the drop down menu.
Okta Applications Drop Down Menu
Click on the "Add Application" button.
Okta Add Application Screen
Then click on the "Create New App" button.
Okta Create New App Button
You will now begin the set-up process. First, add "Bugcrowd Inc" as the app name during the general settings step. Then, click "next".
General Setting Step
You will be taken to step 2 which is to configure SAML. To get the information you need for this screen you will need to log-in to your Bugcrowd account.
Enable SAML Step
Specific Role Required to Configure SSO
To configure SSO for your program, you must be an Organization Owner.
From Crowdcontrol, go to your Organization Settings.
Go to your Organization Settings
When the Organization Settings appear, select Authentication.
Select the Authentication tab
Then click the Single Sign-on (SSO) option.
Single Sign-On Button
When the SAML Settings appear, you will want to copy the "SAML Consumer URL" and then navigate back to your Okta account.
Navigate back to Okta at the screen you left off on.
In the "Single Sign on URL" field paste the "SAML Consumer URL" you copied from your Bugcrowd account.
In the "Audience URL" field past the "SAML Consumer URL" you copied from your Bugcrowd account. IMPORTANT: after you paste the code in the field you will need to delete everything after the organization code. In the example below the full URL code is bugcrowdsandbox.com/organizations/mregwrnqpy/sso/acs however, for this field it would be bugcrowdsandbox.com/organizations/mregwrnqpy.
For the "Name ID Format" field change the dropdown to "EmailAddress".
For the "Application Username" field change the dropdown to "Email".
Okta Enable SAML Step
Under the "Attribute Statements" section add "Role" to the Name field and add "user.Role" to the Value field. Then, click "next" at the bottom of the screen.
Attributes Statements Fields
To finish configuration click on the "I'm an Okta customer adding an internal app" and check the "This is an internal app that we have created".
Then, click "finish".
Final configuration step
Next, you will need to map Okta information over to Crowdcontrol. Click the "View Setup Instructions" button.
You will be taken to the screen below with all the information you will need to map over to Control. Copy the information in each of the 3 fields.
Okta mapping information for Crowdcontrol
Navigate back to the Single Sign-On screen in Crowdcontrol and scroll down the "SAML Settings" section.
In the "IdP Entity ID" field paste the Okata "Identity Provider Issuer" information.
In both the "IdP SSO Target URL" paste the Okta "Identity Provider Single Sign-On URL" information.
In the "IdP Certificate" field paste the Okta "X.509 Certificate" information.
Crowdcontrol SAML Settings Section
Save the Authentication Settings when finished.
Lastly, all domains must be verified by Bugcrowd - users will not be able to login until the email address domains are verified.
Navigate back to the Crowdcontrol platform 'organization settings' page - select 'domains'.
Select the domain tab
Enter the domain and then select 'add domain'
A verification code will be provided - add a TXT record at the domain's root with this code. DNS verification may take up to 24 hours to succeed.
Copy and past verification code as a TXT record
Consult your DNS provider for instructions on adding a TXT record
Contact firstname.lastname@example.org for any additional help verifying domains