Setting up Passly SSO with SentinelOne
Configure the Single Sign On application.
This guide is provided for reference only. For assistance with any SentinelOne settings, contact SentinelOne support directly via https://www.sentinelone.com/global-services/get-support-now/
Passly setup
- Log into Passly at https://(companyname).my.passly.com
- Select Directory Manager.
- Select Groups.
- Select the blue plus sign in the bottom right corner.
- Name the Group SentinelOne Users.
  Note: If you already have a Group for SSO users, you can use that one instead.
- Select Add Group.
- Select SSO Manager.
- Select the blue plus sign in the bottom right corner.
- Select Custom Application.
- Name the Application SentinelOne.
- Upload your desired Logo.
- Select "Application is Enabled".
- Choose your preferred Authentication Policy.
- Select Protocol Setup.
- Select Protocol SAML SP-Init.
- Enter the Assertion Consumer Service URL.
  Gather this from Step 7 in the SentinelOne setup.
- Enter the Audience URI.
  This is the same value as the Assertion Consumer Service URL.
- Enter the SP Entity ID into the "Service Entity ID" field.
  Gather this from Step 8 in the SentinelOne setup.
- Set the Token Lifetime (the default is 60 minutes).
- Select Advanced Settings.
- Select Advanced Setting Menu and enable the following: Sign Token Response and Include All Audience URIs.
- Select Sign assertions and choose SHA-256.
- Select Attribute Transformation.
- Select Specify custom attribute transform and add the two attributes below.
  Attribute Value: {User.EmailAddress}, Send As: Email
  Attribute Value: {User.DisplayName}, Send As: Full Name
- Select Add Application.
- Select Permissions and select the group you created in Step 4 (SentinelOne Users).
- Select Signing and Encryption.
- Select Copy; this displays the certificate value.
- Paste the copied value into Notepad and save the file as SentinelOne.txt.
  Note: You will import this file into SentinelOne.
- Select Save Changes.
- Select "Launchpad".
- You should see the new SentinelOne icon. Right-click it and select "Copy Link Address".
  Note: You will need this address in SentinelOne.
Users will be able to access the application from the SSO Launchpad.
SentinelOne Setup
- In an InPrivate browser tab, open SentinelOne as an administrator.
- In SentinelOne, click "Settings".
- Click "Integrations".
- Click "SSO".
- The SSO configuration screen needs several values from Passly, and Passly's own configuration needs some of the values shown on this screen. The SentinelOne configuration cannot be saved until it has been tested and verified, so expect to go back and forth a little.
- Use the following settings:
  - Domain Name: your email address domain (for jdoe@mycompany.com, enter mycompany.com).
  - IDP Redirect URL: taken from Passly in a later step.
  - Issuer ID: https://mycompany.my.passly.com/trust, where mycompany is your Passly subdomain.
  - Default Role: the role new users are assigned on first login if "Auto Provisioning" is checked.
  - Auto Provisioning: optional; configures new users automatically when they sign in using SSO. A SentinelOne administrator can change their role from the default after their first login, so start with the lowest role you think applicable.
  - IDP public certificate: also taken from Passly in a later step. It is not the file you're expecting.
  - Assertion Consumer Service URL: copy this; it is needed shortly.
  - SP Entity ID: copy this; it is needed shortly.
- We now need to be able to access the application ourselves. In the "IDP Redirect URL" field, paste the address copied from Passly's SSO link.
  This should look something like: https://mycompany.my.passly.com/trust/launch?ApplicationId=12345678-1234-1234-1234-12345678901
- For "IDP public certificate", upload the text file saved earlier with the certificate data.
- Click "Test".
If you've done everything correctly, the test will succeed and you can then save the configuration.
Note: It is also possible to assign users a role other than the default one, but you would need to create a field in Passly and configure it for users as part of provisioning them.
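The Passly settings configured above (signed token response and signed assertions with SHA-256, an Audience URI equal to the Assertion Consumer Service URL, the 60-minute Token Lifetime, and the Email and Full Name attributes) are exactly the fields the service provider inspects on every SSO login. The following Python is an added example, not Passly or SentinelOne code: it applies those policy checks to a constructed SAML response. The ACS URL, the attribute names "Email" and "Full Name", the timestamps and the signature values are assumptions; the Issuer ID is the one from the guide. Cryptographic verification of the XML signature against the certificate saved in SentinelOne.txt requires an XML-DSig library and is left to the SP, so the example only confirms that both signatures declare RSA-SHA256.

```python
"""Policy checks a SAML service provider applies to an IdP response.
Added example, not Passly or SentinelOne code; every value is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

PASSLY_ISSUER = "https://mycompany.my.passly.com/trust"   # Issuer ID from the guide
ACS_URL = "https://sentinelone.example/saml/acs"           # assumed placeholder ACS URL
TOKEN_LIFETIME = timedelta(minutes=60)                     # Passly default Token Lifetime
REQUIRED_ATTRIBUTES = ("Email", "Full Name")               # assumed "Send As" names

# Constructed sample response: signed response, signed assertion, one audience, two attributes.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://sentinelone.example/saml/acs">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Assertion>
    <saml:Issuer>https://mycompany.my.passly.com/trust</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sentinelone.example/saml/acs</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@mycompany.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Full Name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _time(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _signature_algorithm(element):
    node = element.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return node.get("Algorithm") if node is not None else None


def parse_response(xml_text):
    """Extract the fields the SP decides on; raises if no assertion is present."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    conditions = assertion.find("saml:Conditions", NS)
    window = {}
    for key in ("NotBefore", "NotOnOrAfter"):
        raw = conditions.get(key) if conditions is not None else None
        window[key] = _time(raw) if raw else None
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "audiences": [a.text.strip() for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": window["NotBefore"],
        "not_on_or_after": window["NotOnOrAfter"],
        "response_alg": _signature_algorithm(root),
        "assertion_alg": _signature_algorithm(assertion),
        "attributes": attributes,
    }


def check_response(info, now, expected_issuer=PASSLY_ISSUER, expected_audience=ACS_URL):
    """Return the list of policy violations; an empty list means the SP would accept it."""
    problems = []
    if info["issuer"] != expected_issuer:
        problems.append("issuer mismatch")
    if expected_audience not in info["audiences"]:
        problems.append("audience mismatch")
    if info["not_before"] is None or info["not_on_or_after"] is None:
        problems.append("missing validity window")
    else:
        if now < info["not_before"]:
            problems.append("assertion not yet valid")
        if now >= info["not_on_or_after"]:
            problems.append("assertion expired")
        if info["not_on_or_after"] - info["not_before"] > TOKEN_LIFETIME:
            problems.append("validity window exceeds the configured token lifetime")
    for where in ("response", "assertion"):
        alg = info[where + "_alg"]
        if alg != RSA_SHA256:
            problems.append(f"{where} signature algorithm {alg!r} is not RSA-SHA256")
    for name in REQUIRED_ATTRIBUTES:
        if not info["attributes"].get(name):
            problems.append(f"missing attribute {name!r}")
    return problems


def evaluate(xml_text, now_iso, expected_issuer=PASSLY_ISSUER, expected_audience=ACS_URL):
    return check_response(parse_response(xml_text), _time(now_iso), expected_issuer, expected_audience)


if __name__ == "__main__":
    for now in ("2024-05-01T12:30:00Z", "2024-05-01T13:05:00Z"):
        print(now, evaluate(SAMPLE_RESPONSE, now) or "accepted")
```

Run it as-is to see the sample accepted inside its hour-long window and rejected once the Token Lifetime has passed; pointing `expected_audience` at any URL other than the ACS URL reproduces the failure you would see if the Passly Audience URI were typed differently from the SentinelOne value.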