Configuring user groups and permissions for SSO in Burp Suite Enterprise Edition
Once you have successfully set up either an LDAP or SAML connection for single sign-on (SSO), you need to perform a few additional steps to create your user groups and configure their permissions within Burp Suite Enterprise Edition.
When using SSO, you manage user permissions on the group level, with the groups in Burp Suite Enterprise Edition representing the groups of users in your Active Directory or with your SAML identity provider.
- Log in to Burp Suite Enterprise Edition as an administrator.
- Go to "Team" > "Roles" and click "New role".
- Create roles that reflect the different sets of permissions your users need within Burp Suite Enterprise Edition. Alternatively, you can use the provided roles if they are suitable.
- Go to "Team" > "Groups" and click "New group".
Create a new group representing each of the groups of users in your Active Directory or SAML identity provider. The name of each group in Burp Suite Enterprise Edition must match exactly with the corresponding group name that it will receive from Active Directory or your SAML IdP.
Note: If you manage your users directly in Azure Active Directory, you will need to use the
Group IDinstead. For more information, see Additional configuration for Azure Active Directory.
- Assign roles to your groups as required. If you do not assign any roles, users will be able to log in but will not have access to any functionality within the application.
- Apply site restrictions for each group as necessary. This will limit which sites members of each group are allowed to access.
- Users will now be able to log in to Burp Suite Enterprise Edition using their existing credentials. For SAML SSO, they will need to click the link on the login page to authenticate themselves via your identity provider.
Note: You can also adopt a hybrid system for managing users. In addition to managing users with SSO, you can create individual users in Burp Suite Enterprise Edition as normal. For example, you might want to create administrator users independently of SSO in case there are ever issues with the connection to your IdP or Active Directory.