Configuring SAML single sign-on for Burp Suite Enterprise Edition
Last updated: May 17, 2022
Read time: 5 Minutes
Burp Suite Enterprise Edition allows you to manage user authentication centrally via SAML-based single sign-on (SSO). Once configured, users will be able to log in using their existing credentials, removing the need to create and manage dedicated user accounts in Burp Suite Enterprise Edition.
To configure SAML SSO, you need to establish a trusted connection between the service provider (Burp Suite Enterprise Edition) and your SAML identity provider. Integration with the following providers has been fully tested:
- Active Directory Federation Services (ADFS)
- Azure Active Directory
Configuring this connection requires you to perform steps both within the Burp Suite Enterprise Edition web UI and in the administration settings for your identity provider. For exact details of how to perform some of these steps, you may need to consult your identity provider's documentation.
You can also integrate SCIM in combination with SAML. This means you're able to create, update, and delete users and groups via SCIM, leaving SAML exclusively for handling authentication. This also provides greater transparency because it enables you to view key details about your users and groups from directly within Burp Suite Enterprise Edition.
Add Burp Suite Enterprise Edition to your trusted applications
The first step is to add Burp Suite Enterprise Edition to your identity provider's list of trusted applications. Please note that this process has various names depending on your identity provider. If you are using Okta or Azure Active Directory, this is known simply as "adding an application". ADFS, however, refers to "adding a relying party trust".
Some identity providers, including Azure AD, will only let you add Burp Suite Enterprise Edition as a trusted application if you have enabled HTTPS on your web server.
For standard deployments of Burp Suite Enterprise Edition, you can do this from the "Network" settings page by selecting the "Enable TLS" option.
For Kubernetes deployments, you need to add an HTTPS listener to the load balancer that Kubernetes controls.
- Log in to Burp Suite Enterprise Edition as an administrator.
- From the settings menu, select "Integrations".
- On the "SAML" tile, click the "Configure" button.
- In the "Relying trust information" section, notice that you can copy both the "Relying party trust identifier" and the "Relying party service URL" for Burp Suite Enterprise Edition. Go to the administration settings for your identity provider and use these values to add a new application (or relying party trust) for Burp Suite Enterprise Edition. Please consult your identity provider's documentation for details on how to do this.
Obtain key details from your identity provider
As you will need to enter some details about your identity provider, we recommend gathering this information before you start the configuration in Burp Suite Enterprise Edition. Exactly where you can find this information will depend on your identity provider, but it should be easily available.
Unfortunately, the terminology used by different identity providers can vary dramatically. Where possible, we have provided some commonly used alternative names for the required information.
You will need to obtain the following:
- The identity provider Entity ID. This is the globally unique name for your identity provider that will be sent as the Issuer value in SAML responses. This is usually a URL. Alternative names include "Federation service identifier" and "Identity provider issuer".
- The identity provider SSO URL. This is the URL to which Burp Suite Enterprise Edition will send users when they choose to log in using SAML.
- The identity provider's token-signing certificate. Burp Suite Enterprise Edition uses this to verify that the SAML response was genuinely issued by the identity provider. This is known by many different names, including several variations of the following:
  - Identity provider (public) certificate
  - SAML certificate
  - Identity provider public key
Enter your identity provider details
Once you have gathered the required details about your identity provider, the next step is to enter this information in Burp Suite Enterprise Edition.
- In Burp Suite Enterprise Edition, navigate to the "SAML" integration settings.
- In the "Company details" section, enter the name of your organization. This will be displayed in the SSO link on the Burp Suite Enterprise Edition login page.
- Under "SAML configuration", select the identity provider to which you want to connect.
- Use the corresponding fields to enter the identity provider information that you obtained earlier.
Additional identity provider configuration
To complete the configuration, you need to perform some additional steps that are specific to your identity provider.
- Additional configuration for ADFS
- Additional configuration for Okta
- Additional configuration for Azure Active Directory
If you are using an identity provider other than the ones mentioned, you will need to configure how the security groups are sent to Burp Suite Enterprise Edition. The details of this will vary between providers, but here is an example of a group attribute statement, where the group name is "Scan viewers":
<AttributeStatement>
    <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <AttributeValue>Scan viewers</AttributeValue>
    </Attribute>
</AttributeStatement>
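To show how the identity provider details gathered above (Entity ID sent as the Issuer, the relying party trust identifier) and the group attribute statement are consumed on the service provider side, here is an added Python example. It is not PortSwigger's code and does not describe how Burp Suite Enterprise Edition itself is implemented. It parses a constructed, unsigned SAML response, checks that every Issuer matches the configured Entity ID, checks that the relying party trust identifier appears as the Audience, and extracts the group names carried under the claim name shown above. The entity IDs, URLs, email address and group names are placeholders; verification of the XML signature with the token-signing certificate is assumed to have happened before these checks and is not shown.

```python
import xml.etree.ElementTree as ET

# Claim name used for security group membership in the attribute statement above
GROUP_ATTRIBUTE_NAME = "http://schemas.xmlsoap.org/claims/Group"

# Hypothetical values an administrator would have configured (placeholders)
CONFIGURED_IDP_ENTITY_ID = "https://idp.example.test/adfs/services/trust"
CONFIGURED_RELYING_PARTY_ID = "https://bsee.example.test/saml"

# Constructed, unsigned sample response; not a capture from any real identity provider
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://bsee.example.test/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>Scan viewers</saml:AttributeValue>
        <saml:AttributeValue>Administrators</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _local_name(tag):
    """Strip the '{namespace}' prefix that ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, local):
    """Find all elements with the given local name, whatever prefix the identity provider used."""
    return [el for el in root.iter() if _local_name(el.tag) == local]


def issuers(root):
    """Issuer values from the response and from each assertion inside it."""
    return [(el.text or "").strip() for el in _find_all(root, "Issuer")]


def audiences(root):
    """Audience values from every AudienceRestriction condition."""
    return [(el.text or "").strip() for el in _find_all(root, "Audience")]


def extract_groups(root, attribute_name=GROUP_ATTRIBUTE_NAME):
    """Collect every AttributeValue under Attribute elements whose Name is the group claim."""
    groups = []
    for attr in _find_all(root, "Attribute"):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr:
            if _local_name(value.tag) == "AttributeValue" and value.text:
                groups.append(value.text.strip())
    return groups


def groups_from_xml(xml_text):
    """Parse an attribute statement (or whole response) and return the group names in it."""
    # For untrusted XML in production, parse with defusedxml rather than xml.etree directly.
    return extract_groups(ET.fromstring(xml_text))


def check_response(xml_text, expected_issuer=CONFIGURED_IDP_ENTITY_ID,
                   expected_audience=CONFIGURED_RELYING_PARTY_ID):
    """Return (ok, problems, groups) for an already signature-verified response."""
    root = ET.fromstring(xml_text)
    problems = []
    found_issuers = issuers(root)
    if not found_issuers:
        problems.append("no Issuer element")
    for iss in found_issuers:
        if iss != expected_issuer:
            problems.append(f"Issuer {iss!r} does not match configured Entity ID")
    if expected_audience not in audiences(root):
        problems.append("relying party trust identifier not present in AudienceRestriction")
    groups = extract_groups(root)
    if not groups:
        problems.append(f"no {GROUP_ATTRIBUTE_NAME} attribute; user would map to no groups")
    return (not problems, problems, groups)


if __name__ == "__main__":
    ok, problems, groups = check_response(SAMPLE_RESPONSE)
    print("accepted" if ok else "rejected", problems, groups)
```

Run the file directly to see the verdict for the sample response. Because the group claim is what gets mapped onto roles on the service provider side, a response that carries no such attribute is reported as a problem rather than silently producing a user with no group membership, and a mismatched Issuer is rejected even when the group claim looks right.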
Configuring single logout
Burp Suite Enterprise Edition also provides optional support for single logout (SLO). When enabled, logging out of Burp Suite Enterprise Edition will automatically log users out of the identity provider as well. This helps prevent users from inadvertently remaining logged in to multiple applications. If you do not enable this option, users will remain logged in to the identity provider even after logging out of Burp Suite Enterprise Edition.
When Burp Suite Enterprise Edition generates a single logout message, it signs the message so that a receiving party that validates signatures can verify it.
To configure single logout:
- Generate a self-signed X.509 certificate specifically for single logout.
- In Burp Suite Enterprise Edition, navigate to the "SAML" options.
- Under "Relying trust information", copy the "Relying party single logout URL". Leave this page open for now.
- Go to your identity provider's admin panel and edit the SAML settings for your Burp Suite Enterprise Edition integration. Paste the URL from your clipboard into the appropriate field.
- Obtain the Single Logout URL from your identity provider. This is the URL to which Burp Suite Enterprise Edition should redirect users when they log out. This may have a different name depending on your identity provider.
- Back in Burp Suite Enterprise Edition, enable the "Use single logout" option.
- Paste the URL that you obtained from your identity provider into the "Identity provider single logout URL" field.
- Paste your self-signed certificate into the "Service provider certificate" field.
- Paste the private key into the "Service provider private key" field.
Some identity providers, such as Okta, require single logout messages to be signed in order to verify that they came from a trusted source. In this case, you may also need to upload the certificate that you generated to your identity provider.