Setting Up SSO
This ability is limited to team members with the Admin role.
Manifest integrates with your SSO provider for authentication in a few easy steps. Please reach out to one of our team members on instant messenger or email us at [email protected] to get you started.
The email domain used by your SSO provider may differ from the domain configured for your Manifest Cyber organization. To use SSO with your organization, the email domain your IdP issues must be configured for your organization on the Manifest Platform.
For example, if your external email is [email protected] but your Azure IdP email is [email protected] and you sign in with that, both email domains, bar.com and bar.biz, will need to be allowed for your organization in Manifest.
Getting Started
Step 1: Receive a unique redirect URI from Manifest to enter into your IdP. Manifest will send you your unique redirect URI when you are ready to kick off SSO configuration.
Step 2: Create a new application registration in your IdP using the redirect URI provided by Manifest.
Step 3: Once you have successfully created the application in your IdP, you will need to provide Manifest with the information listed below. For security purposes, please do not email or instant message us this information. We will ask for these details during our SSO setup call. If a setup call is not possible, we can agree on a method for sharing this information securely that works for both teams.
- Client ID
- Client Secret
- Issuer URL. For AzureAD, look for the name "Directory (tenant) ID" and use https://sts.windows.net/$DIRECTORY_TENANT_ID/ NOTE: the closing "/" is essential.
- Optional: Claims. List of claims available on your tokens. Token claims give us information about the appropriate data mapping for your setup.
- Scopes. List of scopes you consent to providing. Most scopes are optional, but we generally recommend including the following scopes (or their equivalents in your IdP): email, profile, openid.
Step 4: For OpenID Connect to work properly, your application needs to expose some Microsoft Graph permissions.
- Go to API Permissions.
- Click + Add Permissions -> Microsoft Graph -> Delegated Permissions, then search for OpenID.
- Click Add permissions.
Step 5: Your application now has sufficient permissions; next, make sure the correct data is exposed in the token.
- Click Token Configuration -> + Add Optional Claim.
- In the drawer, select ID token and pick preferred_username.
Please note that different setups expose different fields; please contact us if your identifying email is exposed under a different property.
On our end, we use this snippet to map your IdP token into the internal Manifest schema:
    local claims = std.extVar('claims');
    {
      identity: {
        traits: {
          userId: if std.objectHas(claims, 'sub') then claims.sub else error "Missing userId",
          email:
            if std.objectHas(claims, 'preferred_username') then claims.preferred_username
            else if std.objectHas(claims, 'email') then claims.email
            else if std.objectHas(claims.raw_claims, 'upn') then claims.raw_claims.upn
            else error "Debug info: No valid email found. Claims object: " + std.toString(claims),
          name: if std.objectHas(claims, 'name') then claims.name else "",
          givenName: if std.objectHas(claims, 'given_name') then claims.given_name else "",
          familyName: if std.objectHas(claims, 'family_name') then claims.family_name else "",
        },
      },
    }
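As an added example (not Manifest's own code; the Jsonnet above is what runs on their side), here is a Python re-implementation of the same mapping rules, plus the two checks this page asks you to get right: the email domain must be allowed for your organization, and the Azure AD issuer URL must keep its closing "/". The sample token payloads are constructed, with hypothetical user and tenant values.

```python
class ClaimMappingError(ValueError):
    """Raised when the token lacks a claim the mapping treats as mandatory."""

def map_claims(claims):
    """Mirror the Jsonnet mapper: 'sub' is required; the email is the first of
    preferred_username, email, raw_claims.upn; name fields default to "".
    Deviation: a missing raw_claims object is treated as empty here."""
    if "sub" not in claims:
        raise ClaimMappingError("Missing userId")
    raw = claims.get("raw_claims") or {}
    if "preferred_username" in claims:
        email = claims["preferred_username"]
    elif "email" in claims:
        email = claims["email"]
    elif "upn" in raw:
        email = raw["upn"]
    else:
        raise ClaimMappingError(f"No valid email found. Claims object: {claims}")
    return {"identity": {"traits": {
        "userId": claims["sub"],
        "email": email,
        "name": claims.get("name", ""),
        "givenName": claims.get("given_name", ""),
        "familyName": claims.get("family_name", ""),
    }}}

def fails_mapping(claims):
    """True if the mapper rejects the token (handy for dry-running a sample token)."""
    try:
        map_claims(claims)
    except ClaimMappingError:
        return True
    return False

def email_domain_allowed(email, allowed_domains):
    """The mapped email's domain must be one allowed for your organization."""
    return "@" in email and email.rsplit("@", 1)[1].lower() in allowed_domains

def issuer_url_ok(issuer):
    """Azure AD issuer in the form the doc asks for, closing '/' included."""
    prefix = "https://sts.windows.net/"
    return issuer.startswith(prefix) and issuer.endswith("/") and len(issuer) > len(prefix)

# Constructed sample ID-token payloads (hypothetical user and tenant, not real data).
AZURE_TOKEN = {"sub": "sub-abc", "preferred_username": "jane@bar.biz",
               "name": "Jane Doe", "given_name": "Jane", "family_name": "Doe"}
UPN_ONLY_TOKEN = {"sub": "sub-def", "raw_claims": {"upn": "jane@bar.biz"}}
NO_EMAIL_TOKEN = {"sub": "sub-ghi", "name": "No Email"}
```

Run map_claims against a decoded ID token from your IdP before the setup call: if it raises, the identifying email sits under a property the mapper does not look at, which is exactly the case the note above asks you to report.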