Configuring SAML single sign-on for Burp Suite Enterprise Edition

Burp Suite Enterprise Edition allows you to manage user authentication centrally via SAML-based single sign-on (SSO). This is especially useful for cloud-based deployments. Once configured, users will be able to log in using their existing credentials, removing the need to create and manage dedicated user accounts in Burp Suite Enterprise Edition. Each user’s permissions are then determined by the groups to which they belong.

To configure SAML SSO, you need to establish a trusted connection between the service provider (Burp Suite Enterprise Edition) and your SAML identity provider. Integration with the following providers has been fully tested:

• Active Directory Federation Services (ADFS)
• Okta
• Azure Active Directory

Configuring this connection requires you to perform steps both within the Burp Suite Enterprise Edition web UI and in the administration settings for your identity provider. For exact details of how to perform some of these steps, you may need to consult your identity provider’s documentation.

Add Burp Suite Enterprise Edition to your trusted applications

The first step is to add Burp Suite Enterprise Edition to your identity provider’s list of trusted applications. Please note that this process has various names depending on your identity provider. If you are using Okta or Azure Active Directory, this is known simply as “adding an application”. ADFS. however, refers to “adding a relying party trust”.

1. Log in to Burp Suite Enterprise Edition as an administrator.
2. From the settings menu, select “Single sign-on” and open the “SAML connection” tab.
3. In the “Relying trust information” section, notice that you can copy both the “Relying party trust identifier” and the “Relying party service URL” for Burp Suite Enterprise Edition. You also have the option to copy the “Relying party single logout URL”, but this is not relevant for now.
4. Go to the administration settings for your identity provider. Use the two values from the previous step to add a new application (or relying party trust) for Burp Suite Enterprise Edition. Please consult your identity provider’s documentation for details on how to do this.

Obtain key details from your identity provider

As you will need to enter some details about your identity provider, we recommend gathering this information before you start the configuration in Burp Suite Enterprise Edition. Exactly where you can find this information will depend on your identity provider, but it should be easily available.

Unfortunately, the terminology used by different identity providers can vary dramatically. Where possible, we have provided some commonly used alternative names for the required information.

You will need the obtain the following:

• The identity provider Entity ID. This is the globally unique name for your identity provider that will be sent as the Issuer value in SAML responses. This is usually a URL. Alternative names include “Federation service identifier” and “Identity provider issuer”.
• The identity provider SSO URL. This is the URL to which Burp Suite Enterprise Edition will send users when they choose to log in using SAML.
• The identity provider’s token-signing certificate. Burp Suite Enterprise Edition uses this to verify that the SAML response was genuinely issued by the identity provider. This is known by many different names, including several variations of the following:
  • Identity provider (public) certificate
  • SAML certificate
  • Identity provider public key

Enter your identity provider details

Once you have gathered the required details about your identity provider, the next step is to enter this information in Burp Suite Enterprise Edition.

1. Log in to Burp Suite Enterprise Edition as an administrator. From the settings menu, select “Single sign-on” and open the “SAML connection” tab.
2. In the “Company details” section, enter the name of your organization. This will be displayed in the SSO link on the Burp Suite Enterprise Edition login page.
3. Under “SAML configuration”, select the identity provider to which you want to connect.
4. Use the corresponding fields to enter the identity provider information that you obtained earlier.

Additional identity provider configuration

To complete the configuration, you need to perform some additional steps that are specific to your identity provider.

• Additional configuration for ADFS
• Additional configuration for Okta
• Additional configuration for Azure Active Directory

If you are using an identity provider other than the ones mentioned, you will need to configure how the security groups are sent to Burp Suite Enterprise Edition. The details of this will vary between providers, but here is an example of a group attribute statement, where the group name is “Scan viewers”:

<AttributeStatement><Attribute Name="http://schemas.xmlsoap.org/claims/Group"><AttributeValue>Scan viewers</AttributeValue></Attribute></AttributeStatement>

Configuring single logout

Burp Suite Enterprise Edition also provides optional support for single logout (SLO). When enabled, logging out of Burp Suite Enterprise Edition will automatically log users out of the identity provider as well. This helps prevent users from inadvertently remaining logged in to multiple applications. If you do not enable this option, users will remain logged in to the identity provider even after logging out of Burp Suite Enterprise Edition.

When Burp Suite Enterprise Edition generates a single logout message, it signs it in case the receiving party uses a signature to validate the message.

To configure single logout:

1. Generate a self-signed x509 certificate specifically for single logout.
2. Log in to Burp Suite Enterprise Edition as an administrator. From the settings menu, select “Single sign-on” and open the “SAML connection” tab.
3. Under “Relying trust information”, copy the Relying party single logout URL. Leave this page open for now.
4. Go to your identity provider’s admin panel and edit the SAML settings for your Burp Suite Enterprise Edition integration. Paste the URL from your clipboard into the appropriate field.
5. Obtain the Single Logout URL from your identity provider. This is the URL to which Burp Suite Enterprise Edition should redirect users when they log out. This may have a different name depending on your identity provider.
6. Back in Burp Suite Enterprise Edition, enable the “Use single logout” option.
7. Paste the URL that you obtained from your identity provider into the “Identity provider single logout URL” field.
8. Paste your self-signed certificate into the “Service provider certificate” field.
9. Paste the private key into the “Service provider private key” field.

Reference: https://portswigger.net/burp/documentation/enterprise/administration-tasks/sso/saml