AppCheck supports Security Assertion Markup Language (SAML) for Single Sign On (SSO).
The AppCheck SSO implementation has been tested and is currently supported against SAML implementations from Microsoft Entra and Okta. SAML-based solutions from other providers have not been tested but should be compatible provided that they adhere to the SAML standard.
AppCheck supports Service Provider (SP) Initiated SSO, meaning you are required to enter your username (email address) to log in to AppCheck. Identity Provider (IDP) Initiated SSO, where you follow a link from your IDP to be logged into the service without entering a username, is not currently supported.
Configuring SSO for Signing in to AppCheck
If using Microsoft Entra or Okta, follow the appropriate guide in our Help Centre:
- Configuring Microsoft Entra ID (Formerly Azure AD) SSO for AppCheck
- Configuring Okta SSO for AppCheck
If using another IDP you will need to ascertain the correct process and values yourself, though the above guides may be a useful reference. The basic steps are as follows:
- Raise a ticket with AppCheck Support to have the feature enabled for your account.
- Once AppCheck Support have confirmed the feature has been enabled, complete the configuration in the AppCheck scanner portal at Settings, SSO Settings. You will need an Admin user in AppCheck to do this.
- Complete the configuration in your IDP's configuration tool.
- Assign users to the appropriate group in your IDP if required.
- Test the settings in AppCheck.
- Save the settings in AppCheck.
Signing in to AppCheck Once SSO is Enabled
Once completed, the process for signing in to AppCheck will change.
After entering your username in AppCheck:
- If you are not already signed in to your IDP, you will be redirected to your IDP's sign in portal.
- Once signed in to your IDP, your IDP will determine whether you are permitted access to AppCheck. If you are not, then you will need to contact your IDP administrator.
- Once authorised by your IDP, if you already have a user in AppCheck, or "Automatically create an AppCheck account..." is enabled in your Organisation Settings (and your email address matches the specified domain), you will be signed in to AppCheck.