Service Provider initiated login using an external Identity Provider

Service Provider (SP) Initiated Login gives users in your organization the ability to use the Command Platform sign-in page to sign in to the Command Platform using the single sign-on source configured in your Command Platform company settings. This SP Initiated Login functionality works with any existing single sign-on source you may have configured already. Deploy SP Initiated Login to provide your users with a simpler user experience and to maintain compliance with existing authentication policies that apply to your organization.

To deploy SP Initiated Login for your existing single sign-on source:

  1. Navigate to the Command Platform sign-in page.
  2. Click the Sign in with SSO button shown under the regular Sign In button, as shown below.

SP sign in page

  3. Enter your email address into the provided field.
  4. Click the Sign in with SSO button.
  5. You will then be redirected to your external Identity Provider to complete the sign-in process.

Consult your Identity Provider documentation

Rapid7 will not be able to provide troubleshooting support for external Identity Provider software. Consult your software vendor's documentation thoroughly to ensure that you deploy this functionality properly. If you encounter an error while completing the sign-in process through your external Identity Provider, contact your external Identity Provider vendor for troubleshooting assistance.

If you choose the Sign in with SSO option but your company has not yet configured a single sign-on source, you will be redirected back to the local sign-in page where you will need to provide your standard Rapid7 account email address and password, as shown below.

Redirected Login

Verify that your SSO URL is correctly configured

The single sign-on URL in your current Command Platform authentication settings must be correctly configured for SP Initiated Login to work. The single sign-on URL is the endpoint provided by the Command Platform where SAML responses are posted. The Command Platform needs to provide this information to the Identity Provider.

Some Identity Provider software vendors may refer to this parameter by a different name, such as a "User Access URL" (used by Azure) or an "Assertion Consumer Service URL", among others. You can verify that the single sign-on URL is correct by trying to navigate to the URL directly after you have completed the configuration in your Command Platform authentication settings. It should direct you to the Command Platform in the same manner as if you were to click the Sign in with SSO option from the login page.
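Because the single sign-on URL is the endpoint where SAML responses are posted, a second check is to inspect a SAML response captured from your own sign-in and confirm that the URLs the Identity Provider put in it match the single sign-on URL you configured. The following is an added example, not Rapid7 code: the function names are hypothetical, and `https://sp.example.com/saml/acs` is a constructed placeholder for your real single sign-on URL.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_PORTS = {"https": 443, "http": 80}

def _norm(url):
    """Normalise scheme/host case and default ports; path and query stay exact."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    port = p.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path, p.query)

def check_sso_url(saml_response_b64, expected_sso_url):
    """Return a list of mismatches between the response's URLs and the expected SSO URL.

    Inspection aid only: it does not verify signatures. Run it on a
    base64 SAMLResponse value captured from your own sign-in.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    # Destination on the Response and Recipient on each SubjectConfirmationData
    # are the SAML 2.0 attributes that carry the URL the IdP posts to.
    found = [("Response/@Destination", root.get("Destination"))]
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        found.append(("SubjectConfirmationData/@Recipient", scd.get("Recipient")))
    problems = []
    for where, value in found:
        if value is None:
            problems.append(f"{where} is missing")
        elif _norm(value) != _norm(expected_sso_url):
            problems.append(f"{where} is {value!r}, expected {expected_sso_url!r}")
    return problems

def build_sample(destination, recipient):
    """Constructed sample response (unsigned, minimal) for demonstration."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'Destination="{destination}"><saml:Assertion><saml:Subject>'
        '<saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        '</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    expected = "https://sp.example.com/saml/acs"  # placeholder, not a real endpoint
    sample = build_sample(expected, "https://sp.example.com/saml/login")
    for line in check_sso_url(sample, expected) or ["SSO URL matches"]:
        print(line)
```

An empty list means the Identity Provider is posting to the URL you expect; any entry names the attribute that differs, which is the value to correct in the Identity Provider's configuration.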