Configuring SAML and SCIM for PortSwigger Burp Suite


This knowledge base article describes how to configure OneLogin SAML single sign-on and SCIM provisioning for PortSwigger Burp Suite, controlling access through OneLogin Roles mapped to Burp Suite groups.

Prerequisites

Note: SCIM is only supported with PortSwigger Burp Suite Enterprise Edition, and deleting SCIM-provisioned users or groups within Burp Suite requires you to delete your corresponding Burp Suite SCIM integration.

  1. Log into Burp Suite Enterprise as an admin and click the gear icon for Settings. Go to Integrations, then click Configure under SCIM User management.

    Burp Suite - SCIM User management
  2. Enter a SCIM URL Port that your firewall settings permit, check Use TLS (recommended), then upload your P12 certificate.

  3. Click Save & generate API token and copy down the SCIM token that appears. You'll be copying multiple values from Burp Suite to paste into OneLogin.

    Burp Suite - SCIM token
  4. Also copy down the Burp Suite SCIM URL. It will be in this format: https://host:port/scim/v2.

  5. Return to Integrations and click Configure under SAML User management.

    Burp Suite - SAML User management
  6. Copy down the Relying party trust identifier and Relying party service URL values and paste them somewhere safe for later retrieval, then enter a name for Company details. Leave this browser tab open.

    Burp Suite - Relying trust information
  7. In a new tab, sign in to your OneLogin admin portal. Go to Users > Roles and create a Role for each of your corresponding Burp Suite groups.

    OneLogin - Roles
    In this example, note how each Role's name begins with Burp Suite; we recommend using this or a similar naming scheme to make your mappings easier in a later step.
  8. Go to Applications > Applications, click Add App, and search for and select SCIM Provisioner with SAML (SCIM v2 Core). Enter a relevant display name, such as "Burp Suite" and Save the new app.

  9. Click Configuration.


    • Paste the values you copied from Burp Suite into the corresponding OneLogin fields:

      Burp Suite value                -> OneLogin field
      Relying party trust identifier  -> SAML Audience URL
      Relying party service URL       -> SAML Consumer URL
      SCIM URL                        -> SCIM Base URL
      SCIM API token                  -> SCIM Bearer Token
    • In the Custom Headers field, enter Content-Type: application/scim+json.

    • In the SCIM JSON Template field, enter:

      {
        "schemas": [
          "urn:ietf:params:scim:schemas:core:2.0:User"
        ],
        "userName": "{$parameters.scimusername}",
        "name": {
          "givenName": "{$user.firstname}",
          "familyName": "{$user.lastname}"
        },
        "emails": [
          {
            "value": "{$user.email}",
            "primary": true,
            "type": "work"
          }
        ],
        "displayName": "{$user.display_name}",
        "groups":[]
      }
    OneLogin - Configuration
  10. Go to Parameters and map the relevant attributes from Burp Suite to your OneLogin values.

  11. Go to Rules and click Add Rule to map your application to Burp Suite.

    OneLogin - Parameters
    In this example, the rule uses a regex that matches any OneLogin Role whose name starts with Burp Suite, so it picks up the Roles created previously.
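    As an added check (example code written for this article, not part of OneLogin or Burp Suite), the following Python script renders the SCIM JSON template from step 9 with a constructed OneLogin user, validates the result as a SCIM 2.0 core User, and applies the same "starts with Burp Suite" regex that the Rule in step 11 uses; it assumes scimusername is the parameter mapped in step 10.

```python
import json
import re

# The SCIM JSON template entered in the OneLogin app in step 9 (condensed, same content).
SCIM_TEMPLATE = """{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "{$parameters.scimusername}",
  "name": {"givenName": "{$user.firstname}", "familyName": "{$user.lastname}"},
  "emails": [{"value": "{$user.email}", "primary": true, "type": "work"}],
  "displayName": "{$user.display_name}",
  "groups": []
}"""

PLACEHOLDER = re.compile(r"\{\$(user|parameters)\.(\w+)\}")
ROLE_RULE = re.compile(r"^Burp Suite")  # the Rules regex described in step 11

def render_template(user, parameters, template=SCIM_TEMPLATE):
    """Fill OneLogin {$user.x} / {$parameters.x} placeholders and parse the result."""
    def sub(match):
        source = user if match.group(1) == "user" else parameters
        value = source[match.group(2)]  # KeyError: attribute not mapped in Parameters
        return json.dumps(str(value))[1:-1]  # JSON-escape so a quote can't break the doc
    return json.loads(PLACEHOLDER.sub(sub, template))

def validate_scim_user(doc):
    """Problems that would make a SCIM 2.0 core User unacceptable to the endpoint."""
    problems = []
    if "urn:ietf:params:scim:schemas:core:2.0:User" not in doc.get("schemas", []):
        problems.append("missing core User schema URN")
    if not doc.get("userName"):
        problems.append("userName empty: check the scimusername parameter mapping")
    if not any(e.get("primary") for e in doc.get("emails", [])):
        problems.append("no primary email")
    return problems

def roles_to_groups(roles):
    """OneLogin Roles the '^Burp Suite' rule selects; these become Burp Suite groups."""
    return [r for r in roles if ROLE_RULE.match(r)]

# Constructed sample data (not real accounts); scimusername is the parameter mapped in step 10.
SAMPLE_USER = {"firstname": "Ada", "lastname": 'O"Neil', "email": "ada@example.com",
               "display_name": "Ada O'Neil"}
SAMPLE_PARAMS = {"scimusername": "ada@example.com"}
SAMPLE_ROLES = ["Burp Suite Admins", "Burp Suite Testers", "Jira Users"]

if __name__ == "__main__":
    doc = render_template(SAMPLE_USER, SAMPLE_PARAMS)
    print(json.dumps(doc, indent=2), validate_scim_user(doc), roles_to_groups(SAMPLE_ROLES))
```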
  12. Go to SSO, open More Actions, and select SAML Metadata to download the OneLogin application metadata.

    OneLogin - SSO
  13. Return to your Burp Suite tab, leaving your OneLogin tab open. Go to SAML configuration, click Import metadata, and upload the file you just downloaded from OneLogin.

    Burp Suite - Upload IDP metadata
  14. Confirm that all three Burp Suite SAML configuration fields have been populated with information that matches your OneLogin application configuration, then toggle Use Single logout to Off and click Save.

    Burp Suite - SAML configuration
  15. Switch back to your OneLogin tab and return to Configuration. Click Enable under API Connection.

    OneLogin - API Connection
  16. Go to Provisioning, check the Enable provisioning checkbox, and click Save. You can now assign users to your OneLogin Burp Suite app.

    OneLogin - Provisioning
    Note: We recommend that you leave Require admin approval before this action is performed checked for all three actions so that you can test user and group provisioning. Once you've successfully completed your testing, you can update them to best fit your user provisioning needs.
  17. Go to Users, select your initial test users and Approve each provisioning prompt.

    OneLogin - Users
  18. Confirm that your users and groups are successfully provisioned in both OneLogin and Burp Suite.

    Burp Suite - Users and Groups
  19. Your configuration is now ready to be tested.


    • For an IdP-initiated test, use a separate browser or incognito browser session to click the Burp Suite app icon from your OneLogin dashboard.

      OneLogin Portal - Burp Suite
    • For an SP-initiated login test, use a separate browser or incognito browser session to go to your Burp Suite website (e.g. https://burpsuite.your-company.gq:8080) and click Login under Sign in with Your Company.

      Burp Suite - Login