Skip to main content

Organizations: FAQs about SSO via SAML

Updated over a week ago



What is your metadata endpoint?

Do you support Just In Time (JIT) provisioning?

Yes, you can read more about JIT Provisioning here.

What happens to my existing 2FA and password?

Your 2FA and password settings will be deleted, and you'll only be able to log in with SSO when you're migrated. The SSO provider is expected to handle 2FA.

Do you support SAML and password login?

No, once a user is SAML enabled, they won't be able to log in with their password.

Is SAML configurable on a per-user basis?

No, all users belonging to a SAML-enabled domain will be required to use SAML authentication.

Do you support custom session times?

Yes, HackerOne will respect the SessionNotOnOrAfter attribute if provided during authentication. This will allow you to customize the length of the session up to an upper bound of 2 weeks. If you provide this value, it'll be the source of truth and the remember me will be ignored.

Do you support Single Logout?

No, we don't support single logout at this time.

What happens to users on my team that don't belong to our claimed domain?

Turning on SSO will only affect users of the claimed domain. Any users that are using e-mail addresses on other domains will not be affected.

What is your NameID format?


What is your Entity ID?

What is your ACS URL?

What are your attribute fields?

User.firstName (First Name) and User.lastName (Last Name). You can read more details about what is available here.

Do you support IDP or SP-initiated login?

We support both IDP and SP-initiated login.

What SAML bindings do you support?

We support POST binding.

What is the session length?

The default session length is 1 hour, but extendable while the user is active. If the user sets "Remember Me" the session will be active for 2 weeks.

Did this answer your question?