Single Sign On Support
Single Sign-On Support for GreyNoise Visualizer
GreyNoise supports SSO (Single Sign-On) as an authentication method for the GreyNoise Visualizer.
Feature Availability
The Single Sign-On feature is available to all GreyNoise customers with a paid subscription and across all platform tiers (Standard, Advanced, and Elite).
Supported Identity Providers
The Single Sign-On feature currently supports the following Identity Providers:
- Okta
- Custom SAML 2.0
- Custom OIDC
How to Set Up Single Sign-On
To initiate the process of enabling SSO for the GreyNoise Visualizer, customers should reach out to their dedicated Customer Success Manager or email [email protected].
Once your account is approved for SSO, the Customer Success team will provide comprehensive instructions for integrating your SSO provider with the GreyNoise Visualizer.
Pre-Requirements
- Administrative access to your IdP
- Ability to create/manage groups in your IdP
- Authority to configure SAML/OIDC applications
User Sign-On Flow
The following provides an example of what an SSO sign-on experience for users may look like for someone with Okta configured as their IdP.
Configuring Single Sign-On (SSO) for GreyNoise
SSO setup is self-service: GreyNoise generates a one-time setup link for your organization, and an administrator from your team uses that link to connect your IdP directly — no back-and-forth exchange of certificates or metadata with GreyNoise support is required.
Supported providers
| Connection type | Notes |
|---|---|
| Okta Workforce | Native Okta integration (OIDC-based) |
| OpenID Connect (OIDC) | Any OIDC-compliant IdP (Entra ID, Google Workspace, Ping, etc.) |
| SAML 2.0 | Any SAML 2.0-compliant IdP |
How setup works
- Request SSO from your GreyNoise account team. We need one thing:
  - The email domain(s) your users sign in with (e.g. example.com)
- GreyNoise sends you a setup link. The link is valid for 5 days by default. If it expires before you finish, ask us to issue a new one.
- Your IdP administrator opens the link and follows the guided setup for your provider (Okta Workforce, OIDC, or SAML).
- GreyNoise finalizes the connection automatically. When your setup completes, our systems apply the required attribute mappings and enable Visualizer login for the connection. This typically takes effect within a few minutes — no action is needed on your side.
- Users sign in. Anyone entering an email address on one of your registered domains on the Visualizer login page is routed to your IdP.
What your IdP must send
GreyNoise provisions user accounts just-in-time on first login and keeps them updated on every subsequent login, using the attributes below.
| Attribute | Required | Used for |
|---|---|---|
| email | Yes | Account identity. Must be on one of your registered email domains. |
| given_name | Recommended | User's first name |
| family_name | Recommended | User's last name |
| name | Recommended | User's full display name |
| groups | Optional — only needed to grant access to workspaces beyond the default (see below) | Workspace access assignment |
Okta Workforce and OIDC connections
GreyNoise requests the following scopes from your IdP:
openid email profile groups
Your IdP must allow these scopes for the GreyNoise application/integration and return the claims below:
| Claim | Source |
|---|---|
| email | ID token |
| name | ID token |
| preferred_username | ID token |
| given_name | UserInfo endpoint |
| family_name | UserInfo endpoint |
| groups (optional) | UserInfo endpoint |
Most IdPs require explicit configuration to send a groups claim:
- Okta: add a Groups claim to the authorization server / app integration. A filter such as "starts with gn_" limits the claim to GreyNoise-relevant groups (recommended).
- Microsoft Entra ID: configure Token configuration → Add groups claim, or use an app role / group filtering so only relevant groups are emitted.
- Other OIDC IdPs: ensure the groups scope (or your IdP's equivalent group-release mechanism) returns the user's group names from the UserInfo endpoint.
The groups value may be sent either as a JSON array of strings or as a single comma-separated string; both are accepted.
SAML connections
Your SAML assertion must include the user's email address and, for multi-workspace connections, a groups attribute. Use the attribute names below in your assertion:
| SAML attribute | Required |
|---|---|
| email | Yes |
| given_name | Recommended |
| family_name | Recommended |
| name | Recommended |
| groups | Optional — only needed to grant access to workspaces beyond the default |
Workspace access
Default behavior — no groups required
This is the most common setup. Every SSO connection has a default workspace: the workspace the connection was created for. When a user signs in through SSO without any GreyNoise group information, they are automatically granted access to that default workspace — and only that workspace.
If your organization has a single GreyNoise workspace, this is all you need.
You do not need to configure or send a groups attribute.
Assigning users to additional workspaces with groups
If your organization has multiple GreyNoise workspaces behind one SSO connection, use IdP group membership to control which workspace(s) each user can access:
- GreyNoise provides you a group name for each of your workspaces, in the format gn_<workspace-id>. For example: gn_e0e90a48-5db0-4776-a1fa-9da39b849b4f
- Create matching groups in your IdP (the names are matched case-insensitively, so GN_... is also fine).
- Assign each user to the group(s) for the workspace(s) they should access.
- Ensure your IdP releases these groups in the groups claim/attribute (see provider notes above).
A user who signs in with gn_ groups gets access to exactly the workspaces named by those groups. A user who signs in without any gn_ groups gets the default workspace, as described above.
Group membership is evaluated on every login. Adding a user to a group grants workspace access at their next sign-in; removing them from a group revokes that workspace access at their next sign-in. Group names that don't start with gn_, or that don't correspond to one of your connection's workspaces, are ignored.
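The group rules above, together with the two accepted formats for the groups value, can be checked against a captured UserInfo response before rolling out multi-workspace access. This is an added example, not GreyNoise code: the function names, the second workspace ID, and the fallback to the default workspace when only unmatched gn_ groups are present are assumptions.

```python
import json

def parse_groups(value):
    """Normalize a groups value: list of strings or one comma-separated string."""
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    return [g.strip() for g in items if isinstance(g, str) and g.strip()]

def resolve_workspaces(claims, connection_workspaces, default_workspace):
    """Return (granted workspace IDs, ignored group names) for one login."""
    known = {w.lower(): w for w in connection_workspaces}
    granted, ignored = [], []
    for group in parse_groups(claims.get("groups")):
        lowered = group.lower()  # names are matched case-insensitively
        ws = known.get(lowered[3:]) if lowered.startswith("gn_") else None
        if ws is None:
            ignored.append(group)  # no gn_ prefix, or not a workspace of this connection
        elif ws not in granted:
            granted.append(ws)
    # Assumption: if nothing matched, the login is treated as having no gn_ groups.
    return (granted or [default_workspace]), ignored

# Constructed sample data. DEFAULT_WS reuses the page's example ID; SECOND_WS is made up.
DEFAULT_WS = "e0e90a48-5db0-4776-a1fa-9da39b849b4f"
SECOND_WS = "11111111-2222-3333-4444-555555555555"
WORKSPACES = [DEFAULT_WS, SECOND_WS]
SAMPLE_USERINFO = [
    '{"email": "a@example.com", "groups": ["GN_' + SECOND_WS + '", "Engineering"]}',
    '{"email": "b@example.com", "groups": "gn_' + DEFAULT_WS + ', gn_' + SECOND_WS + '"}',
    '{"email": "c@example.com"}',
    '{"email": "d@example.com", "groups": ["gn_not-a-workspace"]}',
]

if __name__ == "__main__":
    for raw in SAMPLE_USERINFO:
        claims = json.loads(raw)
        granted, ignored = resolve_workspaces(claims, WORKSPACES, DEFAULT_WS)
        print(claims["email"], "->", granted, "ignored:", ignored)
```

The ignored list is the useful part when reviewing access: a misspelled gn_ group shows up there while the user still lands in the default workspace.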
Account provisioning details
- Just-in-time provisioning: user accounts are created automatically on first SSO login. You do not need to pre-register users with GreyNoise.
- Profile sync: email, first name, last name, and display name are updated from your IdP on each login.
- No SCIM: deprovisioning a user in your IdP prevents future logins to GreyNoise, but does not delete their GreyNoise account. Removing a user from a gn_ group revokes that workspace's access on next login; a user with no gn_ groups reverts to the connection's default workspace.
Troubleshooting
| Symptom | Likely cause |
|---|---|
| Setup link no longer works | Link expired (5-day default) or was already used. Request a new link. |
| User has access to the default workspace but not the expected one | The groups claim isn't being released by the IdP, the user isn't in the right gn_ group, or the group name doesn't match gn_<workspace-id> exactly. Users with no gn_ groups fall back to the connection's default workspace. |
| User isn't routed to the IdP at login | The email domain entered isn't one of the domains registered for the connection. Contact GreyNoise to add domains. |
| Group changes not taking effect | Workspace assignment updates at the user's next login — have the user sign out and back in. |
Support
For help or inquiries regarding the Single Sign-On feature, please contact [email protected].
