Users can configure a single Identity Provider within a SAML integration.
Note: ThreatLocker does not support IdP-initiated SAML. For more information about why, please see the 'IdP-Initiated SAML' section located at the bottom of this article.
Note: In your SAML Identity Provider, you will need to use the Entity ID:
Additionally, in your SAML Identity Provider, you will need the Assertion (ACS URL) provided in the Assertion section of the SAML integration sidebar.
How to Configure the SAML Integration
To set up your SAML Integration, in the ThreatLocker Portal, navigate to the left side of the page and hover over the 'Manage' icon. Then, select 'Integrations' from the menu.

On the 'Integrations' page, use the search bar at the top and enter 'saml'. Then, select 'SAML' from the dropdown.

Selecting 'SAML' will open the 'Add SAML Integration' sidebar. Under the 'SAML Details' section:
- Description - Enter a description into the provided field for your SAML integration.
- Issuer - The Issuer is https://threatlocker.com, which may be requested by the SAML Identity Provider.
- Assertion - The Assertion is the Assertion URL (ACS URL) that may be requested by the SAML Identity Provider.

Now in the 'Settings' section, the following fields must be obtained from the SAML Identity Provider:
- Sign-On URL - The Identity Provider endpoint to which the SAML request is posted (the IdP sign-on page).
- Issuer - The globally unique name of your IdP.
- Signature Algorithm - Select between the following options:
  - SHA-256
  - SHA-512
- Certificate - Identity Provider-generated X509 Certificate.
  - This is needed for ThreatLocker to verify that the SAML Assertion is coming from the trusted Identity Provider.
  - The Certificate Signature Algorithm must be either SHA-256 or SHA-512, and it must match the Signature Algorithm you selected above.

Once this information has been entered, select the 'Add' button at the bottom of the page.
Enabling SSO
Important: Do NOT enable the option to 'Enforce SSO / Disable Local Login' until after you are able to test and confirm your SAML login works.
To enable SSO, using the left-hand side of the page, hover over the 'Manage' icon and select 'Users'.

On the 'Users' page, navigate to the top right-hand side and select the hamburger menu to the right of the 'Invite User' button. This will open the 'Additional Options' menu. Select 'Login Settings' from the list of options.

Selecting the 'Login Settings' button will open the 'Login Settings' sidebar for your organization. Under the 'Login Restrictions' section, ensure that the 'Allow SSO' switch is turned ON.

Once done, select the 'Save' button at the bottom of the page.
Note: When SAML is disabled, any user who was signing in with SAML will need to reset their password, as they will no longer have a valid login for ThreatLocker.
Connecting SAML to ThreatLocker
Prior to signing in with SAML, you must reset the user's password. To do so, using the left-hand side of the page, hover over the 'Manage' icon and select 'Users'.

On the user's page, select the checkbox next to each user you would like to connect to SAML. Once all desired users are chosen, select the 'Password Reset' button at the top of the users list.

Confirm that you would like to email a Reset Password Link to the selected Administrators. Selecting 'Yes' will send an email to the selected accounts from noreply@threatlocker.com with the password reset link.
Selecting this link will direct the user to create a new password for their account. Within the 'Create New Password' window, users should select the 'SAML' button.

A new window with a field to enter your SAML Email Address will appear. Here, insert the SAML email address and select the 'Verify with SAML' button.

After selecting this button, you will be prompted to log in. Once that login succeeds, the administrator will be prompted to enter their MFA code.
Signing in with the SAML Integration
To sign in using the SAML integration, start by entering your email/username into the portal login page.
If the integration is set up correctly, the SAML button will appear below the login fields.

Select the 'SAML' button to sign in.
IdP-Initiated SAML
For security purposes, ThreatLocker does not support IdP-initiated SAML. With IdP-initiated SAML, there is no SAML Request, so we cannot verify whether the assertion was stolen. A stolen assertion issued by an IdP will appear valid. It will be issued by the expected issuer and signed with the expected key. This means that we cannot prevent assertion theft and injection.
For more information about the risks and dangers of using IdP-Initiated SAML, please see the following articles:
https://www.identityserver.com/articles/the-dangers-of-saml-idp-initiated-sso
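As an added illustration of why the SP-initiated flow matters (example code written for this article, not ThreatLocker's own implementation): the service provider below accepts a bearer assertion only when its InResponseTo matches an AuthnRequest it issued, and consumes that request ID so the same assertion cannot be presented twice. The IdP entity ID and the sample assertion are constructed placeholders, and XML signature verification is assumed to have been done before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_ISSUER = "https://idp.example.test/metadata"  # assumed IdP entity ID (placeholder)
EXPECTED_AUDIENCE = "https://threatlocker.com"         # the SP Issuer named in the article

class SamlServiceProvider:
    def __init__(self):
        self.pending = set()  # IDs of AuthnRequests this SP sent and has not yet consumed

    def issue_request(self, request_id):
        self.pending.add(request_id)

    def accept(self, assertion_xml, now):  # assumes the XML signature was already verified
        root = ET.fromstring(assertion_xml)
        if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
            return False, "unexpected issuer"
        aud = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if aud != EXPECTED_AUDIENCE:
            return False, "assertion not addressed to this SP"
        data = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        expiry = datetime.fromisoformat(data.get("NotOnOrAfter").replace("Z", "+00:00"))
        if now >= expiry:
            return False, "assertion expired"
        req = data.get("InResponseTo")
        if req is None:  # IdP-initiated: no request to bind to, so a stolen copy looks identical
            return False, "unsolicited assertion rejected"
        if req not in self.pending:
            return False, "InResponseTo matches no outstanding request (replay or injection)"
        self.pending.discard(req)  # each request ID is honoured once
        return True, "accepted"

def make_assertion(in_response_to):  # constructed, unsigned sample assertion
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2030-01-01T00:05:00Z"{attr}/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def demo():
    sp = SamlServiceProvider()
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)
    sp.issue_request("_req1")
    return [sp.accept(make_assertion("_req1"), now)[0],  # SP-initiated: True
            sp.accept(make_assertion("_req1"), now)[0],  # same assertion replayed: False
            sp.accept(make_assertion(None), now)[0]]     # IdP-initiated (no InResponseTo): False
```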