SAML Integration

3 min. read. Last update: 05.20.2024


Users can configure one Identity Provider per SAML integration.

Note: ThreatLocker does not support IdP-initiated SAML. For the reasoning, see the 'IdP-Initiated SAML' section further down in this article.
Note: Your SAML Identity Provider will need the Entity ID (the Issuer shown in the SAML integration sidebar).
Note: Your SAML Identity Provider will also need the Assertion URL (ACS URL) provided in the Assertion section of the SAML integration sidebar.

How to Configure the SAML Integration

To begin, navigate to the ThreatLocker portal.

From the left-hand navigation menu, click 'Integrations' and, under 'Add New Integrations', select the SAML icon.

The Update SAML Integration panel will slide in on the right side of your screen.

  1. Fill in the desired Description for the SAML integration.
  2. The Issuer is the Entity ID that identifies ThreatLocker to your Identity Provider. It is provided by ThreatLocker and may be requested by the SAML Identity Provider.
  3. The Assertion is the Assertion URL (ACS URL) to which the Identity Provider sends its response. It may also be requested by the SAML Identity Provider.

The following fields must be obtained from the SAML Identity Provider:

4.  Sign-On URL: The Identity Provider endpoint to which the SAML request is posted (the IdP sign-on page).

5.  IssuerId: The globally unique name (Entity ID) of your IdP. SAML responses are expected to come from this issuer.

6.  Certificate: The X.509 certificate generated by the Identity Provider.

    • ThreatLocker uses it to verify that each SAML assertion is signed by the trusted Identity Provider, so the public key in the certificate must match the key the IdP signs with.
    • The certificate's signature algorithm must be SHA-256.

Click the '+ Add SAML' button.


Enabling SSO


Navigate to the Login Settings found on the Administrators page and toggle on 'Allow SSO'.

If SAML is later disabled, any administrator who was signing in with SAML will need to reset their password, because they will no longer have a valid ThreatLocker login.

Connecting SAML to ThreatLocker

Before an administrator can sign in with SAML, you must reset that administrator's ThreatLocker password.

Navigate to the Administrators page and select the check box next to each administrator you would like to connect to SAML. Once the desired administrators are selected, click the 'Password Reset' button.


Confirm that you would like to email a reset password link in the corresponding popup.



The selected administrators will receive an email containing a reset password link.


The link directs the user to a page to confirm their new password. On this page, the user should select the SAML button instead of setting a password.


In the 'Confirm your new ThreatLocker Account' popup, enter the email address used with your SAML Identity Provider and select 'Verify with SAML'.



Follow the Identity Provider's prompts to log in. Once the SAML login succeeds, the administrator will be prompted to enter their MFA code.

Signing in with the SAML Integration

To sign in using the SAML integration, start by entering your email address or username on the portal login page as usual.

If the integration is set up correctly, the SAML button will appear below the login fields.



Click the SAML button to sign in.

IdP-Initiated SAML

For security reasons, ThreatLocker does not support IdP-initiated SAML. In an IdP-initiated flow there is no SAML request from ThreatLocker, so the response carries no InResponseTo value that can be matched against a request ThreatLocker actually issued. A stolen assertion from an IdP-initiated flow therefore looks entirely valid: it comes from the expected issuer and is signed with the expected key, and the only thing that would distinguish it from a legitimate login is the request binding the flow lacks. Because there is no way to detect assertion theft and injection in that flow, ThreatLocker accepts only SP-initiated sign-in.
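The request binding described above, as an added example that is not ThreatLocker's code: a minimal Python service-provider flow in which the fields from the configuration section (Issuer/Entity ID, Assertion URL, Sign-On URL, IssuerId, Certificate) drive an AuthnRequest and the checks applied to the response. All URLs, the certificate placeholder and the sample responses are hypothetical and constructed for the demo (the responses are unsigned), and XML-signature verification against the configured certificate is represented by a boolean so the code runs offline; a real SP must perform that verification with an XML-DSig library before trusting anything else in the response.

```python
"""Added example, not ThreatLocker code: a minimal SAML 2.0 service-provider (SP)
flow. Shows how the integration fields are used and why a response without an
InResponseTo (an IdP-initiated login) cannot be tied to a request the SP made.
XML-DSig verification is represented by the signature_ok flag so this runs offline."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical values standing in for the fields in the integration panel.
SP_CONFIG = {
    "issuer": "https://sp.example.test/saml/metadata",     # Issuer / Entity ID (step 2)
    "acs_url": "https://sp.example.test/saml/acs",         # Assertion URL, ACS URL (step 3)
    "idp_sign_on_url": "https://idp.example.test/sso",     # Sign-On URL (step 4)
    "idp_issuer_id": "https://idp.example.test/metadata",  # IssuerId (step 5)
    "idp_cert_pem": "-----BEGIN CERTIFICATE-----...",      # Certificate (step 6), placeholder
}

# AuthnRequest IDs this SP has issued and not yet consumed, with their expiry.
PENDING_REQUESTS: Dict[str, datetime] = {}


def build_authn_request(cfg: dict) -> Tuple[str, str]:
    """Issue an AuthnRequest; return (request ID, HTTP-Redirect URL to the IdP Sign-On URL)."""
    request_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{datetime.now(timezone.utc).strftime(TS)}" '
           f'Destination="{cfg["idp_sign_on_url"]}" AssertionConsumerServiceURL="{cfg["acs_url"]}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{cfg["issuer"]}</saml:Issuer></samlp:AuthnRequest>')
    PENDING_REQUESTS[request_id] = datetime.now(timezone.utc) + timedelta(minutes=5)
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encoded as SAMLRequest.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, cfg["idp_sign_on_url"] + "?" + query


def decode_redirect_request(url: str) -> str:
    """Reverse the HTTP-Redirect encoding (what the IdP does on receipt)."""
    raw = base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(cfg: dict, response_xml: str, signature_ok: bool,
                      now: Optional[datetime] = None) -> str:
    """Return the authenticated NameID or raise ValueError. signature_ok is the result
    of verifying the XML signature against cfg["idp_cert_pem"] (done by an XML-DSig
    library in a real SP; passed in here so the example runs offline)."""
    if not signature_ok:
        raise ValueError("signature does not verify against the configured IdP certificate")
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(response_xml)
    if root.tag != f'{{{NS["samlp"]}}}Response':
        raise ValueError("not a samlp:Response")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["idp_issuer_id"]:
        raise ValueError("issuer does not match the configured IssuerId")
    if root.get("Destination") != cfg["acs_url"]:
        raise ValueError("Destination is not this SP's ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        raise ValueError("IdP did not report Success")
    # IdP-initiated case: no request was ever sent, so there is no InResponseTo. Signature,
    # issuer and destination all look right, yet nothing binds the response to a login
    # this SP started, so a stolen copy is indistinguishable from a genuine one.
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        raise ValueError("unsolicited (IdP-initiated) response rejected")
    expiry = PENDING_REQUESTS.pop(in_response_to, None)  # one-time use: a replay fails here
    if expiry is None or now > expiry:
        raise ValueError("InResponseTo does not match a live request this SP issued")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != cfg["issuer"]:
        raise ValueError("assertion audience is not this SP's Entity ID")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def rejection_reason(cfg: dict, response_xml: str, signature_ok: bool = True) -> Optional[str]:
    """Why validate_response rejects the response, or None if it is accepted."""
    try:
        validate_response(cfg, response_xml, signature_ok)
        return None
    except ValueError as err:
        return str(err)


def make_response(cfg: dict, in_response_to: Optional[str], name_id: str) -> str:
    """Constructed sample samlp:Response (unsigned) for the demo; a real IdP signs it."""
    now = datetime.now(timezone.utc)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{now.strftime(TS)}" '
            f'Destination="{cfg["acs_url"]}"{irt}>'
            f'<saml:Issuer>{cfg["idp_issuer_id"]}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'<saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{now.strftime(TS)}">'
            f'<saml:Issuer>{cfg["idp_issuer_id"]}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{(now - timedelta(minutes=1)).strftime(TS)}" '
            f'NotOnOrAfter="{(now + timedelta(minutes=5)).strftime(TS)}">'
            f'<saml:AudienceRestriction><saml:Audience>{cfg["issuer"]}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    rid, url = build_authn_request(SP_CONFIG)
    good = make_response(SP_CONFIG, rid, "alice@example.test")
    print("accepted:", validate_response(SP_CONFIG, good, True))
    print("replay:", rejection_reason(SP_CONFIG, good))
    print("idp-initiated:", rejection_reason(SP_CONFIG, make_response(SP_CONFIG, None, "alice@example.test")))
```

The IdP-initiated response in the demo passes the issuer, destination, status, validity-window and audience checks and would pass signature verification too; the only check it fails is the request binding, which is exactly the check an IdP-initiated flow cannot provide.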

For more information about the risks of using IdP-initiated SAML, please see the following articles:
