Rapid7 SAML Integration Guide
Prerequisites
- Platform Administrator access to your Rapid7 organization
- A SplitSecure Identity Provider created and approved
- Access to the Rapid7 Command Platform Administration settings
- A separate browser or browser profile with SplitSecure configured (for testing)
Rapid7 Configuration
SSO is the recommended way to sign in to your Platform solutions and the Customer Portal. Be aware, however, that once a user signs in via SSO for the first time, that user can no longer sign in to the Command Platform with a standard email and password. If you later turn off SSO, every SSO user loses the ability to sign in to the Command Platform. We strongly recommend that you retain at least one local Platform Administrator account that has never signed in via SSO, so that you can still reach your Command Platform account to configure or troubleshoot SSO if your identity provider is unavailable.
1 Access SSO Settings in the Command Platform
- From the left menu of the Rapid7 Command Platform Home page, click the Administration link (gear symbol)
- In the left menu of the Administration page, click Authentication Settings
- Click the SSO Settings tab in the Authentication Settings section
- Click the Set up SSO button
2 Configure your SSO IdP
Fill in the form as follows:
Under Select Identity Provider (IdP), select Other.
Under Add your IdP Certificate, upload the IdP signing certificate, which you can download from SplitSecure at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Certificate (.pem).
Under Copy the Following Data Into your External IdP, note the Relay State value; you will need it when configuring the Secure Account in SplitSecure later.
Under Provide the Required Fields From your IdP, enter the values shown in SplitSecure at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details, mapped as follows:
| Rapid7 Field | SplitSecure Details page |
|---|---|
| Entity ID | SAML IdP Entity ID |
| Single Sign-On Service URL | SSO URL (POST) |
Under Default Access Profile, select the access profile that is assigned automatically to a user the first time they sign in via SSO. This profile determines their initial permissions in the Rapid7 platform, so choose the least-privileged profile that new SSO users actually need.
IdP Group Synchronization (Optional)
Rapid7 supports IdP group synchronization, which assigns users to Rapid7 groups automatically based on the group attribute in the SAML assertion. To use it:
- Create the required groups in Rapid7 first
- Enable IdP Group Synchronization in the SSO Settings
SplitSecure supports IdP group synchronization with Rapid7. Groups named in the assertion that SplitSecure sends at authentication are added to the user, and groups not named in the assertion are removed from the user, so group membership in Rapid7 follows your identity provider. Synchronization does not create groups, which is why the groups must already exist in Rapid7.
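The reconciliation described above, written out as an added example so the add/remove semantics are unambiguous. This is illustrative code, not Rapid7's or SplitSecure's implementation: the attribute name `groups`, the group names, the user and the SAML Response below are all constructed, and the attribute name your IdP actually sends may differ.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used by a Response/Assertion.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample Response (signature omitted) carrying a "groups" attribute
# with three values, one of which has not been created in Rapid7.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>SOC-Analysts</saml:AttributeValue>
        <saml:AttributeValue>Vuln-Mgmt</saml:AttributeValue>
        <saml:AttributeValue>Not-In-Rapid7</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_groups(response_xml: str, attr_name: str = "groups") -> set[str]:
    """Return the set of group names carried by the named SAML attribute.

    Only AttributeValue elements with non-blank text count; an assertion
    without the attribute yields an empty set, which (per the sync rules)
    would strip the user of every synchronized group.
    """
    root = ET.fromstring(response_xml)
    groups: set[str] = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return groups


def plan_group_sync(current: set[str], asserted: set[str], existing: set[str]) -> dict:
    """Compute the membership changes IdP group synchronization would apply.

    current  - groups the user is in right now in Rapid7
    asserted - groups named in the SAML assertion
    existing - groups that have been created in Rapid7 (sync never creates groups)

    add     : asserted groups that exist in Rapid7 and the user is not yet in
    remove  : current groups absent from the assertion
    unknown : asserted groups that were never created in Rapid7 (create them first)
    """
    return {
        "add": sorted((asserted & existing) - current),
        "remove": sorted(current - asserted),
        "unknown": sorted(asserted - existing),
    }


if __name__ == "__main__":
    asserted = assertion_groups(SAMPLE_RESPONSE)
    plan = plan_group_sync(
        current={"Vuln-Mgmt", "Legacy-Readers"},
        asserted=asserted,
        existing={"SOC-Analysts", "Vuln-Mgmt", "Legacy-Readers"},
    )
    print(plan)
```

Running the sample yields `add: ['SOC-Analysts']`, `remove: ['Legacy-Readers']` and `unknown: ['Not-In-Rapid7']`. The `unknown` list is the thing to check when memberships appear not to sync: a group name that the IdP sends but that was never created in Rapid7 is silently not assigned.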
3 Save Configuration
Click Submit and turn on SSO to complete the Rapid7 SSO configuration.
4 Download Metadata File
- At the top right corner of the Single Sign-On (SSO) Settings card click Download
- The downloaded file is named metadata.txt even though its content is XML (a SAML 2.0 EntityDescriptor for the Rapid7 service provider). Rename it with the .xml extension before uploading it to SplitSecure
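Before uploading the renamed file, it is worth confirming that it really is service-provider metadata and reading off the values SplitSecure will use. The following added example (not Rapid7's or SplitSecure's code) parses a constructed SP metadata document of the kind the download produces, extracts the SP entity ID and HTTP-POST AssertionConsumerService URL, flags any non-HTTPS ACS endpoint, and performs the .txt to .xml rename only after the content has parsed. The entity ID and URLs in the sample are placeholders, not Rapid7's real values.

```python
from __future__ import annotations

import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of SP metadata; real Rapid7 metadata carries its own
# entityID, ACS URL and possibly a signing/encryption KeyDescriptor.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Validate SP metadata and return the fields an IdP needs from it.

    Raises ValueError if the document is not an EntityDescriptor, has no
    SPSSODescriptor (e.g. someone exported IdP metadata by mistake), or has
    no HTTP-POST AssertionConsumerService.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs_urls = [
        e.get("Location", "")
        for e in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
        if e.get("Binding") == POST_BINDING
    ]
    if not acs_urls:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    return {
        "entity_id": root.get("entityID", ""),
        "acs_urls": acs_urls,
        # The SP asks for signed assertions; SplitSecure must sign them.
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        # An ACS reached over plain HTTP would expose the bearer assertion.
        "insecure_acs": [u for u in acs_urls if urlparse(u).scheme != "https"],
    }


def prepare_metadata_file(path: Path) -> Path:
    """Parse the downloaded file and, if it is named .txt, rename it to .xml.

    The rename happens only after parsing succeeds, so a broken download is
    never handed to the upload step under a misleading extension.
    """
    parse_sp_metadata(path.read_text(encoding="utf-8"))
    if path.suffix.lower() == ".txt":
        target = path.with_suffix(".xml")
        path.rename(target)
        return target
    return path


def demo_rename() -> dict:
    """Write the sample as metadata.txt in a temp dir and run the rename."""
    workdir = Path(tempfile.mkdtemp())
    original = workdir / "metadata.txt"
    original.write_text(SAMPLE_METADATA, encoding="utf-8")
    renamed = prepare_metadata_file(original)
    return {"renamed_to": renamed.name, "original_remains": original.exists()}


if __name__ == "__main__":
    print(parse_sp_metadata(SAMPLE_METADATA))
    print(demo_rename())
```

The `entity_id` and `acs_urls` values are what SplitSecure reads from the uploaded metadata; if a later "Relay State" or redirect error appears, compare these against what the Secure Account shows. A non-empty `insecure_acs` list or `want_assertions_signed` being false is a reason to stop and question the export rather than proceed.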
SplitSecure Configuration
1 Create a Secure Account
- In SplitSecure, navigate to Secure Accounts → Create Account
- Select Rapid7 (or Generic SAML if Rapid7 is not listed)
- Enter a name for the account (e.g., Rapid7 Secure Account)
- Select your Identity Provider
- Upload the metadata XML file downloaded from Rapid7
- Enter the Relay State value copied from Rapid7
- Click Create Account
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
If a user does not exist in Rapid7, they will be automatically created upon their first SSO login. The user will be assigned the Default Access Profile configured during setup.
Do not test SSO authentication with your backup local Platform Administrator account. Once a user signs in via SSO for the first time, they will no longer be able to use the Command Platform sign-in using a standard email and password combination. Use a different user account for testing to preserve your emergency access.
1 SP-Initiated SSO (User starts at Rapid7)
- Navigate to https://insight.rapid7.com
- Click Sign in with SSO or enter your organization’s SSO domain
- You will be redirected to SplitSecure
- Authenticate with your SplitSecure credentials
- You should be redirected back to Rapid7, logged in
2 IdP-Initiated SSO (User starts at SplitSecure)
- Navigate to SplitSecure
- Go to Secure Accounts
- Click on your Rapid7 Secure Account
- Click Authenticate or Launch
- You should be logged directly into Rapid7
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| User cannot authenticate | User doesn’t exist and auto-provisioning disabled | Enable auto-provisioning or create user manually in Rapid7 |
| Certificate error | Certificate mismatch or expiration | Re-download the certificate from SplitSecure and update in Rapid7 |
| Relay State error | Relay State value mismatch | Verify the Relay State value matches exactly between Rapid7 and SplitSecure |
| User assigned wrong access profile | Default Access Profile misconfigured | Update the Default Access Profile in Rapid7 SSO settings |
| Group memberships not syncing | IdP Group Synchronization not enabled | Enable IdP Group Synchronization and ensure groups exist in Rapid7 first |
| Locked out after SSO misconfiguration | No local Platform Administrator retained | Contact Rapid7 support; always retain at least one local admin account |
External Resources
- Single Sign-On Documentation — SSO setup and configuration
- Platform Administration — Platform administration settings
- User Management — User provisioning and permissions
- Group Management — RBAC group configuration