Table of Contents
Summary
SSO simplifies user access management for your Whistic account. We support SAML2 and common IDPs like Okta, Google, Microsoft, Azure AD, and more.
Supported Features:
- SP-Initiated SSO
- SAML2 protocol
- Just-in-Time (JIT) provisioning
Requirements:
- Must be completed by a Whistic Admin
- Organization metadata file
- Choice of role management (Whistic or IDP controlled)
🔧 Self-Serve SSO Setup Steps
Before You Begin:
- Obtain your organization's metadata file
- Choose role source: Whistic-controlled (recommended for smaller teams) or IDP-controlled (recommended for larger teams)
Setup Process:
-
Navigate to
in the top right and select Company Settings
- Scroll down to Single Sign-On Settings
- Paste your metadata file content in the box
-
Select your role source (Whistic or IDP)
- Important: Setting role source to IDP before configuring roles in your IDP can lock users out
- We recommend to not make SSO 'Required' until after a successful user login has taken place
- Click Submit
Generated Links for IT Team:
After setup, provide these links to your IT team:
These links will be generated on the right-hand side directly where you set up SSO.
-
SP Entity ID:
https://auth.whistic.com/auth/realms/yourcompany -
ACS / SSO URL:
https://auth.whistic.com/auth/realms/yourcompany/broker/saml/endpoint -
Metadata:
https://auth.whistic.com/auth/realms/yourcompany/broker/saml/endpoint/descriptor -
Login URL:
https://yourcompany.whistic.com/v2/console/dashboard- Generally, this will need to be added to a field or secondary app that users start each login session with (required).
SSO Required
If you have recently set up SSO or wish to make it required, you can toggle SSO required from the Setup page. Test thoroughly before toggling on "SSO Required" to prevent user lockouts.
Failure to test before enabling SSO requirements will result in users being blocked and unable to authenticate.
Changes to Your SSO Setup
If you wish to make any of the following changes to your SSO setup, please review the following article: (How to Make Updates to your SSO) and contact Whistic Support ((support@whistic.com) where needed:
- Update Role Source
- Update X509 Certificate
- Update Identity Provider
- Delete Setup and Try Again
👥 Role Management Options
Whistic-Controlled Roles
Manage users directly from Whistic User Management.
If you have Whistic-controlled roles and want to enable mandatory SSO, please ensure default roles are set for new users. For details and setup steps, see Sign Up Approval Mode (Default Role configuration) by clicking HERE.
Requirements:
- Basic SSO setup completion with Whistic-controlled roles.
- 'SSO Required' must be enabled.
- Whistic Admin user has access to configure the steps below.
Default Role Setup:
- Go to Settings > Company Settings
- Under Sign Up Approval Mode, check "Allow email addresses from these domains"
- Add approved email domains
-
Define default roles for new users. [Note: This will
not impact existing users]
Role definitions can be found by clicking HERE.
Adding New Users:
- Provision a user within your IDP first
- User visits the company bookmark link to auto-create an account
- Admin adjusts permissions in Whistic User Management if needed
- Default Roles are set up (Sign-Up Approval Modes)
After setting up these two items, new users can visit your bookmark link (companyname.whistic.com) to create their account upon authentication. To change user permissions, a Whistic admin must update them from User Management.
IDP-Controlled Roles
Manage roles through your Identity Provider (recommended for 20+ users).
Requirements:
- Complete basic SSO setup with IDP-controlled roles
- Ensure current users are set as "Managed" and "Activated" in User Management
- Collaborate with SSO Admin for role configuration
SAML Attributes Required:
- emailAddress, firstName, lastName, title, username (must match email)
- Role attribute values can be found HERE and must match exactly (case-sensitive).
- The group name must also match the role attribute, or the permissions will not be passed to Whistic.
Example:
Here are a few User Permission Examples for SSO:
- Admin Permission Assignment/Group = SSO Attribute Value: WhisticAdmin
- Request Questionnaires Permission Assignment/Group = SSO Attribute Value: WhisticRequestQuestionnaires
🔐 User Privileges & SSO Attribute Values
Click any privilege to jump to our permissions guide, which will explain the use case and access details.
| Privileges (Permissions) | SSO Attribute Values |
|---|---|
| Admin (Manager) | WhisticAdmin |
| Access Score Builder (Assessment Adjuster) | WhisticScoreBuilder |
| Request Questionnaires (Assessment Requester) | WhisticRequestQuestionnaires |
| Read Self-Assessment / Whistic Trust Center (Read Only Self Assessment) | WhisticReadSelfAssessment |
| Send Self-Assessment / Whistic Trust Center (Assessment Sender) | WhisticSendSelfAssessment |
| Answer Self-Assessment / Edit Whistic Trust Center (Assessment Respondent) | WhisticAnswerSelfAssessment |
| View Vendor Assessments (Assessment Viewer) | WhisticViewVendorAssessment |
| Review Vendor Assessments (Vendor Assessment Reviewer) | WhisticReviewVendorAssessment |
| Add Vendors / Create Vendors (Add Vendor) | WhisticAddVendors |
| Edit Vendors | WhisticEditVendors |
| Run Reports | WhisticRunReports |
| Override Non-Disclosure Agreement (Override NDA) | WhisticOverrideNDA |
| View Documents | WhisticViewDocuments |
| View Vendors (Read Only Vendor Catalog) | WhisticReadVendorCatalog |
| Knowledge Base / AI | WhisticKnowledgeBaseAndAI |
➕ Adding New Users
In User Management, the Add User button is greyed out if SSO is required. New users can access Whistic in two easy steps:
- Provisioned through the IDP (by your SSO admin)
-
User visits the company bookmark link to create an account.
Additional Details
-
Testing
-
We do not currently offer sandbox/test configurations; only production / live setups.
- When testing user access, do not archive them. Simply make your changes, have the user log in, and then have a Whistic Admin confirm that the changes have been applied in User Management.
-
We do not currently offer sandbox/test configurations; only production / live setups.
-
MFA/2FA
- This is done on your side.
- Individual Whistic user non-SSO MFA/2FA configurations are invalid once SSO is required.
-
Unsupported
- IDP-Initiated Configurations
- SCIM
- SAML IDP groups for managing user permissions
- Logout Redirects
-
Deprovisioning (directly)
- Inactivating, archiving, etc. De-provisioning.
App Logo
If you'd like a thumbnail image for your app thumbnail, you can right-click and save the one below:
❓ FAQ
Setup & Configuration
Questions about initial setup, metadata, and technical requirements
What is SSO XML metadata?
- See the "Identity provider metadata" example here.
What happens if I make changes that affect my metadata?
- Contact Whistic Support or your CSM with a new metadata file. This includes SSO certificate expirations.
Why is a second Okta Bookmark app required and how do I make one?
- Required because we only support SP-initiated sessions. See Okta's guide for creating bookmark apps here.
Does Whistic support Just in Time (JIT) Provisioning?
- Yes. New users are created automatically when using the SSO login link. Previously inactivated/archived users won't be re-provisioned automatically.
User Management & Roles
All questions about managing users, permissions, and role assignments
Do I need to make users Managed?
- Yes. See Unmanaged Users documentation for details.
Why can't I edit in User Management anymore?
- Your team chose IDP-controlled roles. Contact our team for manual changes as needed.
Will default roles apply to old users?
- No, only to new SSO users. Edit existing users manually.
Why are my attribute roles not working?
- Some platforms require roles to be connected with the app. In Okta, validate any role starting with "Whistic" as required for the app (Group Attributes).
Can user groups be submitted via SAML and mapped to roles within Whistic?
- Not currently supported.
Can I use a custom attribute name (like "Roles") instead of "Role" to send permissions?
-
Yes. Whistic matches on attribute values
(like
WhisticAdmin,WhisticRunReports, etc.) rather than the attribute name itself. Your SAML assertion can useRole,Roles,AppRoles, or any other attribute name — as long as the correct values are present, permissions will be assigned correctly. -
This is especially relevant for
Entra ID / Azure AD customers who need
to send multiple roles. Entra ID supports sending an
array of roles more easily using the
Rolesattribute. To send multiple roles, structure your assertion like this:<Attribute Name="Roles"> <AttributeValue>WhisticAdmin</AttributeValue> <AttributeValue>WhisticRunReports</AttributeValue> </Attribute>
- After making this change, we recommend capturing a SAML trace to confirm all role values are being picked up correctly.
SSO Requirements & Limitations
Policy questions about who SSO affects and configuration options
Can SSO be optional for some users?
- No, SSO configurations apply to all company users.
Can requests from other companies be blocked?
- Yes, all company users must meet SSO requirements with no exceptions.
Can I turn off SSO Required after it's enabled?
Yes, but note these effects:
- Users can create limited/unmanaged accounts without SSO
- Default roles may not apply
- Login redirects disabled for SSO users
- New SSO users see extra pages (first time only)
Multiple Instances & IDPs
Questions about connecting multiple systems
Can I connect more than one IDP to my Whistic instance?
- No, but you can make SSO optional to allow both SSO and password login.
Can I connect more than one Whistic instance to my IDP?
- Yes, with unique metadata for each instance.
Troubleshooting
Error messages, login issues, and problem resolution
Why am I getting update account or registration pages?
- Either SSO Required is disabled or attributes aren't being passed correctly. Check attribute mapping configuration.
Why am I being redirected to a non-SSO login page after signing in through SSO
Workaround options:
- Log in with old password once, then toggle to SSO company here
- Contact our team for guidance
- Grant us permission to access and fix the account
- Request dev team to change default login company
Why am I getting errors?
- 403: User not granted access by SSO Admin
- 404 (invalidFederatedIdentityAction): Expired/invalid certification – provide updated metadata
- 500 Internal Server: Bookmark link not used, attribute mapping mismatch, or incorrect IDP application of Whistic links
- "Account already exists": Username doesn't match email. Contact us or configure Application Username Format to Email.