1Kosmos integrates with Thycotic Secret Server as a SAML 2.0 identity provider, adding biometric passwordless authentication to privileged credential vault login.
Integration type
SSO
Updated
Overview
Thycotic Secret Server (now part of Delinea) is a privileged access management vault for enterprise credentials. It supports SAML 2.0 authentication, allowing stronger authentication at the PAM layer. 1Kosmos integrates as the SAML identity provider, requiring biometric verification before users access vaulted credentials and privileged sessions.
Secret Server's SAML configuration is accessed through the Admin Console under Configuration → SAML. The configuration requires uploading the 1Kosmos IdP metadata file and generating a server-side certificate that 1Kosmos uses to validate SAML requests. The SP ACS URL for Secret Server follows the pattern https://[hostname]/SecretServer/SAML/AssertionConsumerService.aspx. Secret Server provides a fallback local login URL for administrators in case SSO is misconfigured.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Thycotic Secret Server administrator access: Admin access with the Administer Configuration SAML role permission assigned. Without this role, the SAML configuration section will not be accessible.
User accounts in Secret Server: Users must exist in Secret Server (locally or via LDAP sync) before they can authenticate via SSO. SAML authentication links to existing user records by username or email.
1Kosmos mobile app installed: Users must have the app on iOS or Android with biometrics enrolled before testing.
Configuration values
Values to collect from 1Kosmos AdminX (IdP) for Secret Server:
| Field | Where to find it |
|---|---|
| SAML Metadata XML file | AdminX → Settings → IdP Configuration → Metadata URL (download XML) |
| SSO URL | AdminX → Settings → IdP Configuration → Single SignOn Service URL |
| IdP Entity ID | AdminX → Settings → IdP Configuration → Core Configuration |
| Signing Certificate (PEM) | AdminX → Settings → IdP Configuration → View Certificate → Public Key |
Secret Server SP values to enter in AdminX:
| Field | Pattern |
|---|---|
| ACS URL | https://[hostname]/SecretServer/SAML/AssertionConsumerService.aspx |
| SP Entity ID | Configured in the Secret Server saml.config file (typically a URN or the hostname URL) |
Integration steps
Step 1: Generate a SAML certificate in Secret Server
Log in to Secret Server as an administrator and navigate to Admin → Configuration → SAML.
Enable SAML by checking the Enable SAML SSO checkbox.
In the SAML Service Provider Settings section, generate or upload an X.509 certificate. This certificate is used by 1Kosmos to verify SAML requests from Secret Server. Download the certificate for use in AdminX if required.
Note the Service Provider Entity ID configured here. This value goes into the saml.config file on the Secret Server host.
Step 2: Create a new Identity Provider in Secret Server
Still on the Admin → Configuration → SAML page, click Create New Identity Provider.
Upload the 1Kosmos SAML metadata XML file. The system parses the metadata and populates the endpoint URLs and certificate automatically.
Click Save. Note the local login URL displayed at the bottom of the SAML page — this is the bypass URL for administrators if SAML is misconfigured.
Step 3: Add Secret Server as a SAML application in AdminX
Log in to the AdminX portal and navigate to Applications → Add Application.
Select SAML 2.0 Generic and click Add integration. Enter "Secret Server" as the Application Name and your Secret Server URL as the Application Access URL.
Set NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and NameID Value to email. Add claims for email and username. Enable Assertion signing. Enter the Secret Server ACS URL and SP Entity ID. Click Save.
Step 4: Test the integration
Navigate to your Secret Server URL. Click the SSO login option. You are redirected to 1Kosmos for biometric authentication.
Authenticate using the 1Kosmos mobile app and confirm you are logged in to Secret Server with the appropriate role and access entitlements.
Verify that the local login fallback URL still works for administrator bypass access before enforcing SSO for all users.
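As an added example (not code from 1Kosmos or Delinea), the Python below does what Step 2 and Step 4 depend on: it pulls the Entity ID, SSO URL and signing certificate out of an IdP metadata XML file, and checks a SAML Response against the SP values entered in Secret Server (ACS URL, SP Entity ID, emailAddress NameID, signed assertion). All hostnames, the certificate and both sample messages are constructed placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample IdP metadata (hostnames and the certificate are placeholders, not real values).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>"""
# Constructed sample SAML Response as the Secret Server ACS endpoint would receive it (empty Signature element).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://vault.example.com/SecretServer/SAML/AssertionConsumerService.aspx">
 <saml:Assertion><ds:Signature/><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>urn:secretserver:vault.example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def parse_idp_metadata(xml_text):
    """Pull the IdP Entity ID, SSO URL and signing certificate that Secret Server reads from the metadata XML."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']", NS).find(".//ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
            "signing_cert": "".join(cert.text.split())}

def check_response(xml_text, acs_url, sp_entity_id):
    """Return the mismatches between a SAML Response and the SP values configured in Secret Server.
    Only the presence of ds:Signature is checked here; a SAML library must verify the signature itself."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:
        problems.append("Destination does not match the Secret Server ACS URL")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is missing or unsigned (enable Assertion signing in AdminX)")
        return problems
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != sp_entity_id:
        problems.append("Audience does not match the SP Entity ID from saml.config")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress, so it will not map to a Secret Server user")
    return problems
```

Running check_response against a Response captured from the browser (after base64-decoding it) during the Step 4 test turns a vague "SSO login fails" into a specific mismatch with the ACS URL, SP Entity ID or NameID format.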
Attribute mappings
| Source (1Kosmos) | Target (Secret Server) | Description |
|---|---|---|
| user.email | NameID (emailAddress) | Must match the Secret Server user's username or email |
Integration notes
Thycotic Secret Server merged with Centrify in 2021 to form Delinea. The product continues to operate as Delinea Secret Server.
The SAML configuration path and SP values described here apply to both Thycotic-branded and Delinea-branded deployments. Secret Server Cloud (SaaS) and on-premises Secret Server both support SAML SSO, but the configuration screens may differ slightly between versions.
Refer to the Delinea documentation at docs.delinea.com for version-specific configuration details if your screen layout differs from what is described here.
