MISP SSO Login: A Basic Guide (2025)

If you’ve worked with cyber threat intelligence (CTI) for any length of time, you’ve probably run into one or both of the MISP and STIX data formats.

Both are popular open source machine-readable (JSON) standards for sharing threat intelligence in a structured format.

Look under the hood for even a moment, though, and you’ll find that while their aims are similar, they approach the problem of describing cyber threats in significantly different ways.

Published Oct 29, 2025.

MISP Just Got Better: Why the New Hybrid Login is a Hidden Win for Security Operations

The Malware Information Sharing Platform (MISP) is the backbone of threat intelligence for countless organizations. It's a critical tool, and the devil is often in the details—or in this case, a small, yet powerful, change to how you log in.

A recent quality-of-life improvement, introduced in MISP v2.5.11 and enhanced in v2.5.12, has fundamentally streamlined how security teams manage authentication. The feature? The ability to use both local logins and Single Sign-On (SSO) simultaneously.

The SSO Security Tug-of-War (The 'Before')

Before this update, organizations faced a classic security dilemma when implementing MISP: authentication was an all-or-nothing proposition.

To enforce modern security best practices like multi-factor authentication (MFA) and centralized access control across the organization, many teams needed to enable SSO. Protocols like SAML or OpenID Connect integrate MISP with corporate identity providers (like Azure AD or Okta).

The problem was that once SSO was enabled, the native local login mechanism was typically disabled.

This created immediate operational headaches for accounts that don't fit the standard employee model:

  • Service Accounts. Automated scripts, threat hunting tools, and other integrations need dedicated, non-human accounts to fetch or push IOCs (Indicators of Compromise). These are best managed as local accounts with API keys.
  • Shared Admin Accounts. While not ideal, some necessary administrative tasks or crisis response scenarios rely on specific, internal-only accounts.
  • Fallback Access. It is a security best practice to always have an emergency, non-SSO admin account in case the identity provider itself fails.

Losing local access forced teams to use cumbersome workarounds, compromising either security compliance or operational efficiency.

The Hybrid Solution: Flexibility Without Compromise (The 'Now')

The introduction of hybrid local and SSO login changes the game entirely. With the release of MISP v2.5.11 and v2.5.12, organizations can now:

  1. Maintain SSO for all regular human users, ensuring compliance with corporate identity and access management policies.
  2. Keep Local Login Active for necessary service accounts, integration points, and emergency administrator accounts.

This small but mighty enhancement offers immediate practical benefits:

  • Simplified Automation. Teams can now cleanly create and manage API-enabled service accounts that are completely separate from the corporate SSO flow, dramatically simplifying automation pipelines.
  • Enhanced Resilience. A local, highly secured fallback account can remain active, providing critical access during an identity provider outage.
  • Clearer Governance. The separation between human and non-human accounts becomes clearer, making audit and governance processes more straightforward.

This is a true quality-of-life improvement for security operations, saving countless hours of frustration and unnecessary complexity for the people using MISP every day. It's a testament to the MISP community's commitment to listening to user needs and continually making the platform more robust and easier to manage.