
Cyware Situational Awareness Platform

Manage Member Portal Authentication

Collaborate Admins can directly configure the preferred authentication method for the users of the Member Portal.

Configure Username and Password as the Authentication Method

By default, the application provides the Username/Password authentication method for the users to sign in using their email ID and password. This authentication method requires users to provide a valid email ID and password combination as configured in User Management to sign in to the application.

To configure the Username/Password authentication method, do the following:

  1. Go to Administration > Integrations > Authentication Method > Member Portal > Username/Password and click Edit.

  2. Enter the following details:

    • Multi-Factor Authentication: Enable this option to require a One-Time Password (OTP) in addition to the username and password. Multi-factor authentication adds a second factor, so a guessed, phished, or reused password alone is not enough to sign in. Select one or more of the following multi-factor authentication types:

      • Email: Requires an OTP sent to the user's email ID.

      • SMS: Requires an SMS service to be configured. See Configure SMS Services.

      • TOTP: Requires an OTP from a TOTP authenticator app such as Okta, Google Authenticator, Authy, or Microsoft Authenticator.

    • Password Link Expiry Duration: Configure a duration in hours after which the password reset link sent in the email expires automatically. Once the link has expired, members must ask an administrator to resend the password reset or application invite link. The default link expiry is 72 hours; you can configure any value from 1 hour to 168 hours.

    • OTP Expiration Time: Enter the OTP expiration time in minutes. Once expired, users must generate a new OTP. For example, 5 Minutes.

    • Password Policy: Click View Password Policy on the right and enter the following details to configure your password policy preferences:

      • Minimum Password Length: Enter the minimum number of characters that a password must include. The minimum password length should be at least 8 characters.

      • Maximum Password Length: Enter the maximum number of characters that a password can include.

      • Password Conditions: Select at least three of the following character types that must be included in the password:

        • Lowercase

        • Uppercase

        • Numbers

        • Special Characters

      • Number of Days to Reset Password After: Enter the number of days after the last password change at which users must set a new password. The application prompts users to change their password once this interval has elapsed. This value must be at least 2 days.

      • Number of Days Before to Remind Reset Password: Enter the number of days before the password expires on which users are notified of the upcoming expiry. Users receive an email notification asking them to reset their password. This value must be at least 1 day.

      • Password Reuse Interval: Enter the number of subsequent password changes after which a previously used password may be reused. Until that many newer passwords have been set, the old password is rejected.

        Click Add Password Policy to save the configurations.

  3. Click Save.
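The password policy fields above describe rules rather than code. The following is an added example, not Cyware's code, of a checker that applies those rules: the 8-character minimum, three of the four character types, the reuse interval, and the reset and reminder intervals. The default policy values other than the page's stated lower bounds (maximum length, 90-day reset, 7-day reminder, reuse interval of 5) and the sample passwords are assumptions for illustration.

```python
"""Password-policy checker matching the rules in the Username/Password settings.
Added example, not Cyware code. Policy values other than the page's stated
minimums (8-character minimum, three of four character types, at least 2 days
to reset, at least 1 day of reminder) are assumed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class PasswordPolicy:
    min_length: int = 8          # page: must be at least 8
    max_length: int = 64         # assumed
    required_classes: int = 3    # page: at least three of the four character types
    reset_after_days: int = 90   # assumed; page: at least 2
    remind_before_days: int = 7  # assumed; page: at least 1
    reuse_interval: int = 5      # assumed: how many previous passwords may not be reused

    def __post_init__(self) -> None:
        # Reject policies weaker than the lower bounds the settings page enforces.
        if self.min_length < 8:
            raise ValueError("Minimum Password Length must be at least 8")
        if self.max_length < self.min_length:
            raise ValueError("Maximum Password Length must not be below the minimum")
        if not 3 <= self.required_classes <= 4:
            raise ValueError("Password Conditions must require three or four character types")
        if self.reset_after_days < 2:
            raise ValueError("Number of Days to Reset Password After must be at least 2")
        if self.remind_before_days < 1:
            raise ValueError("Number of Days Before to Remind Reset Password must be at least 1")


def history_digest(password: str) -> str:
    """Digest kept in the reuse history. Illustration only: a real store must use
    a salted, slow password hash (argon2id, bcrypt or scrypt), never plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> set:
    """Which of the four configurable character types the password contains."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("Lowercase")
        elif ch.isupper():
            classes.add("Uppercase")
        elif ch.isdigit():
            classes.add("Numbers")
        elif not ch.isspace():
            classes.add("Special Characters")  # any other non-blank character
    return classes


def validate_new_password(policy: PasswordPolicy, password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.
    `history` holds digests of earlier passwords, oldest first."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    found = character_classes(password)
    if len(found) < policy.required_classes:
        problems.append(f"uses {len(found)} character types, needs {policy.required_classes}")
    # A reuse interval of N blocks the N most recent passwords. Guard N == 0:
    # in Python, history[-0:] is the whole list, which would block everything.
    blocked = history[-policy.reuse_interval:] if policy.reuse_interval > 0 else []
    if history_digest(password) in blocked:
        problems.append(f"reused within the last {policy.reuse_interval} passwords")
    return problems


def expiry_status(policy: PasswordPolicy, last_changed: date, today: date) -> str:
    """'expired' once the reset interval has elapsed, 'remind' inside the
    reminder window before that, otherwise 'ok'."""
    expires_on = last_changed + timedelta(days=policy.reset_after_days)
    if today >= expires_on:
        return "expired"
    if today >= expires_on - timedelta(days=policy.remind_before_days):
        return "remind"
    return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(validate_new_password(policy, "Tr0ub4dor&3", []))   # accepted: []
    print(validate_new_password(policy, "alllowercase", []))  # one violation
```

The reuse check is where a naive implementation usually goes wrong: with a reuse interval of 0 a Python slice of `history[-0:]` returns the entire history and silently blocks every previous password, so the interval is guarded explicitly.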

Configure Google Sign-In as the Authentication Method

You can use Google Sign-In to authenticate users to the application. In this mode, users sign in to the application with their Google account credentials.

Before you Start 

To sign in using the Google sign-in authentication method, ensure that the email ID of the Google account and the email ID of the user account entered in User Management are exactly the same. For more information about adding users, see Onboard Privileged Users.

Steps 

To configure the Google Sign-In authentication method, follow these steps:

  1. Go to Administration > Integrations > Authentication Methods > Username/Password and click Edit. Google Sign-In is enabled from within the Username/Password configuration.

  2. Enable Google Sign-In and enter the Client ID and Client Secret of the OAuth 2.0 client created for this application in Google Cloud Platform. Treat the Client Secret as a credential: store it only in this configuration and rotate it in Google Cloud Platform if it is ever exposed.

  3. Click Save.

After you configure and activate the Google Sign-in authentication method, users will see an option to log in using Google Sign-in on the login page.

Configure LDAP as the Authentication Method

You can use the Lightweight Directory Access Protocol (LDAP) directory services to authenticate users to access Cyware applications. This authentication method requires users to provide a valid username and password combination as configured in the LDAP directory to sign in to the application.

Note

Users with active accounts in User Management can sign in using their LDAP credentials. For more information, see Onboard Privileged Users.

Before you Start 

Ensure that the application servers have active network connectivity with the LDAP server.

Steps 

To configure the LDAP authentication method, do the following:

  1. Go to Administration > Integrations > Authentication Methods.

  2. Select LDAP and click Edit. Enter the following details:

    • Domain Name: Enter the domain name of the LDAP directory. For example, lab.cyware.com.

    • Server IP/Domain: Enter the IP address or hostname of the LDAP server. For example, 1.1.1.1.

    • Port: Enter the port on which the LDAP server accepts connections. For example, 389. By convention, 389 is the port for unencrypted LDAP and 636 is the port for LDAP over SSL/TLS (LDAPS); confirm with your LDAP admin which port matches the SSL encrypted setting below.

    • Domain Controller: Enter the LDAP domain details provided by the LDAP admin of your organization. For example, com.

    • SSL encrypted: Enable this option to encrypt the connection between the application and the LDAP server. Without it, the bind credentials and every user's password are sent to the LDAP server in cleartext and can be read by anyone on the network path.

    • Multi-Factor Authentication: Enable this option to require a One-Time Password (OTP) in addition to the LDAP username and password. Multi-factor authentication adds a second factor, so a compromised directory password alone is not enough to sign in. Select one or more of the following multi-factor authentication types:

      • Email: Requires an OTP that is sent to the email ID of the user.

      • SMS: Requires an SMS service to be configured. See Configure SMS Services.

  3. Click Save.

  4. After completing the configuration, turn on the Activate Authentication toggle to activate the LDAP authentication method. Use Test Connectivity to confirm that the application can reach the LDAP server with these settings before you activate the method.
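Test Connectivity tells you whether the server answers, not whether the settings are safe. The following is an added example, not Cyware's code, of a pre-flight review of the LDAP form values above: it flags a cleartext connection, a port that does not match the SSL encrypted setting, an IP address that a TLS certificate is unlikely to match, and MFA left off. The dictionary keys mirror the form fields, the two settings dictionaries are constructed (the first is the page's own example values, the second a hardened variant with an assumed hostname), and the checks are the editor's own.

```python
"""Pre-flight review of the LDAP settings above before activating the method.
Added example, not Cyware code; the keys mirror the form fields and the checks
are the editor's own. 389 and 636 are the IANA-registered ports for ldap:// and ldaps://."""

LDAP_PORT = 389    # cleartext LDAP (the page's example)
LDAPS_PORT = 636   # LDAP over SSL/TLS

# Constructed settings: the first uses the page's literal example values, which
# leave the connection in cleartext; the second is the same directory configured
# the way a security engineer would ship it (hostname is assumed).
WEAK_SETTINGS = {
    "domain_name": "lab.cyware.com",
    "server": "1.1.1.1",
    "port": 389,
    "ssl_encrypted": False,
    "mfa_types": [],
}
HARDENED_SETTINGS = {
    "domain_name": "lab.cyware.com",
    "server": "ldap.lab.cyware.com",   # assumed hostname matching the server certificate
    "port": 636,
    "ssl_encrypted": True,
    "mfa_types": ["Email"],
}


def ldap_url(settings: dict) -> str:
    """The URL the application would effectively connect to."""
    scheme = "ldaps" if settings.get("ssl_encrypted") else "ldap"
    return f"{scheme}://{settings['server']}:{int(settings['port'])}"


def _looks_like_ipv4(server: str) -> bool:
    parts = server.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def review_ldap_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    port = int(settings["port"])
    ssl = bool(settings.get("ssl_encrypted"))
    if not 1 <= port <= 65535:
        findings.append(f"port {port} is out of range")
    if not ssl:
        findings.append("SSL encrypted is off: simple binds send the bind password "
                        "and every user's password to the directory in cleartext")
    if ssl and port == LDAP_PORT:
        findings.append("SSL encrypted is on but port is 389; LDAPS conventionally "
                        "uses 636, confirm the port with the LDAP admin")
    if not ssl and port == LDAPS_PORT:
        findings.append("port 636 normally expects TLS but SSL encrypted is off; "
                        "the connection will fail")
    if ssl and _looks_like_ipv4(settings["server"]):
        findings.append("server is an IP address; the server certificate may not "
                        "match it, use the hostname the certificate was issued for")
    if not settings.get("mfa_types"):
        findings.append("Multi-Factor Authentication is off: a phished or reused "
                        "directory password alone signs the user in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, ldap_url(cfg), review_ldap_settings(cfg))
```

Run it against the values you are about to save; anything it reports is worth fixing before the Activate Authentication toggle goes on, because every Member Portal sign-in will then flow through this connection.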

Configure SAML 2.0 as the Authentication Method

You can enable single sign-on (SSO) using an identity provider (IdP) that supports Security Assertion Markup Language (SAML 2.0). You can use identity providers such as Okta, Google, or Azure AD to set up SAML authentication for the users. The SAML 2.0 method matches signed-in users by their email ID.

After configuring SAML 2.0 as the authentication method in Collaborate, you can set up the SAML SSO using an IdP of your choice. To configure Okta IdP as the SAML 2.0 authentication method, see Set Up SAML SSO Integration using Okta.

Before you Start 

Use the following source provider data to configure the identity provider application:

  • Assertion Consumer URL: An HTTP resource on a website that processes SAML protocol messages and returns a cookie representing the information extracted from the message. As part of the SAML process, Cyware auto-generates an Assertion Consumer Service (ACS) URL for your organization. You must copy the ACS URL using the Copy URL option and provide it to your IdP to generate metadata for your organization.

  • Entity ID: The unique identifier of the service provider, that is, of this Collaborate instance. The IdP uses it to identify which application an assertion is issued for, so the value must match exactly on both sides.

  • Certificate: The SP certificate and private key. The private key is used to create and sign the authentication request sent to the IdP, and the IdP uses the matching certificate to verify it.

  • AuthnRequest: Enable the SP-SSO initiated flow to send AuthnRequest from the Service Provider to the Identity Provider.

  • Group Attribute: You can onboard new and existing analysts and authorize them on every login using SAML IdP user groups. You can map SAML IdP user groups with Collaborate's user roles. For this mapping, you will require the group attribute name in the SAML assertion response that contains the names or IDs of user roles in the IdP. For example, the group attribute can be permission_groups in the IdP.

    The default group attribute value expected by Collaborate in the SAML assertion response is memberOf.

Once configured, download one of the following IdP metadata details:

  • Metadata XML file of the IdP

  • Certificate and SSO URL of the IdP

Steps 

To configure the SAML 2.0 authentication method in Collaborate, follow these steps:

  1. Go to Administration > Integrations > Authentication Methods.

  2. If you want to configure SAML for the Analyst Portal, select Analyst Portal. Similarly, you can configure SAML for the Member Portal.

  3. Select SAML 2.0 and click Edit. Use the following information to configure SAML 2.0 authentication:

    • To upload the IdP details, select one of the following in Identity Provider attributes:

      • Metadata XML: Upload the metadata XML file of the IdP.

      • SSO URL: Enter the SSO URL of the IdP.

      • SAML Group Mapping for Users: If you are configuring SAML for the Analyst Portal, you can configure a mapping between SAML IdP groups and the Collaborate's user role. The user role must match the IdP's group name to grant analysts the appropriate access while signing in to the Analyst Portal.

        Use the following information while mapping SAML groups:

        • Group Attribute: Enter the group attribute in the SAML assertion that contains the names or IDs of user groups on the IdP. For example, permission_groups. The user group values must be a comma-separated list.

          If the group attribute value is not set, SAML-authenticated users will be assigned to the default role. If the default user role value is None, a user entry is created in the application, but the user will not be able to access the application.

          Note

          The default group attribute value for SAML assertion is memberOf and the application expects the memberOf group attribute value in the SAML assertion response if not configured.

        • Default User Role: Select the default user role you want to use while onboarding and authorizing SAML-authenticated users.

          The default user role is None.

          The application provisions SAML-authenticated users based on the SAML group mapping in Collaborate's user roles. However, if the SAML user group and Collaborate's user role are not mapped, then the users will be created with the specified default role permissions. To create a mapping between SAML IdP user groups and Collaborate's user roles, see Role-Based Access Control.

      • Certificate: Upload the certificate of the IdP.

      • Encrypt: Enable this to encrypt the SAML 2.0 authentication process.

    • To upload the SP details in Service Provider attributes, use the following information:

      • Copy the Assertion Consumer URL and Entity ID using the Copy URL option and provide them to your IdP to generate metadata for your organization. To know more about this, see 

      • Certificate: Upload the certificate of the SP.

    • AuthnRequest: Enable this to initiate SP-SSO flow.

  4. Click Save.

  5. After completing the configuration, turn on the Activate Authentication toggle to activate this authentication method.

After you activate and configure an IdP for the SAML 2.0 authentication method, users can select SAML on the sign-in page to sign in to the application without entering the credentials.
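The Group Attribute and Default User Role settings above determine what a SAML-authenticated user can do, and the behaviour when no group maps to a role is the part most often misunderstood. The following is an added example, not Cyware's code, of that resolution logic: it reads the email from the assertion's Subject NameID, collects the configured group attribute (a comma-separated value, as the page expects, or one value per element), maps groups to roles, and falls back to the default role, where a default of None yields a user record with no access. The assertion is constructed and unsigned, and the group names, role names and ROLE_MAP are assumptions; real code verifies the assertion's XML signature and conditions before any of this runs.

```python
"""Group-attribute extraction and role resolution as described in the SAML 2.0
settings above. Added example, not Cyware code: the assertion below is
constructed (unsigned, for parsing only), and the group names, role names and
ROLE_MAP are assumptions. Real code must verify the assertion's XML signature
and its Conditions before trusting anything parsed here."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: one comma-separated memberOf value, as the page expects.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CSAP-Analysts, CSAP-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed mapping from IdP group name to Collaborate user role.
ROLE_MAP = {"CSAP-Admins": "Admin", "CSAP-Analysts": "Analyst"}


def extract_email(assertion_xml: str) -> str:
    """The method keys on the user's email, carried in the Subject NameID."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    return (name_id.text or "").strip() if name_id is not None else ""


def extract_groups(assertion_xml: str, group_attribute: str = "memberOf") -> list:
    """Values of the configured group attribute. Each value may itself be a
    comma-separated list; an IdP may also emit one value per element."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            for group in (value.text or "").split(","):
                group = group.strip()
                if group and group not in groups:
                    groups.append(group)
    return groups


def resolve_roles(groups: list, role_map: dict, default_role) -> dict:
    """Mapped groups win; otherwise the default role applies; a default of None
    means the user record is created but the user gets no access."""
    roles = list(dict.fromkeys(role_map[g] for g in groups if g in role_map))
    if roles:
        return {"roles": roles, "access": True, "via": "group mapping"}
    if default_role is None:
        return {"roles": [], "access": False, "via": "no mapping, default role None"}
    return {"roles": [default_role], "access": True, "via": "default role"}


def provision(assertion_xml: str, role_map: dict = ROLE_MAP, default_role=None,
              group_attribute: str = "memberOf") -> dict:
    """Decide the account and roles for one (already verified) assertion."""
    email = extract_email(assertion_xml)
    if not email:
        raise ValueError("assertion carries no NameID; cannot match a user by email")
    groups = extract_groups(assertion_xml, group_attribute)
    return {"email": email, "groups": groups, **resolve_roles(groups, role_map, default_role)}


if __name__ == "__main__":
    print(provision(SAMPLE_ASSERTION))
    print(provision(SAMPLE_ASSERTION, group_attribute="permission_groups"))
```

Two outcomes are worth checking in your own IdP setup: an assertion whose groups map to nothing with the default role left at None creates a user who cannot sign in, and a Group Attribute name that does not match what the IdP actually sends produces the same result for everyone, which looks like a mapping bug rather than the configuration mismatch it is.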

Configure SCIM 2.0 for Member Portal

Notice

This feature is available in Collaborate (CSAP) from v3.7.7.0 onwards.

SCIM (System for Cross-Domain Identity Management) is a standard protocol that is used to automate user provisioning across systems. In Collaborate, you can use SCIM to automate the process of creating, updating, and deactivating users, making it easier to maintain up-to-date user information in the Member Portal.

Steps 

To generate SCIM 2.0 credentials, follow these steps:

  1. Go to Administration > Integrations > Authentication Method > Member Portal.

  2. Select SAML 2.0, and click Edit.

  3. In SCIM 2.0, turn on the toggle to activate the configuration, and click Save to view the credentials.

    You can add these credentials in your identity provider (IdP) such as Okta, to enable SCIM for user provisioning. For more information, see Configure SCIM 2.0 in Okta.
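The credentials generated above are a bearer secret that lets the IdP create, update and deactivate Member Portal users without any further login, so it helps to see what the receiving side has to enforce. The following is an added example, not Cyware's code, of a minimal SCIM 2.0 service handling a User create and the PATCH an IdP such as Okta sends to deactivate a user: it checks the bearer token in constant time, accepts only the core User schema, and refuses to let the client write server-owned attributes such as id. The token, request bodies and in-memory store are constructed, and no endpoint paths from the page are assumed.

```python
"""What the Member Portal side of SCIM 2.0 provisioning must do with the
credentials generated above: check the bearer token, accept a User create, and
apply the PATCH an IdP sends to deactivate a user. Added example, not Cyware
code: the token, payloads and in-memory store are constructed, and the real
endpoint paths are not taken from the page."""
import hmac
import json
import secrets

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed token standing in for the credential shown after Save.
BEARER_TOKEN = "constructed-scim-token-do-not-reuse"
# Attributes the IdP may set; id and meta are server-owned and never writable.
MUTABLE = {"userName", "displayName", "emails", "active", "name"}
USERS = {}  # in-memory store keyed by SCIM id (stands in for the user table)

# Constructed request bodies in the shape an IdP such as Okta sends.
CREATE_BODY = json.dumps({
    "schemas": [USER_SCHEMA],
    "userName": "alice@example.com",
    "displayName": "Alice Example",
    "emails": [{"value": "alice@example.com", "primary": True}],
    "active": True,
})
# RFC 7644 allows a PatchOp operation without "path"; "value" is then an
# object whose keys are the attributes to change. Okta deactivates this way.
DEACTIVATE_BODY = json.dumps({
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "replace", "value": {"active": False}}],
})


def authorize(headers: dict) -> None:
    """Reject any request that does not carry the exact bearer token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time comparison so a wrong token is not rejected faster per byte.
    if scheme != "Bearer" or not hmac.compare_digest(token, BEARER_TOKEN):
        raise PermissionError("401 Unauthorized")


def create_user(headers: dict, body: str) -> dict:
    """POST of a User resource; returns the stored resource with a server id."""
    authorize(headers)
    payload = json.loads(body)
    if USER_SCHEMA not in payload.get("schemas", []):
        raise ValueError("400 missing core User schema")
    if not payload.get("userName"):
        raise ValueError("400 userName is required")
    if any(u["userName"] == payload["userName"] for u in USERS.values()):
        raise ValueError("409 userName already exists")
    user = {"schemas": [USER_SCHEMA], "id": secrets.token_hex(8),
            "meta": {"resourceType": "User"}}
    # Copy only known attributes; anything else the client sends is dropped.
    user.update({k: payload[k] for k in MUTABLE if k in payload})
    user.setdefault("active", True)
    USERS[user["id"]] = user
    return user


def patch_user(headers: dict, user_id: str, body: str) -> dict:
    """PATCH with a PatchOp; supports add/replace/remove on top-level attributes."""
    authorize(headers)
    patch = json.loads(body)
    if PATCH_SCHEMA not in patch.get("schemas", []):
        raise ValueError("400 not a PatchOp")
    user = USERS[user_id]
    for op in patch.get("Operations", []):
        kind, path = op.get("op", "").lower(), op.get("path")
        if kind in ("add", "replace"):
            changes = {path: op["value"]} if path else dict(op["value"])
            for attr, value in changes.items():
                if attr not in MUTABLE:
                    raise ValueError(f"400 attribute {attr!r} is not writable")
                user[attr] = value
        elif kind == "remove":
            if path not in MUTABLE or path == "userName":
                raise ValueError(f"400 cannot remove {path!r}")
            user.pop(path, None)
        else:
            raise ValueError(f"400 unsupported op {kind!r}")
    return user


if __name__ == "__main__":
    headers = {"Authorization": "Bearer " + BEARER_TOKEN}
    created = create_user(headers, CREATE_BODY)
    print(patch_user(headers, created["id"], DEACTIVATE_BODY)["active"])  # False
```

Because the IdP drives deactivation through this channel, the token is effectively an administrative credential for Member Portal accounts: keep it only in the IdP's provisioning settings, and regenerate it from the SAML 2.0 configuration if it is ever exposed.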