Configure SAML 2.0 as the Authentication Method
You can enable single sign-on (SSO) using an identity provider (IdP) that supports Security Assertion Markup Language (SAML 2.0). You can use identity providers such as Okta, Google, or Azure AD to set up SAML authentication for the users. SAML 2.0 uses the email ID of the users to authenticate.
With just-in-time (JIT) provisioning, CTIX simplifies user onboarding and eliminates the need for administrators to create user accounts manually. With single sign-on (SSO) through SAML, administrators can automatically create and authenticate users in CTIX.
To use a specific application for SAML authentication, refer to the following articles:
To configure Auth0 as the SAML 2.0 authentication method, see Set up SAML SSO using Auth0.
To configure Okta IdP as the SAML 2.0 authentication method, see Set Up SAML SSO Integration using Okta.
To configure Azure AD as the SAML 2.0 authentication method, see Set up SAML Authentication for Intel Exchange Using Microsoft Entra ID.
To configure FusionAuth as the SAML 2.0 authentication method, see Set up SAML Authentication Using FusionAuth.
Feature availability matrix
CTIX Enterprise | CTIX Lite | CTIX Spoke
---|---|---
Yes | No | No
Before you Start
Use the following source provider data to configure the identity provider application:
Assertion Consumer URL: An HTTP resource on a website that processes SAML protocol messages and returns a cookie representing the information extracted from the message. As part of the SAML process, Cyware auto-generates an Assertion Consumer Service (ACS) URL for your organization. You must copy the ACS URL using the Copy URL option and provide it to your IdP to generate metadata for your organization.
Entity ID: The unique name assigned to the service provider. The Entity ID distinguishes your application from all others, so that the IdP can identify the user or application that an assertion corresponds to.
Certificate: The service provider's certificate and private key, used to pass authorization credentials to the IdP. This information is used when creating (signing) the authentication request.
AuthnRequest: Enable the SP-initiated SSO flow, in which the Service Provider sends an AuthnRequest to the Identity Provider.
Group Attribute: To onboard new users and authorize them on every login using SAML IdP user group attributes, you can map SAML IdP group attribute values to the Cyware application's user groups. To do this, you need the name of the group attribute in the SAML assertion that carries the names or IDs of the user's groups on the IdP. For example, the group attribute can be groups. The default group attribute that the Cyware application expects in the SAML assertion response is memberOf.
Once configured, download one of the following IdP metadata details:
Metadata XML file of the IdP
Certificate and SSO URL of the IdP
Steps
To configure the SAML 2.0 authentication method in CTIX, do the following:
Go to Administration > Configuration > Authentication.
Select SAML 2.0 and click Edit at the top-right corner.
On the top-right, enable Activate Authentication.
To upload the IdP details, select one of the following in Identity Provider Attributes:
Metadata XML: Upload the metadata XML file of the IdP.
Certificate: Upload the certificate and enter the SSO URL of the IdP.
SAML Group Mapping: To configure a mapping between SAML IdP groups and the Cyware application's user groups, follow these steps:
Group Attribute: Enter the group attribute in the SAML assertion that contains the names or IDs of user groups on the IdP. For example, permission_groups. The user group values must be a comma-separated list.
If the group attribute value is not set, SAML-authenticated users will be assigned to the default user group. If the default user group value is None, a user entry is created in the application, but the user will not be able to access the application.
Note
The default group attribute is memberOf. If you do not configure a group attribute, the application expects the memberOf attribute in the SAML assertion response.
Default User Group: Enter the default user group you want to use to onboard and authorize SAML-authenticated users. For example, Analysts.
The default value is Read-Only.
The application provisions SAML-authenticated users into Cyware user groups based on the SAML group mapping. If no mapping between the SAML user groups and the Cyware application's user groups is configured, users are created with the permissions of the specified default group. To create a mapping between SAML IdP user groups and the Cyware application's user groups, see Create User Group.
On the top-right, click Save.
After you activate and configure an IdP for the SAML 2.0 authentication method, users can select SAML on the sign-in page and sign in to the application without entering their CTIX credentials.
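The group-mapping rules above (a configurable group attribute, defaulting to memberOf; comma-separated group values; fallback to the default user group; a default of None creating a user who cannot access the application) are easier to reason about as code. The following is an added illustration written for this article, not Cyware code: the assertion, the GROUP_MAPPING table and the group names are constructed, and it treats an assertion whose groups match nothing in the mapping the same way as a missing attribute (an assumption, not something the article states).

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, needed for ElementTree lookups.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real IdP response): groups arrive in the
# CTIX default attribute "memberOf" as a comma-separated list. In a real
# deployment the assertion's signature is verified before anything is read.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>SOC-Tier1,Threat-Intel</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical IdP group -> CTIX user group mapping (constructed names).
GROUP_MAPPING = {"Threat-Intel": "Analysts", "CTIX-Admins": "Administrators"}


def idp_groups(assertion_xml, group_attribute="memberOf"):
    """Return the IdP group names carried in the named SAML attribute."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.findall(".//saml:Attribute", NS):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            # Values are a comma-separated list; ignore blanks and padding.
            groups.extend(g.strip() for g in (value.text or "").split(",") if g.strip())
    return groups


def resolve_user_groups(assertion_xml, mapping, group_attribute="memberOf",
                        default_group="Read-Only"):
    """Return (assigned CTIX groups, has_access) following the documented rules.

    Mapped groups win; otherwise the default group applies; a default of None
    means the user record exists but the user cannot access the application.
    """
    mapped = [mapping[g] for g in idp_groups(assertion_xml, group_attribute) if g in mapping]
    if mapped:
        return list(dict.fromkeys(mapped)), True
    if default_group is None:
        return [], False
    return [default_group], True
```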