Cyware Orchestrate

Configure SAML 2.0 as the Authentication Method

You can enable single sign-on (SSO) using an identity provider (IdP) that supports Security Assertion Markup Language (SAML 2.0). You can use identity providers such as Okta, Google, or Azure AD to set up SAML authentication for users. SAML 2.0 authentication uses the email ID of each user to authenticate.

To configure Okta IdP as the SAML 2.0 authentication method, see Set Up SAML SSO Integration using Okta.

To configure Azure AD as the SAML 2.0 authentication method, see Set up SAML Authentication for Orchestrate Using Microsoft Entra ID.

Before you Start

Use the following source provider data to configure the identity provider application:

  • Assertion Consumer URL: An HTTP resource on a website that processes SAML protocol messages and returns a cookie representing the information extracted from the message. As part of the SAML process, Cyware auto-generates an Assertion Consumer Service (ACS) URL for your organization. You must copy the ACS URL using the Copy URL option and provide it to your IdP to generate metadata for your organization.

  • Entity ID: The unique name provided to the service provider. The Entity ID uniquely distinguishes your application website from others to identify the user or application corresponding to the assertion.

  • Certificate: The certificate and private key used to pass authorization credentials to the IdP. This information is used to create the authentication request.

  • AuthnRequest: Enable the SP-initiated SSO flow to send an AuthnRequest from the service provider to the identity provider.

  • Group Attribute: To onboard new users and authorize users upon every login using SAML IdP user group attributes, you can map SAML IdP group attribute values to the Cyware application's user groups. To do this, you need the name of the group attribute in the SAML assertion that contains the names or IDs of user groups on the IdP. For example, the group attribute can be groups. The default group attribute value expected by the Cyware application in the SAML assertion response is memberOf.

Once configured, download one of the following IdP metadata details:

  • Metadata XML file of the IdP

  • Certificate and SSO URL of the IdP

Steps

To configure the SAML 2.0 authentication method in Orchestrate, do the following:

  1. Go to Admin Panel > Authentication.

  2. Select SAML 2.0 and click Edit.

  3. On the top-right, enable Activate Authentication.

  4. To upload the IdP details, select one of the following in Identity Provider Attributes:

    • Metadata XML: Upload the metadata XML file of the IdP.

    • Certificate: Upload the certificate and enter the SSO URL of the IdP.

  5. Activate Just-in-Time Provisioning to automatically create a user account in Orchestrate when the user logs in for the first time with SSO. If Just-in-Time Provisioning is not activated, users won't be able to log in to the application until you create their user accounts.

    Notice

    This configuration is available in Orchestrate 3.5.7.2 onwards.

  6. SAML Group Mapping: To configure a mapping between SAML IdP groups and the Cyware application's user groups, enter the following:

    • Group Attribute: Enter the group attribute in the SAML assertion that contains the names or IDs of user groups on the IdP. For example, permission_groups. The user group values must be a comma-separated list.

      If the group attribute value is not set, SAML-authenticated users will be assigned to the default user group. If the default user group value is None, a user entry is created in the application, but the user will not be able to access the application.

      Note

      The default group attribute value for the SAML assertion is memberOf. If no group attribute is configured, the application expects the memberOf group attribute in the SAML assertion response.

    • Default User Group: Enter the default user group you want to use to onboard and authorize SAML-authenticated users. For example, Analysts.

      The default value is None.

      The application provisions SAML-authenticated users based on the SAML group mapping in Cyware's user groups. However, if the SAML user group and the Cyware application's user group are not configured, users are created with the specified default group permissions. To create a mapping between SAML IdP user groups and the Cyware application's user groups, see Create User Group.

  7. On the top-right, click Save.

Note

After configuring the SAML 2.0 authentication method, verify the Metadata XML file, certificate, and other details to ensure users can sign in without any connectivity issues.

After you activate and configure an IdP for the SAML 2.0 authentication method, users can select SAML on the sign-in page to sign in to the application without entering their credentials.
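Before activating Just-in-Time Provisioning, it helps to confirm what group values your IdP actually sends and which outcome the group mapping rules in step 6 would give. The following is an added example, not Cyware's code: it models those rules over a constructed assertion fragment, and the `mapping` dict, function names, and sample groups are assumptions. It performs no signature validation and is meant only for inspecting an assertion captured from your own test login.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not from a real IdP; signature omitted).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>analyst@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>soc-tier1, soc-tier2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def idp_groups(assertion_xml, group_attribute=None):
    """Return the IdP group values carried in the assertion.

    Uses memberOf when no group attribute is configured and splits
    comma-separated values, as the page describes.
    """
    name = group_attribute or "memberOf"
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        # Also tolerates several AttributeValue elements (beyond the page's case).
        for value in attr.iterfind("saml:AttributeValue", NS):
            groups += [g.strip() for g in (value.text or "").split(",") if g.strip()]
    return groups


def resolve_user_groups(assertion_xml, mapping, group_attribute=None, default_group=None):
    """Model the provisioning outcome as (user_groups, can_access).

    mapping is a hypothetical dict of IdP group -> application user group.
    """
    found = idp_groups(assertion_xml, group_attribute)
    mapped = [mapping[g] for g in found if g in mapping]
    if mapped:
        return mapped, True
    if default_group is None:
        return [], False  # user entry is created but cannot access the application
    return [default_group], True
```

A result of `([], False)` means the login would create a user entry with no access, which usually points to a wrong Group Attribute name or a missing Default User Group.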