Configure SAML 2.0 as the Authentication Method
You can enable single sign-on (SSO) using an identity provider (IdP) that supports Security Assertion Markup Language (SAML 2.0). You can use identity providers such as Okta, Google, or Azure AD to set up SAML authentication for the users. SAML 2.0 uses the email ID of the users to authenticate.
To configure Okta IdP as the SAML 2.0 authentication method, see Set Up SAML SSO Integration using Okta.
To configure Azure AD as the SAML 2.0 authentication method, see Configure Microsoft Entra ID SSO in Orchestrate.
Before you Start
Use the following source provider data to configure the identity provider application:
Assertion Consumer URL: An HTTP resource on a website that processes SAML protocol messages and returns a cookie representing the information extracted from the message. As part of the SAML process, Cyware auto-generates an Assertion Consumer Service (ACS) URL for your organization. You must copy the ACS URL using the Copy URL option and provide it to your IdP to generate metadata for your organization.
Entity ID: The unique name provided to the service provider. The Entity ID uniquely distinguishes your application website from others to identify the user or application corresponding to the assertion.
Certificate: The certificate and private key to pass authorization credentials to the IdP. This information will be used for creating an authentication request.
AuthnRequest: Enable the SP-SSO initiated flow to send AuthnRequest from the Service Provider to the Identity Provider.
Group Attribute: To onboard new users and authorize users on every login using SAML IdP user group attributes, you can map SAML IdP group attribute values to the Cyware application's user groups. To do this, you need the name of the group attribute in the SAML assertion that carries the names or IDs of the user's groups on the IdP. For example, the group attribute can be groups. The default group attribute the Cyware application expects in the SAML assertion response is memberOf.
Once configured, download one of the following IdP metadata details:
Metadata XML file of the IdP
Certificate and SSO URL of the IdP
Steps
To configure the SAML 2.0 authentication method in Orchestrate, do the following:
Log in to the Cyware Central platform and go to Admin Settings > Authentication > Methods.
Select Single Sign-on > SAML and click Edit.
To upload the IdP details, select one of the following in Identity Provider Attributes:
Metadata XML: Upload the metadata XML file of the IdP.
Certificate: Upload the certificate and enter the SSO URL of the IdP.
SAML Group Mapping: To configure a mapping between SAML IdP groups and the Cyware application's user groups, follow these steps:
Group Attribute: Enter the group attribute in the SAML assertion that contains the names or IDs of user groups on the IdP. For example, permission_groups. The user group values must be a comma-separated list.
If the group attribute value is not set, SAML-authenticated users will be assigned to the default user group. If the default user group value is None, a user entry is created in the application, but the user will not be able to access the application.
Note
The default group attribute value for SAML assertion is memberOf and the application expects the memberOf group attribute value in the SAML assertion response if not configured.
Default User Group: Enter the default user group you want to use to onboard and authorize SAML-authenticated users. For example, Analysts.
The default value is None.
The application provisions SAML-authenticated users into Cyware user groups based on the SAML group mapping. If no mapping between the SAML IdP user group and the Cyware application's user group is configured, the users are created with the permissions of the specified default group. To create a mapping between SAML IdP user groups and Cyware application's user groups, see Create User Group.
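The group-mapping and default-group rules above, as an added example that is not Cyware's own code: it reads the configured group attribute (memberOf by default, comma-separated) from a constructed assertion and resolves the application groups a login should receive. The mapping dictionary, the group names and the assumption that an unmatched or absent group value falls back to the default group are assumptions for the example; it must only run on an assertion whose signature has already been verified.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the page). The IdP sends the groups
# in "memberOf", the default attribute name the application expects, as a
# comma-separated list.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>SOC-Tier1,Threat-Intel</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def idp_groups(assertion_xml, group_attribute="memberOf"):
    """Return the IdP group names carried in the configured group attribute.

    Only call this on an assertion whose XML signature was already verified;
    attribute values from an unverified assertion must never drive authorization.
    """
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != group_attribute:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            # Comma-separated list, as the page requires; ignore empty entries.
            groups.extend(g.strip() for g in (value.text or "").split(",") if g.strip())
    return groups


def resolve_user_groups(idp_group_values, mapping, default_group=None):
    """Map IdP groups to application user groups.

    mapping: {idp_group_name: application_user_group} (assumed shape).
    Falls back to default_group when nothing maps; with default_group None the
    user is still created but gets no group, i.e. no access to the application.
    """
    mapped = {mapping[g] for g in idp_group_values if g in mapping}
    if mapped:
        return sorted(mapped)
    return [default_group] if default_group else []
```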
On the top-right, click Save.
To enable the SAML authentication method, toggle on the Single Sign-on switch. Ensure that the configuration is completed successfully before enabling this authentication method. The platform will show the available SSO authentication methods, where you can enable the SAML authentication method.
Click Done.
After you activate and configure an IdP for the SAML 2.0 authentication method, users can select SAML on the sign-in page to sign in to the application without entering the credentials.
Set up SAML Authentication for Orchestrate Using Microsoft Entra ID
Notice
Microsoft Azure Active Directory (Azure AD) is renamed to Microsoft Entra ID.
In Orchestrate, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports Security Assertion Markup Language (SAML), such as Microsoft Entra ID.
Before you Start:
You must have administrative privileges to create an external application using Microsoft Entra ID.
Your user group in Orchestrate must have View and Update Configuration permission to access the Configuration module in Orchestrate.
Steps
To set up SAML authentication for Orchestrate using Microsoft Entra ID, you must:
Fetch Assertion URL and Entity ID from Orchestrate
The assertion consumer URL is an endpoint on Orchestrate, where the identity provider (Microsoft Entra ID) will redirect to with its authentication response. An entity ID is a globally unique name for the service provider or the identity provider. You need these values while setting up the SAML 2.0 app in Microsoft Entra ID.
To fetch the assertion consumer URL and entity ID from Orchestrate, do the following:
Sign in to the Orchestrate platform.
Navigate to Admin Panel > Authentication > Single Sign-on.
Copy the following values.
Assertion Consumer Service URL
Entity ID
Configure SAML Application for Orchestrate on Microsoft Entra ID
Set up Microsoft Entra ID for SSO by creating an external application for Orchestrate and configuring SSO for it.
To configure the SAML application for Orchestrate, follow these steps:
Sign in to the Microsoft Entra ID admin center.
From the menu, select Microsoft Entra ID.
Select Enterprise Applications and click New Application > Create your own application.
In the What's the name of your app field, enter Orchestrate and select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create to create the application.
Under Manage, select Single Sign-on.
From Select a single sign-on method, select SAML.
Click Edit on Basic SAML Configuration. Enter the Entity ID copied from the Orchestrate platform in Identifier (Entity ID), and the Assertion Consumer Service URL copied from the Orchestrate platform in Reply URL. In the Reply URL field, the Index is optional.
The Sign on URL, Relay State, and Logout URL fields are optional. Save your changes.
Click Edit on Attributes and Claims. For more information on claims, see Claims.
In Required Claim, select the Unique User Identifier (Name ID) and enter the value as user.userprincipalname.
Edit the existing additional claims and add the claims for email, first name, and last name.
Note that Microsoft Entra ID automatically fills in a Namespace value for each additional claim you add. The Namespace field is optional, and Orchestrate expects the plain claim names, so edit each additional claim and clear its Namespace value so that the field is empty.
Enter the following values to add an email claim:
Name as email
Select Source as Attribute
Source Attribute as user.mail
Enter the following values to add a claim for the first name:
Name as first_name
Select Source as Attribute
Source Attribute as user.givenname
Enter the following values to add a claim for the last name:
Name as last_name
Select Source as Attribute
Source Attribute as user.surname
The following image illustrates the list of claims that must be added to Microsoft Entra ID.
Go to SAML Certificates and download the Certificate (Base64) or Certificate (Raw), Federation Metadata XML, and copy the App Federation Metadata URL to use while configuring the SSO in the Orchestrate platform.
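A check for the claims configured above, added here as an example that is not Microsoft's or Cyware's code: it inspects a (constructed, already signature-verified) assertion and reports a missing Name ID, a missing email/first_name/last_name claim, or a claim whose Name still carries the Namespace prefix that the steps above tell you to clear. The exact form Entra ID gives a namespaced claim name is assumed to be the namespace URI joined to the claim name with a slash.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("email", "first_name", "last_name")


def check_claims(assertion_xml):
    """Return a list of problems with the assertion's claims; an empty list means OK."""
    root = ET.fromstring(assertion_xml)
    problems = []
    if root.find(".//saml:Subject/saml:NameID", NS) is None:
        problems.append("missing NameID (Unique User Identifier)")
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", NS)]
    for name in names:
        # A leftover Namespace turns "email" into "<namespace-uri>/email" (assumed form).
        short = name.rsplit("/", 1)[-1]
        if "/" in name and short in REQUIRED_CLAIMS:
            problems.append(f"claim '{name}' still has a Namespace prefix; expected '{short}'")
    for required in REQUIRED_CLAIMS:
        if required not in names:
            problems.append(f"missing claim '{required}'")
    return problems


# Constructed samples: one configured as the steps describe, one where the
# email claim kept its Namespace value.
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
BAD = GOOD.replace('Name="email"', 'Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email"')
```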
Assign Users to Orchestrate Application in Microsoft Entra ID
Ensure that you have created users in Microsoft Entra ID to set up SAML authentication. For more information on creating users in Microsoft Entra ID, see Add or Delete Users. You must assign the created users or user groups to the Orchestrate application present in Microsoft Entra ID.
To assign users to the Orchestrate application, do the following:
Sign in to the Microsoft Entra ID as an administrator.
Go to Enterprise Applications > Orchestrate.
Under Manage, select Users and Groups.
Click Add User/Group and select and add your users.
Create Users in Orchestrate
The users you added in Microsoft Entra ID must also be added to Orchestrate. See Create User to add users in Orchestrate.
Configure Microsoft Entra ID SSO in Orchestrate
You must configure a single sign-on for Microsoft Entra ID in Orchestrate to allow users to seamlessly and securely sign in to Orchestrate from Microsoft Entra ID.
To configure Microsoft Entra ID SSO in Orchestrate, do the following:
Sign in to the Orchestrate application.
Navigate to Admin Panel > Authentication.
Select Single Sign-on and, in the SAML tab, click Edit.
Go to the IdP (Identity Provider) section and, in Metadata XML, upload the Federation Metadata XML file downloaded from Microsoft Entra ID. Ensure that the .xml file is smaller than 40 MB.
In the SSO URL field, enter the App Federation Metadata URL copied from Microsoft Entra ID, and in the Certificate field, upload the Certificate (Base64) or Certificate (Raw) file downloaded from Microsoft Entra ID.
The Encrypt Certificate and Sign Certificate fields are optional. Enable Authn Request to send authentication requests from Orchestrate to Microsoft Entra ID.
Enable the SAML toggle and click Save.