Configure SAML Provider
This article describes how to configure a SAML provider.
If you are using Okta, read here.
If you are using Google Workspace, read here first.
If you are using Azure, read here first.
If you are using AD FS, read here.
The platform supports Google Workspace, Okta, Azure, AD FS and configuring your own custom SAML provider. The custom provider can be an existing solution such as Centrify, or a company-specific solution.
Chronicle SOAR supports the authentication options your SAML identity provider offers, including two-factor authentication (2FA); the second factor is enforced by the provider before it issues the assertion.
The application uses the default STS (security token service) support of .NET Core and relies on that library to validate the tokens issued by the identity provider. Of the token contents, only the NameID property is used, so the identity provider must place the value that identifies the user in Chronicle SOAR in NameID; any other attributes carried in the assertion are ignored.
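Because only NameID is consumed, the following Python script shows what the platform would get out of a SAML response. It is an added example, not Chronicle SOAR code: it parses a constructed sample response, returns the NameID, checks the assertion's AudienceRestriction against the Audience URI (SP Entity ID) that is configured for the provider, flags a response with no InResponseTo as IdP-initiated (unsolicited), and lists the attributes that are carried but not used. The hostnames, IDs and user are invented, and signature verification is deliberately left out because it is the job of the .NET library.

```python
"""What a Chronicle SOAR-style SP takes from a SAML Response (added example).

Not Chronicle SOAR code. Parses a constructed Response, extracts the NameID
(the only field the page says the platform uses), checks the Audience against
the configured SP Entity ID and detects an IdP-initiated (unsolicited) response.
Signature verification is out of scope; a real SP validates the signature first.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: issuer, host, IDs and user are invented.
# It has no InResponseTo attribute, so it models an IdP-initiated response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://soar.example.com/saml2">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://soar.example.com/saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>soar-admins</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def inspect_response(xml_text: str, sp_entity_id: str) -> dict:
    """Return the NameID plus audience and solicitation checks for one Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        # Without a NameID there is nothing to map to a platform user.
        raise ValueError("assertion carries no NameID; the user cannot be mapped")

    audiences = [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    # Attributes are present in the assertion but not used for the login decision.
    ignored = [a.get("Name") for a in assertion.findall(
        "saml:AttributeStatement/saml:Attribute", NS)]

    return {
        "name_id": name_id.text.strip(),
        "name_id_format": name_id.get("Format"),
        # The Audience must equal the SP Entity ID configured in the platform.
        "audience_ok": sp_entity_id in audiences,
        # No InResponseTo means the SP never issued a request for this response.
        "unsolicited": root.get("InResponseTo") is None,
        "ignored_attributes": ignored,
    }


if __name__ == "__main__":
    print(inspect_response(SAMPLE_RESPONSE, "https://soar.example.com/saml2"))
```

Running it with a different SP Entity ID (for example the server's IP instead of its host name) turns `audience_ok` to false, which is the failure mode behind the note that users must connect with the same URL pattern that is configured as the Audience URI.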
The following steps should be taken to configure the provider:
- Configure SAML Provider
- Configure Users and invite them to Chronicle SOAR
For the purposes of this article, we will use Google Workspace as an example of a custom provider.
Configure SAML Provider
To configure the SAML Provider:
- Navigate to Settings > Advanced > External Authentication.
- Select Google Workspace.
- Fill out the following fields.
  - Provider name: The name of the provider. Google Workspace and Okta are populated automatically.
  - IDP Metadata: The identity provider's SAML metadata XML, which carries the configuration shared between the Identity Provider (IdP) and the Service Provider (SP). The WantAuthnRequestsSigned attribute on the IDPSSODescriptor element must agree with your certificate choice: if you use a certificate, set WantAuthnRequestsSigned="true"; if you are not using a certificate, set it to "false".
  - Identifier: For some providers this is the entityID value from the IDP metadata file.
  - Audience URI (SP Entity ID): The Chronicle SOAR server address, as an IP URL, host name URL or localhost URL, followed by /saml2 (for example, the IP of the Chronicle SOAR server followed by /saml2). Users must connect to the platform with the same URL pattern configured in this field in order to log in with SAML, because the identity provider issues its assertions for exactly this audience.
  - Provider public certificate: Optional; upload it as necessary for custom providers. To replace an uploaded certificate, click the trashcan button to clear the current one, then click the arrow button to upload the new one. The certificate is not swapped until you click Save.
  - Unsolicited Response (also known as IdP-initiated response): Lets SAML users enter the Chronicle SOAR platform directly from their identity provider's application. For example, if your company uses Okta, users can open Chronicle SOAR from the Okta application. The option is available only when a single SAML provider is configured in the SOAR. An IdP-initiated response carries no InResponseTo value, so the platform cannot match it to a request it sent; leave the option off unless you need it.
  - Auto-redirect: Users are redirected to the provider and logged into the platform automatically.
  - Enable Just-in-Time User Provisioning: When a user logs in with SAML for the first time, the user is created automatically in Chronicle SOAR. Any identity the provider asserts therefore receives an account, so control which users the provider assigns to the application. For more information, see What is Just-in-Time User Provisioning?
- Click Save in the top right corner.
- Restart the Chronicle SOAR server for the configuration to take effect.
- Click Test in order to make sure the connection is working as expected.
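Before filling in the form it helps to pull the values out of the IdP metadata and to derive the Audience URI from the URL users will type. The Python script below is an added example, not Chronicle SOAR code: the metadata, host names and certificate body are constructed, the /saml2 suffix comes from the Audience URI field above, and check_signing_choice mirrors the WantAuthnRequestsSigned note on the IDP Metadata field. It also reports a KeyDescriptor with no use attribute as a signing key, which is what the SAML metadata specification defines for that case.

```python
"""Pre-flight check for the External Authentication form (added example).

Not Chronicle SOAR code. Reads IdP metadata (constructed sample below), pulls
out the entityID for the Identifier field, the SSO endpoint, the signing
certificate and WantAuthnRequestsSigned, derives the Audience URI (SP Entity
ID) from the login URL, and reconciles the metadata with the certificate
option as the page describes.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata: entityID, endpoint and certificate are invented.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values the provider form asks for from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    want_signed = (idp.get("WantAuthnRequestsSigned") or "false").lower() == "true"
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", MD)}

    signing_cert = None
    for kd in idp.findall("md:KeyDescriptor", MD):
        # A KeyDescriptor with no 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") == "signing":
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD)
            if cert is not None and (cert.text or "").strip():
                signing_cert = cert.text.strip()
                break

    return {
        "identifier": root.get("entityID"),          # Identifier field
        "want_authn_requests_signed": want_signed,    # IDP Metadata note
        "sso_redirect_url": sso.get(REDIRECT),
        "signing_cert": signing_cert,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", MD)],
    }


def audience_uri(login_url: str) -> str:
    """Audience URI (SP Entity ID): scheme://host[:port]/saml2 of the URL users type in."""
    parts = urlsplit(login_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("login URL must be absolute, e.g. https://soar.example.com")
    return f"{parts.scheme}://{parts.netloc}/saml2"


def check_signing_choice(md: dict, certificate_uploaded: bool) -> list:
    """Mismatches between the metadata and the certificate option, per the page's note."""
    problems = []
    if certificate_uploaded and not md["want_authn_requests_signed"]:
        problems.append("certificate uploaded but WantAuthnRequestsSigned is not true")
    if not certificate_uploaded and md["want_authn_requests_signed"]:
        problems.append("no certificate uploaded but WantAuthnRequestsSigned is true")
    if md["signing_cert"] is None:
        problems.append("metadata has no signing certificate; responses cannot be verified")
    return problems


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print(md)
    print(audience_uri("https://soar.example.com"))
    print(check_signing_choice(md, certificate_uploaded=True))
```

The audience_uri helper makes the URL-pattern requirement concrete: a user who opens the platform by IP gets an audience of the IP followed by /saml2, which does not equal the host-name form, so both sides must agree on one pattern.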
Configure Users
The next stage is to add users that can access the platform through the new SAML provider that you just created.
To add and configure users:
- Navigate to Settings > Organization > User Management.
- Click the icon on the top right.
- Fill out the fields, making sure to choose Google Workspace Provider in the User Type field.
- Click Add when done. The user will appear in the list of Users with the Google Workspace icon to the left.
Change SAML Providers
To change SAML providers in the Chronicle SOAR platform (Admin only):
- Change the SAML provider under Settings > Advanced > External Authentication.
- Navigate to Settings > Organization > User Management.
- Double-click the user in the list whose SAML provider you want to change.
- Choose the new SAML provider from the User Type drop-down field.