Configure the SAML Service Provider
Go to Administration > Identity Provider.
Identity Provider configuration
On your Identity provider you will need to configure the following fields:
- ACS URL: Redirection URL to the Cyberwatch application
- Entity ID: Name of the Service Provider
- IDP SSO target URL: SSO URL of the Identity Provider
- IDP SLO target URL (optional): Single Logout URL of the Identity Provider; by default, Cyberwatch uses the IDP SSO target URL
- Single Logout URL: URL your Identity provider should send the logout request to
- Name identifier format: Format of the name used for the identification
- IDP certificate: Certificate of the Identity Provider
Cyberwatch settings configuration
- Label: Name of the Identity Provider
- Request Single Logout: Asks the Identity provider to log the users out of their SAML session
- Synchronize names: Let Cyberwatch set users' first and last names from the information sent by your Identity Provider
Attributes configuration
First you need to tell Cyberwatch where to look for the attributes. For this you need to make sure that your IDP server sends a specific AttributeStatement along with the regular SAML response. Here is an example:
<saml:AttributeStatement>
  <saml:Attribute Name="Roles">
    <saml:AttributeValue xsi:type="xs:string">Security Group</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Developers</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Administrator</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Groups">
    <saml:AttributeValue xsi:type="xs:string">Preproduction</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Production</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
- Roles attribute: Attribute name where Cyberwatch will look for the user roles (‘Roles’ in the above example)
- Administrator, System administrator, Security administrator and Auditor: AttributeValue names corresponding to each Cyberwatch role
- Groups attribute: Attribute name where Cyberwatch will look for the groups the user has access to (‘Groups’ in the example above)
- Access to all assets: Attribute read to determine whether the user can access all assets. When the attribute is not configured, access to all assets is configured manually. Otherwise, access to all assets is granted if and only if the value of the attribute, or one of its values if it is multi-valued, matches one of the configured values. More than one value can be accepted by separating them with a semicolon. For example, with the above SAML response, we could set the attribute to Roles and the values to Security Group;Developers.
- First Name attribute (optional) and Last Name attribute (optional): Names of the attributes Cyberwatch will use to map user first and last names
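To make the attribute-mapping rules above concrete, here is an added example (not Cyberwatch code) that parses an AttributeStatement like the one shown, reads the roles and groups attributes, and applies the documented "Access to all assets" rule, including the multi-valued attribute and semicolon-separated accepted values. The AttributeStatement is constructed for the example, and the role-to-AttributeValue mapping (ROLE_VALUE_MAP) is an assumed SP setting, not a Cyberwatch default.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (real URI); the statement below is constructed for this example.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMPLE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="Roles">
    <saml:AttributeValue xsi:type="xs:string">Security Group</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Developers</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Administrator</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Groups">
    <saml:AttributeValue xsi:type="xs:string">Preproduction</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">Production</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Assumed SP setting: which AttributeValue name maps to each Cyberwatch role (hypothetical values).
ROLE_VALUE_MAP = {
    "Administrator": "Administrator",
    "System administrator": "SysAdmin",
    "Security administrator": "SecAdmin",
    "Auditor": "Auditor",
}


def attribute_values(statement_xml):
    """Map each saml:Attribute Name to the list of its AttributeValue texts (multi-valued aware)."""
    root = ET.fromstring(statement_xml.strip())
    result = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        result[attr.get("Name")] = values
    return result


def cyberwatch_roles(attrs, roles_attribute="Roles", role_value_map=ROLE_VALUE_MAP):
    """Cyberwatch roles whose configured AttributeValue name appears in the roles attribute."""
    present = set(attrs.get(roles_attribute, []))
    return [role for role, value in role_value_map.items() if value in present]


def access_to_all_assets(attrs, attribute=None, accepted_values=""):
    """Documented rule: no attribute configured -> None (manual setting); otherwise True iff any
    value of the attribute matches one of the semicolon-separated accepted values."""
    if not attribute:
        return None
    accepted = {v.strip() for v in accepted_values.split(";") if v.strip()}
    return any(v in accepted for v in attrs.get(attribute, []))
```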
Debugging the SAML Service Provider configuration
To display the logs of the SAML Service Provider:
- Use the procedure to Consult Cyberwatch logs
Filter the logs to get only SAML related errors:
sudo cyberwatch logs web 2>&1 | grep ERROR | grep SAML
Example configurations
Cyberwatch also provides a step by step example to configure SAML using ADFS.