Configure the SAML Service Provider

Go to Administration > Identity Provider.

Identity Provider configuration

On your Identity provider you will need to configure the following fields:

  • ACS URL: Redirection URL to the Cyberwatch application
  • Entity ID: Name of the Service Provider
  • IDP SSO target URL: SSO URL of the Identity Provider
  • IDP SLO target URL (optional): Single Logout URL of the Identity Provider, by default, Cyberwatch will use the IDP SSO target URL
  • Single Logout URL: URL your Identity provider should send the logout request to
  • Name identifier format: Format of the name used for the identification
  • IDP certificate: Certificate of the Identity Provider

Cyberwatch settings configuration

  • Label: Name of the Identity Provider
  • Request Single Logout: Asks the Identity provider to log the users out of their SAML session
  • Synchronize names: Let Cyberwatch configure user names and first names with the information from your Identity provider

Attributes Configurations

First you need to tell Cyberwatch where to look for the attributes. For this you need to make sure that your IDP server sends a specific AttributeStatement along with the regular SAML response. Here is an example:

    <saml:Attribute Name="Roles">
        <saml:AttributeValue xsi:type="xs:string">Security Group</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">Developers</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">Administrator</saml:AttributeValue>
    <saml:Attribute Name="Groups">
        <saml:AttributeValue xsi:type="xs:string">Preproduction</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">Production</saml:AttributeValue>
  • Roles attribute: Attribute name where Cyberwatch will look for the user roles (‘Roles’ in the above example)
  • Administrator, System administrator, Security administrator and Auditor: Names of the AttributeValue corresponding to the Cyberwatch roles
  • Groups attribute: Attribute name where Cyberwatch will look for the groups the user has access to (‘Groups’ in the example above)
  • Access to all assets : Attribute read to determine if the user can access to all assets or not. When the attribute is not configured, the configuration for the access to all assets is manual. Otherwise, access to all assets is granted if and only if the value of the attribute, or one of its values if it is multiple, matches one of the configured values. It is possible to accept more than one value by separating them with a semicolon. For example, with the above SAML response, we could set the attribute to Roles and the values to Security Group;Developers.
  • First Name attribute (optional) and Last Name attribute (optional): Name of the attributes Cyberwatch will use to map user names

Debugging the SAML Service Provider configuration

To display the logs of the SAML Service Provider:

  1. Use the procedure to Consult Cyberwatch logs
  2. Filter the logs to get only SAML related errors:

    sudo cyberwatch logs web 2>&1 | grep ERROR | grep SAML

Example configurations

Cyberwatch also provides a step by step example to configure SAML using ADFS.

Back to top