Configure Okta SSO

You can enable users to access Threat Command with Okta SSO. In addition, you can enable SP-initiated SSO and user provisioning with the SAML Just In Time (JIT) method.

User provisioning with JIT lets you register new users to Threat Command directly from Okta, bypassing the need to set up each user in Threat Command. For more information, see Provisioning Users with JIT.

Enable access to Threat Command with Okta SSO

Add the Threat Command application to the customer Okta account.

This section describes the basic Okta configuration process. The process is described fully at https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-IntSights.html.

Before you begin, ensure that:

  • You can access the Okta account as an administrator.
  • You can access Threat Command as an administrator.
  • (Optional) To enable SP-initiated login, you can provide the IDP URL and Issuer ID for the SSO provider. You can get these values from the Okta Admin Dashboard.

To enable Okta access to Threat Command:

  1. Log in to Okta as an administrator.
  2. Add the Threat Command application to Okta:
    1. From the Okta Applications menu, search for the Rapid7 application.
    2. On the Rapid7 application line, click Add.
    3. In the Base URL field of the General Settings dialog, type the Threat Command URL:
      https://dashboard.ti.insight.rapid7.com
    4. Click Done.
  3. Download the Rapid7 certificate:
    1. From the Okta Rapid7 application page, select the Sign On tab.
    2. In the Settings section, click View Setup Instructions.
    3. From the Configuration Steps dialog, download the certificate, and name it okta.cert.
      (You can ignore the other instructions in this dialog.)
  4. Log in to Threat Command as an administrator.
  5. From the Threat Command main menu, select Settings > Authentication.
  6. Enable SAML single sign-on.
  7. For Provider name, select okta.
  8. Upload the okta.cert certificate.
  9. (Optional) To enable SP-initiated login to Threat Command, perform the following:
    1. Select Enable SP-initiated login.
    2. Enter the IDP URL and Issuer ID.
      You can get this information from the SSO provider.
      For more information, see Enable SP-Initiated User Login.
  10. (Optional) In the Force logout section, set the maximum hours for a user session to remain valid. After this time period, the user must sign in through their SSO to regain access to Threat Command.
  11. (Optional) To enable JIT user provisioning, perform the following:
    1. Select Enable JIT user provisioning.
    2. (Optional) When JIT provisioning is enabled, you can force users to log in with SSO. To enforce this, click Enforce SSO.
      Users will not be able to use the Threat Command username and password, only SSO. Ensure that your setup supports this before enabling this option.
    3. To get the account ID needed to configure JIT in Okta, click Copy account ID. For more information about provisioning users, see Provisioning Users with JIT.
  12. Click Save Changes.

Enable JIT user provisioning in Okta SSO

To complete the JIT provisioning setup, you need to perform additional steps in the Okta application.

In the Okta SAML Attributes (Optional) section, the following additional attributes must be set:

Required claim        Value
intsightsAccountId    Paste the account ID from the Threat Command SAML single sign-on dialog.
intsightsRole         Select Admin or Analyst.

For complete instructions, see https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Rapid7.html.
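
Before you turn on Enforce SSO, you can confirm that Okta actually emits the two JIT claims by decoding a test assertion and checking its attributes. The following is an added example, not Rapid7 or Okta code: the sample assertion and account ID are constructed placeholders, the single-value and exact-case rules are assumptions, and the script checks claim contents only (it does not verify the assertion signature).

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"Admin", "Analyst"}  # the two roles listed in the table above

# Constructed sample: a decoded assertion reduced to its AttributeStatement.
# The account ID is a placeholder, not a real value.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="intsightsAccountId">
      <saml:AttributeValue>ACCOUNT-ID-PLACEHOLDER</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="intsightsRole">
      <saml:AttributeValue>Analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_claims(assertion_xml):
    """Map each attribute Name to its list of whitespace-stripped values."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

def check_jit_claims(assertion_xml, expected_account_id):
    """Return a list of problems; an empty list means both claims look right."""
    claims = read_claims(assertion_xml)
    problems = []
    # Assumption: each claim carries exactly one value, compared case-sensitively.
    account = claims.get("intsightsAccountId", [])
    if len(account) != 1:
        problems.append("intsightsAccountId is missing or multi-valued")
    elif account[0] != expected_account_id:
        problems.append("intsightsAccountId does not match the copied account ID")
    role = claims.get("intsightsRole", [])
    if len(role) != 1:
        problems.append("intsightsRole is missing or multi-valued")
    elif role[0] not in ALLOWED_ROLES:
        problems.append(f"intsightsRole {role[0]!r} is not Admin or Analyst")
    return problems

if __name__ == "__main__":
    print(check_jit_claims(SAMPLE_ASSERTION, "ACCOUNT-ID-PLACEHOLDER") or "claims OK")
```

Pass the account ID you copied with Copy account ID as the second argument when you run the check against an assertion from your own test login.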