Configure Google as an SSO source for the Insight Platform

This article covers how to configure an Insight Platform single sign-on (SSO) source for use with Google.

Create the Insight Platform application in Google

If you haven’t already, you will need to create a custom SAML application within your Google Workspace Admin Console.

To create a custom SAML application in Google:

  1. Navigate to Apps > Web and mobile apps.
  2. Click Add App > Add custom SAML app.
  3. Name the application.
    • Rapid7 Insight Platform is recommended.
  4. Click Continue.

Add the Google certificate to the Insight Platform

To download the certificate from Google and upload it to the Insight Platform:

  1. In the Google Identity Provider details tab under Option 2, click the download icon to the right of the certificate.
  2. Navigate to the Insight Platform SSO Settings tab.
  3. From the Select your identity provider (IdP) dropdown, select Google.
  4. In the section titled Add your IdP certificate, drag and drop your Google certificate, or click the Browse button to search for it on your machine.

Configure the Insight Platform

Once the certificate is uploaded, the next step is to copy the SSO URL and Entity ID from Google.

To copy values for these fields:

  1. Under Option 2 in Google, click the copy icon beside SSO URL.
  2. Paste the SSO URL into the corresponding field on the Insight Platform under the section titled Provide the required fields from your IdP.
  3. Repeat this step for the Entity ID, pasting it into the corresponding field on the Insight Platform.
  4. When both values have been copied into the Insight Platform, click Continue on Google.

In the Service Provider section of your cloud application in Google, you now need to fill in the Entity ID, ACS URL, and Default Relay State provided by the Insight Platform:

  1. From the Insight Platform section titled Copy the following data into your external IdP, click Copy beside the field labeled Assertion Consumer Service (ACS) URL.
  2. Paste this into the corresponding field in Google.
  3. Repeat this for the Entity ID field.
  4. Finally, repeat this for the Default Relay State field.

Configure the Service Provider details in Google

You should now be on the Service provider details tab in Google.

To add the ACS URL, Entity ID, and Start URL from the Insight Platform:

  1. In the section on the Insight Platform titled Copy the following data to your external IdP, click Copy beside the ACS URL field.
  2. Paste this into the corresponding field in Google.
  3. Repeat this for the Entity ID field.
  4. Repeat this for the Start URL field.
  5. In Google, the Signed Response check box should be left unselected.
  6. Name ID format should be UNSPECIFIED.
  7. Name ID should be Basic Information > Primary Email.
  8. Click Continue.

Attribute mapping

You should now be on the Attribute mapping tab in Google. You need to add the values described in the Attribute Statements box on the Insight Platform.

To add these values:

  1. Click Add Mapping in Google.
  2. Under Google Directory attributes, select Primary Email from the dropdown. Under App attributes, enter Email, then click Add Mapping.
  3. Select First name from the dropdown. Under App attributes, enter FirstName, then click Add Mapping.
  4. Select Last name from the dropdown. Under App attributes, enter LastName.
  5. Click Finish.

This completes the configuration of the Insight Platform app in Google.

Set up a default access profile

A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in Google. See our default access profile documentation for instructions.

Group Synchronization

Group Synchronization allows you to control user group assignment from within your IdP.

This capability is made possible by including an attribute in your SAML response labelled rbacGroups that contains the name(s) of the Insight Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Insight Platform and will inherit the product, role, and resource access associated with those groups.

With Group Sync enabled, IdP users will be removed from any Insight Platform groups not included in their SAML assertion. IdP users will retain any roles or permissions assigned directly to them, including those from a default access profile.
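As an added example (not Rapid7's code or the Insight Platform's own logic), the snippet below parses a constructed SAML assertion carrying the attribute names from the Attribute mapping section (Email, FirstName, LastName) plus rbacGroups, then computes the group changes Group Synchronization implies for one user: groups named in rbacGroups are added, and groups the user holds that the assertion does not name are removed. The group names and the user are assumptions invented for the sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion (not a real Google response). It carries the
# attributes this guide maps, plus the rbacGroups attribute used by Group Sync.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="rbacGroups">
      <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
      <saml:AttributeValue>Vuln Management</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRIBUTES = ("Email", "FirstName", "LastName")


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def plan_group_sync(assertion_xml, current_groups):
    """Compute the membership changes Group Sync implies for one user.

    Groups listed in rbacGroups are added; groups the user is in but the
    assertion does not list are removed. An assertion with no rbacGroups
    therefore removes the user from every synced group. Roles assigned
    directly to the user are not touched, so they are not modelled here.
    """
    attrs = parse_attributes(assertion_xml)
    missing = [name for name in REQUIRED_ATTRIBUTES if not attrs.get(name)]
    if missing:
        # The mapping step of this guide is incomplete: refuse rather than guess.
        raise ValueError("assertion lacks required attributes: " + ", ".join(missing))
    wanted = set(attrs.get("rbacGroups", []))
    current = set(current_groups)
    return {"add": sorted(wanted - current), "remove": sorted(current - wanted)}
```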

Configure user groups

As Group Synchronization requires the use of Insight Platform User Groups, it is important that you have configured groups before activating it. Read our Insight Platform User Groups documentation for details on how to do this.

Users local to the Insight Platform

If you purchased or trialed Rapid7 products, you may have several local users that can sign in to the Insight Platform through insight.rapid7.com. These users will retain the ability to sign in this way until they authenticate using SSO.

  • Local users will lose their ability to sign in through insight.rapid7.com after they authenticate using SSO for the first time, but will retain their existing direct access (such as with product and role assignment).
  • Users managed by your IdP cannot be converted back to local users.

Local users and IdP users can be differentiated within the User Management section of the Insight Platform, as IdP users will have a circled user badge beside their name.

Difference between IdP and Local users

Rapid7 recommends keeping at least one local Platform Administrator user to support external IdP configuration or troubleshooting.

You can still configure password policies for your users.

  • If you choose to apply an MFA policy to the Insight Platform in addition to an IdP MFA policy, users may be prompted to authenticate twice when accessing the Insight Platform from the IdP.
  • If you choose to apply a password policy, note that local users will encounter an authentication error when their Insight Platform password expires. If this occurs, reset the Insight Platform password at the insight.rapid7.com credential prompt.