Configure Google as an SSO source for the Command Platform
This article covers how to configure a Command Platform single sign-on (SSO) source for use with Google.
Create the Command Platform application in Google
If you haven’t already, you will need to create a custom SAML application within your Google Workspace Admin Console.
To create a custom SAML application in Google:
- Navigate to Apps > Web and mobile apps.
- Click Add App > Add custom SAML app.
- Name the application. Rapid7 Command Platform is recommended.
- Click Continue.
Add the Google certificate to the Command Platform
To download the certificate from Google and upload it to the Command Platform:
- In the Google Identity Provider details tab under Option 2, click the download icon to the right of the certificate.
- From the left menu of the Rapid7 Command Platform Home page, click the Administration link.
- In the left menu of the Administration page, click Settings.
- Click the SSO Settings tab in the Authentication Settings section.
- From the Select your identity provider (IdP) dropdown, select Google.
- In the section titled Add your IdP certificate, drag and drop your Google certificate, or click the Browse button to search for it on your machine.
Configure the Command Platform
Once the certificate is uploaded, the next step is to copy the SSO URL and Entity ID from Google.
To copy values for these fields:
- Under Option 2 in Google, click the copy icon beside SSO URL.
- Paste the SSO URL into the corresponding field on the Command Platform under the section titled Provide the required fields from your IdP.
- Repeat this step for the Entity ID, pasting it into the corresponding field on the Command Platform.
- When both values have been copied into the Command Platform, click Continue on Google.
In the Service Provider section of your cloud application in Google, you now need to fill in the Entity ID, ACS URL, and Default Relay State provided by the Command Platform:
- From the Command Platform section titled Copy the following data into your external IdP, click Copy beside the field labeled Assertion Consumer Service (ACS) URL.
- Paste this into the corresponding field in Google.
- Repeat this for the Entity ID field.
- Finally, repeat this for the Default Relay State field.
Configure the Service Provider details in Google
You should now be on the Service provider details tab in Google.
To add the ACS URL, Entity ID, and Start URL from the Command Platform:
- In the section on the Command Platform titled Copy the following data to your external IdP, click Copy beside the ACS URL field.
- Paste this into the corresponding field in Google.
- Repeat this for the Entity ID field.
- Repeat this for the Start URL field.
- In Google, the Signed Response check box should be left unselected.
- Name ID format should be UNSPECIFIED.
- Name ID should be Basic Information > Primary Email.
- Click Continue.
Attribute mapping
You should now be on the Attribute mapping tab in Google. You need to add the values described in the Attribute Statements box on the Command Platform.
To add these values:
- Click Add Mapping in Google.
- Under Google Directory attributes, select Primary Email from the dropdown. Under App attributes, enter Email, then click Add Mapping.
- Select First name from the dropdown. Under App attributes, enter FirstName, then click Add Mapping.
- Select Last name from the dropdown. Under App attributes, enter LastName.
- Click Finish.
This completes the configuration of the Command Platform app in Google.
Set up a default access profile
A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in Google. See our default access profile documentation for instructions.
Group Synchronization
Group Synchronization allows you to control user group assignment from within your IdP.
This capability is made possible by including an attribute in your SAML response labelled rbacGroups that contains the name(s) of the Command Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Command Platform and will inherit the product, role, and resource access associated with those groups.
With Group Sync enabled, IdP users will be removed from any Command Platform groups not included in their SAML assertion. IdP Users will retain any roles or permissions assigned directly to them, including those from a default access profile.
Configure user groups
As Group Synchronization requires the use of Command Platform User Groups, it is important that you have configured groups before activating it. Read our Command Platform User Groups documentation for details on how to do this.
Users local to the Rapid7 Command Platform
If you purchased or trialed Rapid7 products, you may have several local users that can sign in to the Command Platform through insight.rapid7.com. These users will retain the ability to sign in this way until they authenticate using SSO.
- Local users will lose their ability to sign in through insight.rapid7.com after they authenticate using SSO for the first time, but will retain their existing direct access (such as product and role assignments).
- Users managed by your IdP cannot be converted back to local users.
Local users and IdP users can be differentiated within the User Management section of Command Platform Administration, as IdP users will have a circled user badge beside their name.
Rapid7 recommends keeping at least one local Platform Administrator user to support external IdP configuration or troubleshooting.
You can still configure password policies for your users.
- If you choose to apply an MFA policy to the Command Platform in addition to an IdP MFA policy, users may be prompted to authenticate twice when accessing the Command Platform from the IdP.
- If you choose to apply a password policy, note that local users will encounter an authentication error when their Command Platform password expires. If this occurs, reset the Command Platform password at the insight.rapid7.com credential prompt.