Configure OneLogin as an SSO source for the Insight Platform

This article covers how to configure an Insight Platform single sign-on (SSO) source for use with OneLogin.

Create the Insight Platform app in OneLogin

  1. In OneLogin, navigate to Applications, then select Add App.
  2. Search for and select SAML Test Connector (Advanced).
  3. Enter a display name.
    • Rapid7 Insight Platform is recommended.
  4. Click Save.

Now that the application has been created in OneLogin, you can configure it using information from the Insight Platform.

Configure the application in OneLogin

  1. Open the Configuration tab in OneLogin.
  2. Enter the RelayState, Audience, and Recipient values. All three are shown in the SSO Settings tab of the Insight Platform under the section titled Copy the following data into your external IdP.
  3. In the ACS (Consumer) URL and ACS (Consumer) URL Validator fields, enter the same value as the Recipient field.
  4. Open the SSO tab.
  5. In the SAML Signature Algorithm field, select SHA-256.
  6. Click Save.

Configure parameters in OneLogin

  1. In the Parameters tab, click Add parameter.
  2. In Field name, enter Email.
  3. In Value, search for and select Email.
  4. Ensure the Include in SAML assertion check box is selected.
  5. Click Save, then click Add parameter again.
  6. In Field name, enter FirstName.
  7. In Value, search for and select First Name.
  8. Ensure the Include in SAML assertion check box is selected.
  9. Click Save, then click Add parameter for a final time.
  10. In Field name, enter LastName.
  11. In Value, search for and select Last Name.
  12. Ensure the Include in SAML assertion check box is selected.
  13. Click Save.
  14. Click Save again in the Parameters tab to finish.

Now that parameters have been added, you can start configuring the Insight Platform with information from OneLogin.

Configure the Insight Platform

In the SSO tab of OneLogin, you can find the X.509 certificate, Issuer URL, and SAML 2.0 Endpoint (HTTP) needed to configure the Insight Platform.

Add the OneLogin certificate to the Insight Platform

To download the OneLogin X.509 certificate:

  1. Click View Details under the certificate.
  2. Click Download.

After you download the certificate, navigate to the Insight Platform.

To upload the certificate:

  1. Click the SSO Settings tab in Company Settings.
  2. Under the section titled Add your IdP Certificate, drag and drop your X.509 certificate or click the Browse button to search for it on your local machine.

The interface will display the upload date and your name to confirm that the upload was successful. Next, you will need to copy the Issuer URL and SAML 2.0 Endpoint (HTTP) fields into the Insight Platform.

To do so:

  1. In the SSO tab on OneLogin, click the copy icon beside the field labeled Issuer URL.
  2. In the Insight Platform under the section titled Provide the required fields from your IdP, paste the Issuer URL into the corresponding field.
  3. Repeat this for the SAML 2.0 Endpoint (HTTP) field.

Before finishing in the Insight Platform, you have the option to add a default access profile.

Set up a default access profile

A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in OneLogin. See our default access profile documentation for instructions.

Group Synchronization

Group Synchronization allows you to control user group assignment from within your IdP.

This capability is made possible by including a parameter in your SAML response labelled rbacGroups that contains the name(s) of the Insight Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Insight Platform and will inherit the product, role, and resource access associated with those groups.

With Group Sync enabled, IdP users will be removed from any Insight Platform groups not included in their SAML assertion. IdP Users will retain any roles or permissions assigned directly to them, including those from a default access profile.
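The following script is an added example and is not Rapid7, Insight Platform or OneLogin code. It ties together three parts of this article: the Email, FirstName and LastName parameters configured in the Parameters tab, the SHA-256 signature algorithm selected in the SSO tab, and the rbacGroups attribute that drives Group Synchronization. Given a SAML 2.0 assertion it reports which required attributes are missing, whether the Audience matches the value copied from the Insight Platform, whether the signature method is RSA-SHA256, and, applying the Group Sync rule stated above, which groups a user would be added to and removed from. The assertion, the audience URL, the issuer, the group names and the identity are all constructed placeholders, and the assumption that rbacGroups arrives as multiple AttributeValue elements is mine; the Signature element is a structural stub, so nothing here verifies a signature.

```python
"""Inspect the attribute statement of a SAML 2.0 assertion.

Added example; not Rapid7, Insight Platform or OneLogin code. It checks
that an assertion carries the Email, FirstName and LastName parameters
configured in OneLogin, reads the optional multi-valued rbacGroups
attribute used by Group Synchronization, confirms the Audience, and
reports the signature algorithm. The XML is constructed for the demo and
its Signature element is a structural stub: nothing here verifies a
signature, which a real consumer must do before trusting any value.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED = ("Email", "FirstName", "LastName")
# Placeholder for the Audience value copied from the Insight Platform SSO Settings tab.
EXPECTED_AUDIENCE = "https://example.invalid/audience-placeholder"

# Constructed sample assertion; identities, issuer and URLs are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/PLACEHOLDER</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://example.invalid/audience-placeholder</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="LastName">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="rbacGroups">
      <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
      <saml:AttributeValue>Vulnerability Managers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Map each Attribute Name to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name", "")] = [(v.text or "").strip() for v in values]
    return attrs


def audience(assertion_xml: str) -> Optional[str]:
    """Return the Audience from the Conditions element, if present."""
    node = ET.fromstring(assertion_xml).find(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return node.text.strip() if node is not None and node.text else None


def signature_algorithm(assertion_xml: str) -> Optional[str]:
    """Return the SignatureMethod Algorithm URI (not a signature check)."""
    node = ET.fromstring(assertion_xml).find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    return node.get("Algorithm") if node is not None else None


def check_assertion(assertion_xml: str, expected_audience: str) -> dict:
    """Summarise whether the assertion matches the configuration the article describes."""
    attrs = extract_attributes(assertion_xml)
    missing = [n for n in REQUIRED if not any(attrs.get(n, []))]
    groups = [g for g in attrs.get("rbacGroups", []) if g]
    algo = signature_algorithm(assertion_xml) or ""
    return {
        "missing": missing,
        "groups": groups,
        "audience_ok": audience(assertion_xml) == expected_audience,
        "sha256_signature": algo.endswith("rsa-sha256"),
    }


def group_changes(current: Set[str], asserted: List[str]) -> Tuple[Set[str], Set[str]]:
    """Group Sync rule from the article: the rbacGroups list is authoritative.
    Returns (groups to add, groups to remove) for a user currently in `current`."""
    wanted = set(asserted)
    return wanted - current, current - wanted


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, EXPECTED_AUDIENCE))
    print(group_changes({"SOC Analysts", "Legacy Group"},
                        ["SOC Analysts", "Vulnerability Managers"]))
```

Run it against an assertion captured from a test login (after signature verification) to confirm the three parameter names are spelled exactly as the Insight Platform expects and that every group named in rbacGroups already exists as an Insight Platform User Group; the group_changes output makes the removal side of Group Sync visible before you enable it.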

Configure User Groups

As Group Synchronization requires the use of Insight Platform User Groups, it is important that you have configured groups before activating. Read our Insight Platform User Groups documentation for details on how to do this.

Users local to the Insight Platform

If you purchased or trialed Rapid7 products, you may have several local users that can sign in to the Insight Platform through insight.rapid7.com. These users will retain the ability to sign in this way until they authenticate using SSO.

  • Local users will lose their ability to sign in through insight.rapid7.com after they authenticate using SSO for the first time, but will retain their existing direct access (such as with product and role assignment).
  • Users managed by your IdP cannot be converted back to local users.

Local users and IdP users can be differentiated within the User Management section of the Insight Platform, as IdP users will have a circled user badge beside their name.

Difference between IdP and Local users

Rapid7 recommends keeping at least one local Platform Administrator user to support external IdP configuration or troubleshooting.

You can still configure password policies for your users.

  • If you choose to apply an MFA policy to the Insight Platform in addition to an IdP MFA policy, users may be prompted to authenticate twice when accessing the Insight Platform from the IdP.
  • If you choose to apply a password policy, note that local users will encounter an authentication error when their Insight Platform password expires. If this occurs, reset the Insight Platform password at the insight.rapid7.com credential prompt.