Configure OneLogin as an SSO source for the Command Platform

This article covers how to configure a Command Platform single sign-on (SSO) source for use with OneLogin.

Create the Command Platform app in OneLogin

  1. In OneLogin, navigate to Applications, then select Add App.
  2. Search for and select SAML Test Connector (Advanced).
  3. Enter a display name.
    • Rapid7 Command Platform is recommended.
  4. Click Save.

Now that the application has been created in OneLogin, you can configure it using information from the Command Platform.

Configure the application in OneLogin

  1. Open the Configuration tab in OneLogin.
  2. Copy the RelayState, Audience, and Recipient values into the matching fields. All three can be found in the SSO Settings tab of the Command Platform, under the section titled Copy the following data into your external IdP.
  3. In the ACS (Consumer) URL and ACS (Consumer) URL Validator fields, enter the same value as the Recipient field.
  4. Open the SSO tab.
  5. In the SAML Signature Algorithm field, select SHA-256.
  6. Click Save.

Configure parameters in OneLogin

  1. In the Parameters tab, click Add parameter.
  2. In Field name, enter Email.
  3. In Value, search for and select Email.
  4. Ensure the Include in SAML assertion check box is selected.
  5. Click Save, then click Add parameter again.
  6. In Field name, enter FirstName.
  7. In Value, search for and select First Name.
  8. Ensure the Include in SAML assertion check box is selected.
  9. Click Save, then click Add parameter for a final time.
  10. In Field name, enter LastName.
  11. In Value, search for and select Last Name.
  12. Ensure the Include in SAML assertion check box is selected.
  13. Click Save.
  14. Click Save again in the Parameters tab to finish.

Now that parameters have been added, you can start configuring the Command Platform with information from OneLogin.

Configure the Command Platform

In the SSO tab of OneLogin, you can find the X.509 certificate, Issuer URL, and SAML 2.0 Endpoint (HTTP) needed to configure the Command Platform.

Add the OneLogin certificate to the Command Platform

To download the OneLogin X.509 certificate:

  1. Click View Details under the certificate.
  2. Click Download.

After you download the certificate, navigate to the Command Platform.

To upload the certificate:

  1. From the left menu of the Rapid7 Command Platform Home page, click the Administration link.
  2. In the left menu of the Administration page, click Settings.
  3. Click the SSO Settings tab in the Authentication Settings section.
  4. Under the section titled Add your IdP Certificate, drag and drop your X.509 certificate or click the Browse button to search for it on your local machine.

The interface will display the upload date and your name to confirm that the upload was successful. Next, you will need to copy the Issuer URL and SAML 2.0 Endpoint (HTTP) fields into the Command Platform.

To do so:

  1. In the SSO tab on OneLogin, click on the copy icon beside the field labeled Issuer URL.
  2. In the Command Platform under the section titled Provide the required fields from your IdP, paste the Issuer URL into the corresponding field.
  3. Repeat this for the SAML 2.0 Endpoint (HTTP) field.

Before finishing in the Command Platform, you have the option to add a default access profile.

Set up a default access profile

A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in OneLogin. See our default access profile documentation for instructions.

Group Synchronization

Group Synchronization allows you to control user group assignment from within your IdP.

This capability is enabled by including a parameter labeled rbacGroups in your SAML response that contains the name(s) of the Command Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Command Platform and will inherit the product, role, and resource access associated with those groups.

⚠️ With Group Sync enabled, IdP users will be removed from any Command Platform groups not included in their SAML assertion. IdP users will retain any roles or permissions assigned directly to them, including those from a default access profile.
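The following is an added example, not part of this article or of the Command Platform itself, showing what the parameters configured above and the rbacGroups attribute look like inside a SAML assertion, and how the documented Group Sync behaviour (membership is replaced by exactly the groups named in the assertion) plays out for a user. The assertion fragment, group names, and function names are constructed for illustration; signature validation, which a real SAML consumer must perform before trusting any attribute, is out of scope here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real OneLogin response): the Email, FirstName and
# LastName parameters from this guide plus a multi-valued rbacGroups parameter.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="rbacGroups">
      <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
      <saml:AttributeValue>Read Only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

REQUIRED_ATTRIBUTES = ("Email", "FirstName", "LastName")


def parse_attributes(assertion_xml: str) -> dict:
    """Return every Attribute in the AttributeStatement as name -> list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name", "")] = [v for v in values if v]
    return attrs


def missing_required(attrs: dict) -> list:
    """Names of the guide's three user parameters that are absent or empty."""
    return [name for name in REQUIRED_ATTRIBUTES if not attrs.get(name)]


def plan_group_sync(asserted_groups, current_groups, known_groups) -> dict:
    """Mirror the documented Group Sync rule: the user ends up in exactly the asserted
    groups that exist in the Command Platform; other current memberships are removed.
    Asserted names that match no existing group are reported rather than silently
    ignored, since a typo in the IdP would otherwise strip access on next login."""
    desired = set(asserted_groups) & set(known_groups)
    return {
        "add": sorted(desired - set(current_groups)),
        "remove": sorted(set(current_groups) - desired),
        "unknown": sorted(set(asserted_groups) - set(known_groups)),
    }
```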

Configure User Groups

As Group Synchronization requires the use of Command Platform User Groups, it is important that you have configured your groups before activating it. Read our Command Platform User Groups documentation for details on how to do this.