Configure OneLogin as an SSO source for the Command Platform

This article covers how to configure a Command Platform single sign-on (SSO) source for use with OneLogin.

Create the Command Platform app in OneLogin

  1. In OneLogin, navigate to Applications, then select Add App.
  2. Search for and select SAML Test Connector (Advanced).
  3. Enter a display name.
    • Rapid7 Command Platform is recommended.
  4. Click Save.

Now that the application has been created in OneLogin, you can configure it using information from the Command Platform.

Configure the application in OneLogin

  1. Open the Configuration tab in OneLogin.
  2. Copy the RelayState, Audience, and Recipient values into the corresponding OneLogin fields. All three can be found in the SSO Settings tab in the Command Platform under the section titled Copy the following data into your external IdP.
  3. In the ACS (Consumer) URL and ACS (Consumer) URL Validator fields, enter the same value as the Recipient field.
  4. Open the SSO tab.
  5. In the SAML Signature Algorithm field, select SHA-256.
  6. Click Save.

Configure parameters in OneLogin

  1. In the Parameters tab, click Add parameter.
  2. In Field name, enter Email.
  3. In Value, search for and select Email.
  4. Ensure the Include in SAML assertion check box is selected.
  5. Click Save, then click Add parameter again.
  6. In Field name, enter FirstName.
  7. In Value, search for and select First Name.
  8. Ensure the Include in SAML assertion check box is selected.
  9. Click Save, then click Add parameter for a final time.
  10. In Field name, enter LastName.
  11. In Value, search for and select Last Name.
  12. Ensure the Include in SAML assertion check box is selected.
  13. Click Save.
  14. Click Save again in the Parameters tab to finish.

Now that parameters have been added, you can start configuring the Command Platform with information from OneLogin.

Configure the Command Platform

In the SSO tab of OneLogin, you can find the X.509 certificate, Issuer URL, and SAML 2.0 Endpoint (HTTP) needed to configure the Command Platform.

Add the OneLogin certificate to the Command Platform

To download the OneLogin X.509 certificate:

  1. Click View Details under the certificate.
  2. Click Download.

After you download the certificate, navigate to the Command Platform.

To upload the certificate:

  1. From the left menu of the Rapid7 Command Platform Home page, click the Administration link.
  2. In the left menu of the Administration page, click Settings.
  3. Click the SSO Settings tab in the Authentication Settings section.
  4. Under the section titled Add your IdP Certificate, drag and drop your X.509 certificate or click the Browse button to search for it on your local machine.

The interface will display the upload date and your name to confirm that the upload was successful. Next, you will need to copy the Issuer URL and SAML 2.0 Endpoint (HTTP) fields into the Command Platform.

To do so:

  1. In the SSO tab on OneLogin, click on the copy icon beside the field labeled Issuer URL.
  2. In the Command Platform under the section titled Provide the required fields from your IdP, paste the Issuer URL into the corresponding field.
  3. Repeat this for the SAML 2.0 Endpoint (HTTP) field.

Before finishing in the Command Platform, you have the option to add a default access profile.

Set up a default access profile

A default access profile allows you to define the products and roles that are automatically assigned to new users provisioned in OneLogin. See our default access profile documentation for instructions.

Group Synchronization

Group Synchronization allows you to control user group assignment from within your IdP.

This capability is made possible by including a parameter in your SAML response labelled rbacGroups that contains the name(s) of the Command Platform User Groups for each user. Your users will be automatically assigned to the corresponding groups in the Command Platform and will inherit the product, role, and resource access associated with those groups.

With Group Sync enabled, IdP users will be removed from any Command Platform groups not included in their SAML assertion. IdP users will retain any roles or permissions assigned directly to them, including those from a default access profile.
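As an added example (not Rapid7 or OneLogin code), the script below parses a constructed, unsigned SAML assertion carrying the three parameters configured above plus a multi-valued rbacGroups attribute, checks that the signature algorithm is SHA-256 as selected in the SSO tab, and works out which group memberships Group Sync would add and remove. The group names and user values are placeholders.

```python
# Added example (not Rapid7/OneLogin code): inspect a SAML assertion for the
# parameters and rbacGroups attribute this article configures.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
REQUIRED = ("Email", "FirstName", "LastName")   # parameters added in OneLogin

# Constructed, unsigned sample assertion; names and values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="rbacGroups">
      <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
      <saml:AttributeValue>Vuln Mgmt</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}


def check_assertion(xml_text):
    """List setup problems; an empty list means the assertion matches the article."""
    root = ET.fromstring(xml_text)
    problems = []
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA256:
        problems.append("SAML signature algorithm is not SHA-256")
    attrs = parse_attributes(xml_text)
    problems += [f"missing parameter {n}" for n in REQUIRED if n not in attrs]
    return problems


def group_sync(current_groups, xml_text):
    """Group Sync outcome: membership becomes exactly the rbacGroups values."""
    wanted = set(parse_attributes(xml_text).get("rbacGroups", []))
    return {"add": sorted(wanted - set(current_groups)),
            "remove": sorted(set(current_groups) - wanted)}
```

Running `group_sync(["SOC Analysts", "Legacy Admins"], SAMPLE_ASSERTION)` shows the user gaining Vuln Mgmt and losing Legacy Admins, which is the removal behaviour described above; direct role assignments are untouched because they are not part of the group diff.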

Configure User Groups

As Group Synchronization requires the use of Command Platform User Groups, it is important that you have configured groups before activating. Read our Command Platform User Groups documentation for details on how to do this.

Users local to the Rapid7 Command Platform

If you purchased or trialed Rapid7 products, you may have several local users that can sign in to the Command Platform through insight.rapid7.com. These users will retain the ability to sign in this way until they authenticate using SSO.

  • Local users will lose their ability to sign in through insight.rapid7.com after they authenticate using SSO for the first time, but will retain their existing direct access (such as with product and role assignment).
  • Users managed by your IdP cannot be converted back to local users.

Local users and IdP users can be differentiated within the User Management section of Command Platform Administration, as IdP users will have a circled user badge beside their name.

Difference between IdP and Local users

Rapid7 recommends keeping at least one local Platform Administrator user to support external IdP configuration or troubleshooting.

You can still configure password policies for your users.

  • If you choose to apply an MFA policy to the Command Platform in addition to an IdP MFA policy, users may be prompted to authenticate twice when accessing the Command Platform from the IdP.
  • If you choose to apply a password policy, note that local users will encounter an authentication error when their Command Platform password expires. If this occurs, reset the Command Platform password at the insight.rapid7.com credential prompt.