SAML - Just In-Time Provisioning

The instructions on this page detail the steps required to configure Just In-Time User Provisioning for SAML. For general information check out the Just In-Time User Provisioning (Authentication Server Support) overview documentation.

If you are looking for instructions on Configuring Authentication Server Support for SAML that does not include JIT, refer to the documentation here SAML.

Supported Options

These steps use Okta configurations as an example. For specific details on Okta we recommend you refer to their documentation. For other providers, we recommend you refer to the provider's configuration documentation.

As always, if you have questions or issues or want details on implementation using something other than Okta we're here to help, reach out to us through the Customer Support Portal.

Configuration Considerations

Entitlements

You must be prepared to complete the setup of your entitlements. Attempting to create group mappings without completing this setup in InsightCloudSec will create groups with users that have NO associated permissions.

Take a look at our documentation around Basic User Groups, Roles, & Entitlements or the User Entitlements Matrix if you still need to prepare these configurations.

Scheduled Updates

In InsightCloudSec, scheduled updates run once an hour. The authentication server gets lists of members of the mapped user groups, and InsightCloudSec’s users and group associations are updated to match.

Credentials

A credential to the authentication server is required to perform the scheduled updates.

For Okta, this is implemented using a read-only API key.

Existing SAML Users

Users from SAML authentication servers should have a unique username. In cases where a username is already in use by a local InsightCloudSec user an administrator may need to update the user accounts in InsightCloudSec.

Product name to be replaced

You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.

Configuring JIT for SAML

InsightCloudSec Initial Setup (Authentication Server) for SAML

Refer to the steps below to complete the initial required configuration for SAML using Okta within InsightCloudSec.

  1. Navigate to Administration > User Management and select Authentication Server.
  2. Click on Add Server to create a new authentication server.
    • Select a Server Nickname (name)
    • Select SAML
    • Select the Global Scope checkbox if you want to use this server across multiple InsightCloudSec Organizations. Learn more about Organizations.
  3. At this point you will need to return to Okta with the URL information provided in this form, for example:
    • https://baseurl.net/v3/auth/provider/saml/1/acs
    • https:/baseurl.net/v3/auth/provider/saml/1/metadata/

Okta Setup for SAML

These steps assume that you have the required URLs from the Create Authentication Server window in InsightCloudSec.

Refer to the steps below to complete the required configuration setup for SAML using Okta. You can refer to Okta's documentation on setting up a SAML application here.

  1. Log in to Okta as an administrator.
  2. Navigate to Applications, select Add Application, and then click on the Create New App.
  3. On the Create a New Application Integration update the SAML configuration details as follows:
    • Platform: Web
    • SAML 2.0
  4. Click Create.
  5. Complete the Create SAML Integration details:
    • Provide the App with an appropriate name
    • Add an optional logo
  6. Under the General SAML Settings complete the details as follows:
    • You will need to provide the two URLs copied from Step #3 in the InsightCloudSec instructions above, for example:
      • For Single sign on URL https://baseurl.net/v3/auth/provider/saml/1/acs
      • For Audience URI (SP Entity ID) https:/baseurl.net/v3/auth/provider/saml/1/metadata/
  7. Complete the rest of the form options/settings as desired.
  8. In the SAML form, to successfully establish group mapping and create users, you will need to update the Attribute Statements (optional). These details enable InsightCloudSec to appropriate identify and collect user details.
    • Name: email Value user.email
    • Name: firstName Value user.firstName
    • Name: lastName Value user.lastName
  9. In addition we recommend configuring Group Attribute Statements (Optional), to help InsightCloudSec locate the group information for example:
    • Name: memberOf
    • Starts with: InsightCloudSec
  10. Click Next and then click Finish to complete the setup of the Okta portion of the SAML integration.
  11. From your completed App page, click on View Setup Instructions to display the configuration details required to finalize your setup in InsightCloudSec.

InsightCloudSec Continued Setup for SAML

These steps assume you are still working from the Administration > User Management on the Authentication Servers tab with an active window to create a new SAML Authentication server.

Continue from Step #3 above where you copied the required URLS for Okta, moved to Okta, and have returned to InsightCloudSec with your completed SAML config details. We are resuming the InsightCloudSec setup.

  1. Complete the details for the SAML Authentication Server including the following required fields:

    • Idp Entity ID/Metadata URL
    • SSO URL
    • Idp x509 Certificate
    • Checkbox - Enable JIT user provisioning at login (if selected enables provisioning as soon as the user logs in)
    • Checkbox - Make this the default SSO for JIT user provisioning. Only one server can be set as the default).
      • If this is enabled, users that don't exist will be redirected to Okta to login.
      • Important - if this option is selected it will prevent you from creating additional SAML integrations.
  2. Continuing completion of the SAML Form

    • SAML attribute name for user groups - This field should be completed the with name you provided in as part of the Group Attribute Statement
    • SAML attribute name for displayname (or firstname)
    • SAML attribute name for last name
    • SAML attribute for email

    These are the fields you completed as part of the Okta setup - Attribute Statements (optional) in Step #8 above.

  3. Continuing completion of the SAML Form

    • Checkbox - Enable periodic user provisioning (Okta only) - if enabled provides hourly sync with Okta
    • API Key - API Key (token to communicate with Okta)

    The next fields are optional and can be modified based on your requirements

    • login (default)
    • displayName (default)
    • User profile field to use for last name (optional)
    • email (default)
  4. Continuing completion of the SAML Form

    • Checkbox - Update profile (email & display name) on JIT and periodic user provisioning
      • Enabling this field allows InsightCloudSec to absorb changes on the Okta side to any usernames or display information. We encourage you to enable this box to allow us to maintain changes that may take place in Okta
    • Name ID Format - to provide user name details for SAML
    • signature Algorithm - to provide SSO provider digital signature details
  5. Continuing completion of the SAML Form. Select any of the checkboxes to enable any desired specific attributes. These are as named, e.g., nameIdEncrypted - when checked will encrypt the nameId field, etc.

  6. Click Submit when you have provided all of the necessary details.

  7. Navigate to Administration > User Management and open the tab labelled User Groups.

  8. Click Add User Group and name your new group as desired. This field will be used to populate the InsightCloudSec Group name when you configure your Group Mapping (these must match and are case sensitive).

  9. Click on the Actions menu to the left of your new/target group name to access the Manage Entitlements capabilities.

Managing Entitlements

Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.

If you create a group and enable group mapping BEFORE you establish entitlements, the users within your groups will have nothing configured and will not be able to access anything.

Refer to our documentation on Basic User Groups, Roles, & Entitlements, and our User Entitlements Matrix for details.

  1. Navigate to Administration > User Management and select the Authentication Servers tab.
  2. Click on the Actions menu to the right of the line for the server you created earlier and select Update Group Mappings.
  3. Complete your Group Mappings as desired. Click on the + at the top to add additional lines.
    • Domain Admin, Domain Viewer, and Organization Admin fields already exist as presets.
    • Even with mapped groups associated these mappings simply establish the Domain Admin, Domain Viewer, and Organization Admin users. These aren't technically groups, and as such you will have to locate them by name individually to modify or update them.
  4. Click Submit to complete your Group Mappings.
    • If you do nothing, Okta will sync hourly and update your mapping.
    • If any users logs in it will kick off the synchronization process.
    • To manually sync click the actions menu and select Synchronize Users
    • You can verify the sync by checking out the View Logs option under the actions menu, or by visiting the User Groups tab to watch the user count increase.