Idaptive SSO

Idaptive SSO is a cloud service that allows you to track ingress authentication events and produce documents for those events in order to protect against privileged access abuse.

At this time, InsightIDR only tracks password authentications through your Idaptive data. After you complete the configuration, this event source refreshes every two hours.

Before You Begin

Use an Admin account to connect to InsightIDR with API permissions to query the redrock/query and /security endpoints. Read more about the Idaptive API here: https://developer.idaptive.com/reference#post_acl-checkrowright

You must also gather the following information from your Idaptive application:

  • TenantID
  • User
  • Password

Configure Idaptive SSO

Complete these tasks to configure Idaptive SSO for this event source.

Task 1: Create an authentication profile

Create an authentication profile that uses a password for the first challenge and no secondary challenge (InsightIDR only supports password authentication). The profile must also bypass multi-factor authentication.

Task 2: (Optional) Create a policy

Users who have multi-factor authentication (MFA) enabled may need to create a unique policy that allows the InsightIDR account to bypass MFA and other controls (InsightIDR does not support MFA). To create a policy:

  1. Log in to the admin portal using the same account as the event source.
  2. Click Core Services > Policies > Add Policy Set.
  3. Define the policy related information.
  4. Enter a name for the policy set.
  5. Enter the description you want to appear on the Admin Portal Policy page.
  6. Select the Set Policy to active option if necessary (it is enabled by default).
  7. Specify policy assignment.
  8. Click the Save button.

Task 3: Verify that you can access the Redrock Query

To test access to the Redrock Query:

  1. Log in to the admin portal using the same account as the event source.
  2. Navigate to Core Services > Reports.
  3. Click on New Report.
  4. Click on Edit Script and paste:

     select ID,InternalSessionId,WhenOccurred,EventType,EventMessage,NormalizedUser,FromIPAddress,DirectoryServiceName from event where whenoccurred >= datefunc('now','-23:59') order by whenoccurred asc

  5. Click Preview.

If the preview returns records, there is access to the Redrock Query endpoint.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Idaptive in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the Idaptive event source tile.
  4. Select your collector and Idaptive from the event source dropdown.
  5. Name your event source.
  6. Optionally choose to send unparsed logs.
  7. Select your LDAP account attribution preference.
  8. Select your Idaptive credentials, or optionally create a new credential.
  9. In the “Tenant ID” field, enter the tenant ID for your Idaptive appliance. For example, if your Idaptive URL is tenantID.my.idaptive.app, your tenant ID is tenantID.
  10. Click Save.

Verify the Configuration

  1. From the left menu, click Log Search to view your raw logs to ensure events are making it to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Idaptive SSO” if you did not name the event source.

     Idaptive SSO logs flow into the log set:

       • Ingress Authentication

  2. Perform a Log Search to make sure Idaptive SSO events are coming through.

The following is a sample of input logs that Idaptive SSO sends to InsightIDR.

  {
    "FromIPAddress": "149.14.220.2",
    "ID": "7729851cecdcfa97.W1a.f478.bdec1d8678e62ddd",
    "EventType": "Cloud.Core.LoginFail",
    "EventMessage": "Failed login attempt as bob from 149.14.220.2",
    "NormalizedUser": "bob",
    "InternalSessionId": "2669c4fd-34c2-4e01-9add-13a0a5062de1",
    "WhenOccurred": "/Date(1547554501673)/",
    "DirectoryServiceName": "UNKNOWN"
  }
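As an added example, not code from Rapid7 or Idaptive, the following Python parses event records shaped like the sample above, decodes the /Date(<epoch milliseconds>)/ form of WhenOccurred into a UTC timestamp, checks that the fields the Redrock query selects are present, and counts failed logins per user and source IP. That is the kind of sanity check a defender can run over a handful of exported lines before trusting what the collector parses. The record IDs, session IDs, the "alice" user and the Cloud.Core.Login success event type are constructed assumptions for this example; only Cloud.Core.LoginFail and the field names come from the page.

```python
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records modelled on the page's sample log. IDs, session
# IDs, the "alice" user and the "Cloud.Core.Login" success type are assumptions.
SAMPLE_LOG_LINES = [
    '{"FromIPAddress": "149.14.220.2", "ID": "example-id-1", '
    '"EventType": "Cloud.Core.LoginFail", '
    '"EventMessage": "Failed login attempt as bob from 149.14.220.2", '
    '"NormalizedUser": "bob", "InternalSessionId": "example-session-1", '
    '"WhenOccurred": "/Date(1547554501673)/", "DirectoryServiceName": "UNKNOWN"}',
    '{"FromIPAddress": "149.14.220.2", "ID": "example-id-2", '
    '"EventType": "Cloud.Core.LoginFail", '
    '"EventMessage": "Failed login attempt as bob from 149.14.220.2", '
    '"NormalizedUser": "bob", "InternalSessionId": "example-session-2", '
    '"WhenOccurred": "/Date(1547554531673)/", "DirectoryServiceName": "UNKNOWN"}',
    '{"FromIPAddress": "149.14.220.2", "ID": "example-id-3", '
    '"EventType": "Cloud.Core.LoginFail", '
    '"EventMessage": "Failed login attempt as bob from 149.14.220.2", '
    '"NormalizedUser": "bob", "InternalSessionId": "example-session-3", '
    '"WhenOccurred": "/Date(1547554561673)/", "DirectoryServiceName": "UNKNOWN"}',
    '{"FromIPAddress": "10.0.0.5", "ID": "example-id-4", '
    '"EventType": "Cloud.Core.Login", '
    '"EventMessage": "alice logged in from 10.0.0.5", '
    '"NormalizedUser": "alice", "InternalSessionId": "example-session-4", '
    '"WhenOccurred": "/Date(1547554600000)/", "DirectoryServiceName": "UNKNOWN"}',
]

# Fields selected by the page's Redrock query that the parser insists on.
REQUIRED_FIELDS = ("ID", "EventType", "NormalizedUser", "FromIPAddress", "WhenOccurred")

# Idaptive serialises timestamps as "/Date(<milliseconds since epoch>)/".
_DATE_RE = re.compile(r"^/Date\((-?\d+)\)/$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_when_occurred(value: str) -> datetime:
    """Decode the /Date(ms)/ format into a timezone-aware UTC datetime.

    Integer arithmetic via timedelta keeps the millisecond exact; going
    through a float timestamp can round the last microsecond.
    """
    match = _DATE_RE.match(value)
    if match is None:
        raise ValueError(f"unexpected WhenOccurred format: {value!r}")
    return _EPOCH + timedelta(milliseconds=int(match.group(1)))


def parse_event(line: str) -> dict:
    """Parse one JSON event line, verify required fields, normalise the timestamp."""
    event = json.loads(line)
    missing = [field for field in REQUIRED_FIELDS if field not in event]
    if missing:
        raise ValueError(f"event missing fields: {missing}")
    event["WhenOccurredUTC"] = parse_when_occurred(event["WhenOccurred"])
    # The page documents Cloud.Core.LoginFail for failed password logins;
    # every other EventType is treated as "not a failure" here.
    event["LoginFailed"] = event["EventType"] == "Cloud.Core.LoginFail"
    return event


def failed_logins_by_source(events, threshold: int = 3) -> dict:
    """Count failed logins per (user, source IP) and keep pairs at or above threshold."""
    counts = Counter(
        (event["NormalizedUser"], event["FromIPAddress"])
        for event in events
        if event["LoginFailed"]
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def analyse(lines, threshold: int = 3) -> dict:
    """Parse raw log lines and return the (user, ip) pairs with repeated failures."""
    events = [parse_event(line) for line in lines]
    return failed_logins_by_source(events, threshold)


if __name__ == "__main__":
    for (user, ip), n in analyse(SAMPLE_LOG_LINES).items():
        print(f"{n} failed password logins as {user} from {ip}")
```

The threshold is deliberately a parameter: the right value depends on how noisy your own Idaptive tenant is, and the two-hour refresh interval noted at the top of the page means a burst of failures may land in InsightIDR well after it happened, so correlate on WhenOccurredUTC rather than on collection time.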