Configure SSO access to the InsightVM Security Console

You can configure single sign-on (SSO) to the InsightVM Security Console using an external identity provider (IdP). This feature allows you to authenticate and control user access to the InsightVM Security Console from your existing single sign-on solution.

Insight Platform Login overrides SSO authentication

Enabling Insight Platform Login disables all local login methods. Any console-based external authentication source configured for your account (for example, SAML, LDAP, or Kerberos) will stop working after a default 60-day grace period.

Before you begin

Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. Any IdP you want to use must meet the SAML 2.0 compliance requirements, which you can read about here: https://en.wikipedia.org/wiki/SAML-based_products_and_services

To test whether your IdP is compliant, you can use a free SAML testing tool such as: https://www.samltool.com/

Only one source can be configured

Only one SAML authentication source is permitted. Defining a new SAML source will overwrite the current source definition, if it exists.

Configure SSO

On the Administration page, in the Authentication: 2FA and SSO section, click Configure SAML Source.

Required Information

The following information is required for configuring SSO.

| Field | Description |
| --- | --- |
| Entity id URL | The Entity id URL is the Console Unique Identifier URL, for example http://rapid7.com/nsc/console/ceea081b-l. The URL is HTTP and not HTTPS. |
| ACS URL | The Assertion Consumer Service (ACS) URL is the Security Console hostname or IP address, followed by the port number, with /saml/SSO appended to the end of the URL, for example: https://console-hostname:3780/saml/SSO. If the Console’s ACS URL includes a hostname or FQDN, then it must be specified as the Base Entity URL in the Identity Provider section. |
| IDP Provider Metadata (XML) | IdP-generated XML. Consult the applicable guide or your identity provider's documentation. |

Base Entity URL

If the Console’s ACS URL includes a hostname or FQDN, then it must be specified as the Base Entity URL in the Identity Provider section.

For the Base Entity URL, use the following format: https://<console-hostname>:<console-port>

For example, https://consoleserver.yourdomain.com:3780

Server reboot required

If you apply a Base Entity URL, you must reboot the server.
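
A pre-flight check for the values described above, as an added example that is not Rapid7 code: it derives the Base Entity URL that a hostname-based ACS URL requires and sanity-checks IdP metadata XML before you paste it into the console. The function names and the sample metadata are constructed for illustration, and the HTTPS requirement on the ACS URL is an assumption taken from this page's examples.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed sample metadata (placeholder entityID, endpoint and certificate body).
SAMPLE = f"""<EntityDescriptor xmlns="{MD[1:-1]}" entityID="https://idp.example.test/meta">
<IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
<KeyDescriptor use="signing"><KeyInfo xmlns="{DS[1:-1]}"><X509Data>
<X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
 Location="https://idp.example.test/sso"/>
</IDPSSODescriptor></EntityDescriptor>"""

def base_entity_url(acs_url):
    """Base Entity URL required for this ACS URL, or None when the ACS URL uses an IP."""
    u = urlsplit(acs_url)
    if u.scheme != "https" or not u.hostname or u.port is None or u.path != "/saml/SSO":
        raise ValueError("expected https://<host>:<port>/saml/SSO")
    try:
        ipaddress.ip_address(u.hostname)
        return None  # IP-based ACS URL: the hostname/FQDN rule does not apply
    except ValueError:
        return f"https://{u.hostname}:{u.port}"  # hostname/FQDN: must be set

def check_idp_metadata(xml_text):
    """Return a list of problems in IdP metadata XML; an empty list means it passed."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["contains a DTD; refusing to parse"]  # avoid entity-expansion input
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID") or idp is None:
        return ["not a SAML 2.0 EntityDescriptor with an IDPSSODescriptor"]
    problems = []
    if SAML2 not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("SAML 2.0 protocol support not declared")
    if not idp.findall(MD + "SingleSignOnService"):
        problems.append("no SingleSignOnService endpoint")
    signing = [k for k in idp.findall(MD + "KeyDescriptor")
               if k.get("use") in (None, "signing")
               and k.find(f".//{DS}X509Certificate") is not None]
    if not signing:
        problems.append("no signing certificate in KeyDescriptor")
    return problems
```

These checks are structural only; they do not validate the certificate itself or confirm that the IdP's signature will verify.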

Identity Provider Configuration

Refer to the following pages based on your Identity Provider: