InsightVM Platform Login
InsightVM Platform Login consolidates our Security Console and cloud-based features into a single product interface by using insight.rapid7.com. Enable this login experience to help improve your overall product experience.
Why should I enable InsightVM Platform Login?
The InsightVM Platform Login allows you to access console-based tabs and cloud-based features from a single location on the Insight Platform, which means you no longer have to maintain multiple sets of credentials and authentication methods for the different parts of InsightVM. Instead, you can interact seamlessly with features specific to the Insight Platform such as Scan Engine Management, a feature that is available after enabling InsightVM Platform Login.
We recommend using InsightVM Platform Login
We recommend that all eligible users enable InsightVM Platform Login to avoid a disjointed product experience. Enabling InsightVM Platform Login also protects your environment from potential insufficient session expiration. CVE-2021-3844 is an active example of this type of vulnerability.
Requirements for enablement
- Once your Global Administrator has enabled InsightVM Platform Login, all Security Console users are eligible for InsightVM Platform Login.
- Your Security Console must be on version 6.6.62.
- The machine you want to use the InsightVM Platform Login on must be on the same physical network or Virtual Private Network (VPN) as the host machine on which your Security Console is installed. If InsightVM is unable to connect to your Security Console any time after enablement, console-based pages and features are unavailable until connectivity is established again.
How does InsightVM Platform Login work?
InsightVM Platform Login allows insight.rapid7.com to consolidate feature experiences by loading interfaces from your console host when needed by referencing your console URL. This means that you no longer have to log in to your console directly to access features such as site creation and configuration, scan credentials, and asset groups.
InsightVM Platform Login is an individual user experience. Enabling the experience for your own user account does not affect the login workflow of other InsightVM users that have not enabled it yet.
Once enabled, you access InsightVM through insight.rapid7.com by default with either your Insight account email address and password, or according to the company-wide authentication method configured by your Platform Administrator.
FAQ
Who can enable InsightVM Platform Login?
Global administrators can enable InsightVM Platform Login and extend that eligibility to non-admin users as defined in your console user management table.
What happens to my old login?
Older Security Console login methods will be deprecated for your user account. Any console-based external authentication source configured for your account (e.g. SAML, LDAP, or Kerberos) will no longer work.
To accommodate an easier transition to the new InsightVM Platform Login workflow, a 60-day grace period (starting from the time you first enable the experience) will allow your user account to continue using deprecated console login methods before they are disabled for you permanently.
As mentioned previously, enabling InsightVM Platform Login for your user account will not affect the login workflow of other InsightVM users that have not enabled it yet, including those who log in directly to the Security Console manually or through a console-based authentication source.
Does Insight Platform Login require additional authentication?
With access to InsightVM now consolidated exclusively on insight.rapid7.com, you will need to use the company-wide authentication setting configured by your Platform Administrator (if your organization requires a more robust authentication method beyond your standard Insight credentials).
You must use the source configured in your Insight Platform settings to use an external authentication source with InsightVM Platform Login. If you do not have an existing source, a user in your organization with Platform Administrator privileges will need to configure a new one for you.
There is only one Insight Platform authentication setting allowed at a time, and is enforced to all users. At this time, the Insight Platform supports the following authentication methods:
- SAML authentication supports both Identity Provider (IdP) and Service Provider (SP) initiated logins.
- Multi-factor authentication (MFA) that is layered onto the standard Insight account authentication method.
Security Console external authentication sources are not supported
Any Security Console-based external authentication sources (SAML, LDAP, or Kerberos) you may already have are no longer usable for your user account after enabling InsightVM Platform Login.
How are Insight Platform credentials determined?
Insight Platform credentials are email-based and allow you to use additional Platform-based features and multiple Insight products as long as you’ve been granted access to them. If InsightVM can’t find a matching Insight account based on the email address specified in your Security Console user configuration, we’ll create one for you automatically.
Signed certificate recommendation
We recommend you have a SSL certificate signed by a certificate authority for your Security Console URL. The InsightVM Platform Login experience stops working if InsightVM encounters a certificate error from your browser when you attempt to access console-based pages. See the Managing the HTTPS certificate section of the Managing the Security Console article for instructions on how to apply a signed certificate.
For a quick, but temporary, solution, see the Status and Connection Management section.
Can InsightVM Platform Login be disabled?
As of product release 6.6.86 (June 2, 2021), you are able to disable the InsightVM Platform Login through the Run section of InsightVM.
Vulnerability exposure risk
We strongly recommend that you continue to use InsightVM Platform Login. If you choose to disable the InsightVM Platform Login, your environment may be vulnerable to insufficient session expiration. Disabling InsightVM Platform Login will expose you to CVE-2021-3844.
Who can disable InsightVM Platform Login?
You must have the necessary administrator privileges to complete this request.
Disable your InsightVM Platform Login
- In the navigation menu, click Administration, in the Console > Troubleshooting section, click Run commands.
- Enter one of the following commands:
- To disable a single user, enter:
platform-login disable user1
- To disable multiple users, enter:
platform-login disable user1, user2, user3
- To disable all users, enter:
platform-login disable *
- To disable a single user, enter:
If you do not choose to disable all users at once, a global administrator must remain enabled for InsightVM Platform Login until all non-administrative users have been reverted.
For further assistance, reach out to our support team through the Customer Support Portal.
Enable Security Console Login
- Access your Security Console and log in with your username and password. If applicable, use whichever console-based external authentication source you would typically use.
- When the InsightVM interface loads, open your user profile dropdown in the upper right corner of the screen and click Enable InsightVM Platform Login. You can also expand the menu and click any of the following cloud-based pages to trigger the enablement window:
- Dashboard
- Remediation Projects
- Goals and SLAs
- Automation
- Containers
- Cloud Configuration
- Management
- When the enablement window appears, locate the confirmation check box and verify that the email address shown is the same address that you currently use to access insight.rapid7.com. If this address is correct, select the confirmation box.
- Click Enable.
Enable InsightVM Platform Login
After you verify that you meet the requirements, you’re ready to enable InsightVM Platform Login.
Is your organization new to Platform Login?
You may need to provide your Security Console URL manually if you are the first user in your organization to enable this feature.
Go to insight.rapid7.com and log in with your Insight account email address and password. If applicable, use whichever cloud-based external authentication source you would typically use.
If you are not directed to InsightVM automatically upon logging in, you can access the product by clicking Open on the InsightVM tile located on the Platform Home page or by clicking InsightVM in the products menu bar.
When InsightVM loads, the enablement window appears automatically. If the window doesn’t appear, you can launch it manually from your user profile by clicking Enable InsightVM Platform Login.
If you are the first user in your organization to enable InsightVM Platform login, enter the Security Console URL.
The format of your URL must be a fully qualified domain name that includes either the
http://
orhttps://
protocol.Verify that the email address is the same address that you used to access insight.rapid7.com. If this address is correct, select the confirmation box.
Click Enable.
After enabling the experience, your InsightVM interface will reload to allow your Security Console pages to appear in the menu.
Status and connection management
You can check the status of your connection and make URL changes on the Security Console URL card located in Management > Org Settings.
The card can display either a Connected or Connection failed status.
Troubleshoot your connection
Possible causes | Potential solutions |
---|---|
Your Security Console host is offline. | Check for connectivity issues. |
The host you are using to access InsightVM is not on the same network as your Security Console host. | Check your VPN connection. |
The specified URL is not recognized as a Security Console. | The URL you’ve set up may have changed or been incorrectly submitted. 1. Log in to insight.rapid7.com > select InsightVM > Management > Org Settings. 2. Check that the URL is listed. 3. If it is not listed or is misspelled, re-enter your URL correctly. |
InsightVM encountered a certificate error from your browser when attempting to connect to a console-based page. This can happen if your existing certificate has expired or if your Security Console is still using the self-signed certificate that was included in the original installation. | The best way to avoid this is by ensuring your Security Console has an SSL certificate signed by a certificate authority. For a quick, but temporary, solution, dismiss the certificate error from your Security Console URL. This allows you to connect InsightVM to your Security Console without needing additional configuration changes. You will continue to receive certificate errors until your SSL certificate is signed. |
Edit your Security Console URL
Click Edit on the bottom of the card.
The same URL formatting requirement applies to any changes you make here.
Enter your new Security Console URL.
Click Confirm to finish.