Configure SSO access to the InsightVM Security Console
You can configure single sign-on (SSO) to the InsightVM Security Console using an external identity provider (IdP). This feature allows you to authenticate and control user access to the InsightVM Security Console from your existing single sign-on solution.
Insight Platform Login overrides SSO authentication
Enabling Insight Platform Login disables all local login methods. Any console-based external authentication source configured for your account (for example SAML, LDAP, or Kerberos) will stop working after a default 60-day grace period.
Before you begin
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. Any IdP you want to use must meet the SAML 2.0 compliance requirements, which you can read about here: https://en.wikipedia.org/wiki/SAML-based_products_and_services
To test whether your IdP is compliant, you can use a free SAML testing tool such as: https://www.samltool.com/
Only one source can be configured
Only one SAML authentication source is permitted. Defining a new SAML source will overwrite the current source definition, if it exists.
Configure SSO
On the Administration page, in the Authentication: 2FA and SSO section, click Configure SAML Source.
Required Information
The following information is required for configuring SSO.
| Field | Description |
|---|---|
| Entity id URL | The Entity id URL is the Console Unique Identifier URL, for example http://rapid7.com/nsc/console/ceea081b-l (note that this URL is HTTP, not HTTPS). |
| ACS URL | The Assertion Consumer Service URL is the Security Console hostname or IP address, followed by the port number, with /saml/SSO appended, for example: https://console-hostname:3780/saml/SSO. If the Console's ACS URL includes a hostname or FQDN, that hostname must also be specified as the Base Entity URL in the Identity Provider section. |
| IDP Provider Metadata (XML) | The XML metadata generated by your IdP. Consult the applicable guide below or your identity provider's documentation. |
Base Entity URL
If the Console's ACS URL includes a hostname or FQDN, then it must be specified as the Base Entity URL in the Identity Provider section.
For the Base Entity URL, use the following format: https://<console-hostname>:<console-port>
For example, https://consoleserver.yourdomain.com:3780
Server reboot required
If you apply a Base Entity URL, you must reboot the server.
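Before pasting IdP metadata into the console, it is worth checking that it is actually IdP (not SP) metadata, carries a signing certificate, and exposes an HTTPS single sign-on endpoint, and that the ACS URL really is the Base Entity URL with /saml/SSO appended. The following Python script is an added example, not part of the InsightVM documentation or product; the IdP metadata it parses is a constructed sample with a placeholder certificate.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed sample IdP metadata; the certificate body is a placeholder, not a real key.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/metadata"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata has what the console needs."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = [] if root.get("entityID") else ["EntityDescriptor has no entityID"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is SP metadata or not SAML metadata"]
    # The signing certificate is what lets the console verify assertion signatures.
    certs = [c for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") != "encryption"
             for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not any(c.text and c.text.strip() for c in certs):
        problems.append("no signing X509Certificate")
    sso = [s for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") in BINDINGS and s.get("Location", "").startswith("https://")]
    if not sso:
        problems.append("no HTTPS SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    return problems

def check_console_urls(base_entity_url, acs_url):
    """The ACS URL must be the Base Entity URL (https://<host>:<port>) with /saml/SSO appended."""
    base, acs = urlparse(base_entity_url), urlparse(acs_url)
    problems = []
    if base.scheme != "https" or acs.scheme != "https":
        problems.append("both console URLs must use https")
    if base.path.strip("/") or base.query:
        problems.append("Base Entity URL must be only https://<host>:<port>")
    if acs.netloc != base.netloc:
        problems.append("ACS host:port %r differs from Base Entity URL %r" % (acs.netloc, base.netloc))
    if acs.path != "/saml/SSO":
        problems.append("ACS path must be exactly /saml/SSO")
    return problems
```

Run `check_idp_metadata` on the XML exported from your IdP and `check_console_urls` on the two console values; anything other than an empty list points at a field to fix before saving the SAML source.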
Identity Provider Configuration
Refer to the following pages based on your Identity Provider: