Configure SSO access to the InsightVM Security Console

You can configure single sign-on (SSO) to the InsightVM Security Console using an external identity provider (IdP). This feature allows you to authenticate and control user access to the InsightVM Security Console from your existing single sign-on solution.

Enabling Insight Platform Login will disable any local login methods. Any console-based external authentication source configured for your account (e.g. SAML, LDAP, or Kerberos) will no longer work after a default 60 day grace period.

Before you begin

Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. Any IdP you want to use must meet the SAML 2.0 compliance requirements, which you can read about here: https://en.wikipedia.org/wiki/SAML-based_products_and_services

To test whether your IdP is compliant, you can use a free SAML testing tool such as: https://www.samltool.com/

Only one source can be configured

Only one SAML authentication source is permitted. Defining a new SAML source will overwrite the current source definition, if it exists.

Configure SSO

On the Administration page, in the Authentication: 2FA and SSO section, click Configure SAML Source.

Required Information

The following information is required for configuring SSO.

Field	Description
Entity id URL	The Entity id URL is the Console Unique Identifier URL, for example `http://rapid7.com/nsc/console/ceea081b-l`. The URL is HTTP and not HTTPS.
ACS URL	Assertion Consumer is the Security Console hostname or IP address + port number + /saml/SSO appended to the end of the URL, for example: `https://console-hostname:3780/saml/SSO` If the Console’s ACS URL includes a hostname or FQDN, then it must be specified as the Base Entity URL in the Identify Provider section.
IDP Provider Metadata (XML)	IdP generated XML, please consult the applicable guide, or your identity provider documentation.