Configure Azure AD SSO

You can enable users to access Threat Command with IdP-initiated Azure AD SSO. In addition, you can enable SP-initiated SSO and user provisioning with the SAML Just In Time (JIT) method.

User provisioning with JIT enables Azure AD users to register new Threat Command users directly from Azure AD, thus bypassing the need to set up each user individually in Threat Command. For more information, see Provisioning Users with JIT.

Enable access to Threat Command with Azure AD

Add the Rapid7 application to the customer Azure AD account.

This section describes the basic Azure AD configuration process. The process is described fully at https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/intsights-tutorial.

Before you begin, ensure that:

  • You can access the Azure AD account as an administrator.
  • In the Azure Users and groups section, ensure that your user exists.
  • In the Azure Roles and administrators (Preview) section, ensure that administrative roles have permissions for: Application administrator, Cloud application administrator, and Reports reader.
  • You can access Threat Command as an administrator.
  • (Optional) To enable SP-initiated login, you can provide the IDP URL (Login URL) and Issuer ID (Entity ID) for the SSO provider. You can get these values from the Azure Portal.

To enable Azure AD access to Threat Command:

  1. Log in to Azure AD as an administrator.

  2. Add the Rapid7 application to Azure AD:

    1. From the Azure Active Directory, navigate to Enterprise Applications > All Applications.
    2. Click New application.
    3. In the Add from the gallery section, type intsights in the search box.
    4. Select IntSights and then add the app.
      A confirmation message is displayed when the app is added. This may take a few moments.
      The Overview page is displayed.
  3. Configure the Azure AD SSO:

    1. From the IntSights application integration page, find the Manage section and click Single sign-on.
    2. Click SAML.
      1. In the Basic SAML Configuration section, click Edit.
      2. For the Identifier, Reply URL, and Sign on URL fields, type the following:
        https://dashboard.ti.insight.rapid7.com/auth/saml-callback/azure
      3. Click Save.
      4. Close the Basic section.
      5. In the SAML Signing Certificate section, click Download for the Base64 certificate.
        The certificate is downloaded to the default download folder.
  4. Log in to Threat Command as an administrator.

  5. From the Threat Command main menu, select Settings > Authentication.

  6. Enable SAML single sign-on:

  7. Upload the certificate that was downloaded from Azure AD.

  8. (Optional) To enable SP-initiated login to Threat Command, perform the following:

    1. Select Enable SP-initiated login.
    2. Enter the IDP URL and Issuer ID.
      For the IDP URL value, type the Azure Login URL.
      Example: https://login.microsoftonline.com/1a7axxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2
      For the Issuer ID value, type the Azure Entity ID (same for all Azure users):
      https://dashboard.ti.insight.rapid7.com/auth/saml-callback/azure
      For more information, see Enable SP-Initiated User Login.
  9. (Optional) In the Force logout section, set the maximum hours for a user session to remain valid.
    After this time period, the user must sign in through their SSO to regain access to Threat Command.

  10. (Optional) To enable JIT user provisioning, perform the following:

    1. Select Enable JIT user provisioning.
    2. (Optional) When JIT provisioning is enabled, you can force users to log in with SSO.
      To enforce this, click Enforce SSO. Users will not be able to use the Threat Command username and password, only SSO. Ensure that your setup supports this before enabling this option.
    3. To get the account ID needed to configure JIT in Azure, click Copy account ID. For more information about provisioning users, see Provisioning Users with JIT.
  11. Click Save Changes.

Enable JIT user provisioning in Azure AD SSO

To complete the JIT provisioning setup, you need to perform additional steps in the IntSights application in Azure AD.

In the Azure AD User Attributes & Claims section, the following Required claims must be set:

Required claim        Value
intsightsAccountId    Paste the account ID from the Threat Command SAML single sign-on dialog.
intsightsRole         Select Admin or Analyst.
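As an added check that is not part of the Rapid7 or Microsoft documentation, the following Python parses the AttributeStatement of a SAML assertion (for example one captured from an Azure AD test sign-in) and confirms that both required claims are present, that intsightsAccountId matches the account ID copied from Threat Command, and that intsightsRole is exactly one of Admin or Analyst. The sample assertion and account ID are constructed placeholders, and the claim names are assumed to be emitted by Azure AD exactly as configured in the table above.

```python
# Added example (not Rapid7 or Microsoft code): verify that a SAML assertion
# from Azure AD carries the two claims Threat Command JIT provisioning needs.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("intsightsAccountId", "intsightsRole")
ALLOWED_ROLES = {"Admin", "Analyst"}

# Constructed sample assertion; the account ID is a placeholder, not a real value.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="intsightsAccountId">
      <saml:AttributeValue>ACCOUNT-ID-PLACEHOLDER</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="intsightsRole">
      <saml:AttributeValue>Analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values
    return claims


def check_jit_claims(assertion_xml: str, expected_account_id: str) -> list:
    """Return the problems found; an empty list means the claims satisfy JIT."""
    claims = extract_claims(assertion_xml)
    problems = []
    for name in REQUIRED_CLAIMS:
        if not any(claims.get(name, [])):
            problems.append(f"missing required claim: {name}")
    account = claims.get("intsightsAccountId", [])
    if any(account) and account != [expected_account_id]:
        problems.append("intsightsAccountId does not match the Threat Command account ID")
    roles = claims.get("intsightsRole", [])
    if any(roles) and (len(roles) != 1 or roles[0] not in ALLOWED_ROLES):
        problems.append(f"intsightsRole must be exactly one of {sorted(ALLOWED_ROLES)}")
    return problems
```

Run check_jit_claims on the decoded assertion with the account ID copied from the Threat Command SAML dialog; an empty list means the Azure AD claim configuration is ready for JIT provisioning.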

Before using, you must assign the users, as described in the "Assign the Azure AD test user" section of the Azure AD documentation.

For complete instructions, see https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/intsights-tutorial.