SAML SSO user management¶
Investigator provides cross-domain single-sign on (SSO) using Security Assertion Markup Language (SAML) 2.0.
SAML 2.0 is an XML standard that acts as an authentication interface between Investigator and an identity provider (IdP) that manages user credentials. When Investigator receives a login request, it determines if SAML is enabled. If SAML is enabled, Investigator redirects the authentication request to the IdP.
Investigator SSO is compliant with SAML 2.0 systems and has been verified with Okta and Auth0.
Admins can set up SAML in the Access tab on the Users & Access page.
With SSO enabled, local authentication remains available for all admin users. Analyst users whose email address is in the SSO domain cannot use local authentication; analyst users outside the SSO domain can still log in locally.
Configure SAML SSO¶
The Investigator interface provides a wizard to step account admins through the SAML SSO configuration.
To configure SAML SSO
From System Settings in the left navigation, choose Users & Access and click the Access tab.
Click Enable for the SAML Single Sign On access option.
The configuration wizard displays two values that are specific to your account: the Assertion Consumer Service URL and the Remote Manager Audience URL. Copy both into the SAML configuration on your IdP.
From your IdP, find and copy the Entity ID (identity provider), single sign on service URL, and X.509 certificate.
Alternatively, download a configuration file from your IdP and upload it to Investigator to supply the same information.
In Investigator, click Next and enter the Entity ID, single sign on service URL, and certificate or upload the configuration file.
Click Next.
From your IdP, ensure the SAML 2.0 assertion contains the email_address and role attributes. For example:

    <saml2:Attribute Name="email_address">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">investigator.user@corelight.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">admin_users,analyst_users</saml2:AttributeValue>
    </saml2:Attribute>

The role attribute determines the user's access level: Admin, Analyst, or Viewer.
Note
Previous configurations supported a group attribute instead of a role attribute; Investigator continues to support those configurations for backward compatibility.
In Investigator, map the Admin, Analyst, and Viewer roles to groups in your IdP.
By default, Corelight expects the group defined in the IdP to be corelight_admin, corelight_analyst, or corelight_viewer, which align with the Admin, Analyst, and Viewer roles in Investigator. Leave the fields blank to use these default values. To map custom groups from your IdP to Investigator roles, enter the IdP group that corresponds to each of the Admin, Analyst, and Viewer roles.
If a user matches multiple roles, Investigator assigns the role with the highest permissions.
Click Enable.
A message indicates SAML Single Sign On is enabled.
Click Check Connection to ensure Investigator can successfully communicate with your IdP.
With SAML enabled, you add and manage users through your IdP, and the User tab in Investigator is read-only. Local authentication accounts remain in the system, but only those outside the SSO domain stay active.
If an SSO user's email address matches an existing local authentication account, Investigator keeps that account's user preferences.
SAML users log in to Investigator using the Sign In SSO button and enter their email domain so that Investigator can redirect them to their IdP for authentication.
After SAML is configured, you can rerun the SAML configuration wizard from the Access tab to modify the configuration.
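The attribute handling described above, as an added example that is not part of the Investigator documentation or product code: it extracts email_address and the role attribute (accepting the roles spelling used in the sample assertion, and the legacy group attribute) from a SAML 2.0 AttributeStatement, applies the wizard's group-to-role mapping with the corelight_admin, corelight_analyst and corelight_viewer defaults when a field is blank, and grants the most privileged role when several groups match. The function names, the accepted attribute names and the two sample statements are assumptions constructed for this example. It assumes the assertion's signature has already been validated against the IdP's X.509 certificate; attribute values must not be trusted before that check, and untrusted XML should be parsed with a hardened parser such as defusedxml rather than the standard-library parser used here.

```python
"""Illustrative role resolution for a SAML 2.0 AttributeStatement.

Added example, not Investigator's own code. It assumes the assertion's
signature has already been validated against the IdP's X.509 certificate;
attribute values are untrusted until that check passes.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_TAG = f"{{{SAML2_NS}}}Attribute"
VALUE_TAG = f"{{{SAML2_NS}}}AttributeValue"

# Investigator roles from least to most privileged; a user in several matching
# groups receives the highest one.
ROLE_RANK = {"Viewer": 0, "Analyst": 1, "Admin": 2}

# IdP group names expected when the wizard's mapping fields are left blank.
DEFAULT_GROUPS = {"Admin": "corelight_admin", "Analyst": "corelight_analyst", "Viewer": "corelight_viewer"}

# Attribute names that may carry group membership (assumption: the documentation
# says "role", its sample uses "roles", and "group" is the legacy name).
ROLE_ATTRIBUTE_NAMES = ("role", "roles", "group")


def parse_attributes(xml_text: str) -> dict[str, list[str]]:
    """Return {Attribute Name: [AttributeValue texts]} from an assertion or statement."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(ATTR_TAG):
        name = attr.get("Name")
        if name:
            values = attrs.setdefault(name, [])
            values.extend((v.text or "").strip() for v in attr.iter(VALUE_TAG))
    return attrs


def build_group_map(admin: str = "", analyst: str = "", viewer: str = "") -> dict[str, str]:
    """Map IdP group -> Investigator role; blank wizard fields fall back to the defaults."""
    configured = {"Admin": admin, "Analyst": analyst, "Viewer": viewer}
    return {(configured[role].strip() or DEFAULT_GROUPS[role]): role for role in ROLE_RANK}


def resolve_role(attrs: dict[str, list[str]], group_map: dict[str, str]) -> str | None:
    """Return the most privileged matching role, or None when no group maps to a role.

    A single AttributeValue may list several groups separated by commas, as in
    the sample assertion, so each value is split before matching.
    """
    groups = [
        g.strip()
        for name in ROLE_ATTRIBUTE_NAMES
        for value in attrs.get(name, [])
        for g in value.split(",")
    ]
    matched = {group_map[g] for g in groups if g in group_map}
    return max(matched, key=ROLE_RANK.__getitem__) if matched else None


def resolve_login(xml_text: str, admin: str = "", analyst: str = "", viewer: str = "") -> tuple[str | None, str | None]:
    """Return (email_address, role); None in either slot means the login must be refused."""
    attrs = parse_attributes(xml_text)
    emails = [e for e in attrs.get("email_address", []) if e]
    email = emails[0] if len(emails) == 1 else None  # absent or ambiguous identity -> refuse
    role = resolve_role(attrs, build_group_map(admin, analyst, viewer))
    return email, role


# Constructed sample statements modelled on the attribute fragment in the documentation.
CUSTOM_GROUPS_STATEMENT = f"""
<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="email_address">
    <saml2:AttributeValue>investigator.user@corelight.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue>admin_users,analyst_users</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

LEGACY_GROUP_STATEMENT = f"""
<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="email_address">
    <saml2:AttributeValue>viewer@example.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="group">
    <saml2:AttributeValue>corelight_viewer</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

if __name__ == "__main__":
    # Custom groups mapped in the wizard: both match, Admin wins.
    print(resolve_login(CUSTOM_GROUPS_STATEMENT, admin="admin_users", analyst="analyst_users"))
    # Same assertion against the defaults: no group matches, so no role is granted.
    print(resolve_login(CUSTOM_GROUPS_STATEMENT))
    # Legacy "group" attribute carrying a default group name still resolves.
    print(resolve_login(LEGACY_GROUP_STATEMENT))
```

The second call shows the failure mode worth testing after enabling SSO: an IdP that sends custom group names while the wizard fields are left blank yields a user with no role at all, which should be refused rather than silently given Viewer access.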
Delete SAML SSO configuration¶
You can delete the SAML configuration by enabling Local Authentication.
When you switch to Local Authentication, all SSO user information is disabled and local user accounts are enabled. You must add local user accounts again after disabling SAML; if a user's email address matches a previously configured user, their profile settings are restored. See Local user management for more information.