SAML SSO user management

Investigator provides cross-domain single-sign on (SSO) using Security Assertion Markup Language (SAML) 2.0.

SAML 2.0 is an XML standard that acts as an authentication interface between Investigator and an identity provider (IdP) that manages user credentials. When Investigator receives a login request, it determines if SAML is enabled. If SAML is enabled, Investigator redirects the authentication request to the IdP.

Investigator SSO is compliant with SAML 2.0 systems and has been verified with Okta and Auth0.

Admins can set up SAML in the Access tab on the Users & Access page.

With SSO enabled, local authentication remains available for all admin users. For analyst users, Investigator does not allow local authentication from the same domain as the SSO; however, analyst users whose email address is not in the SSO domain can still log in locally.

Configure SAML SSO

The Investigator interface provides a wizard to step account admins through the SAML SSO configuration.

To configure SAML SSO

  1. From System Settings in the left navigation, choose Users & Access and click the Access tab.

  2. Click Enable for the SAML Single Sign On access option.

    The configuration wizard displays two configuration values for your IdP.

  3. Copy the Assertion Consumer Service URL and the Remote Manager Audience URL and add these values to the SAML configuration on your IdP.

    These values are specific for your account.

  4. From your IdP, ensure the SAML 2.0 assertion contains the email_address and group attributes. Make sure the attribute names match exactly as specified, and that the IdP does not prepend a namespace to the attribute name.

    Define the group attribute to be one of corelight_admin, corelight_analyst, or corelight_viewer, which correspond to the Admin, Analyst, and Viewer roles in Investigator.

    For example:

    <saml2:Attribute Name="email_address">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:anyType">investigator.user@corelight.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="group">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:anyType">corelight_admin</saml2:AttributeValue>
    </saml2:Attribute>
    
  5. From your IdP, find and copy the Entity ID (identity provider), single sign on service URL, and X.509 certificate.

    Alternatively, download a configuration file from your IdP and upload it to Investigator to provide the same information.

  6. In Investigator, click Next and enter the Entity ID, single sign on service URL, and certificate or upload the configuration file.

  7. Click Check Connection to ensure Investigator can successfully communicate with your IdP.

  8. Click Next.

  9. Map the Analyst and Admin roles in Investigator to roles in your IdP.

    The Analyst, Admin, and Viewer roles must be defined in your IdP as corelight_analyst, corelight_admin, and corelight_viewer respectively, and associated with SSO users.

  10. Click Enable.

A message indicates SAML Single Sign On is enabled.
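Steps 4 and 9 above depend on the IdP emitting exactly the attribute names Investigator expects and one of the three recognized group values. The following script is an added example, not Investigator's own code: it parses a SAML 2.0 assertion, checks the attribute statement against those requirements, flags the common misconfiguration where the IdP prepends a namespace to the attribute name, and reports which Investigator role the group value maps to. The sample assertions are constructed (the good one wraps the attribute statement shown in step 4; the bad one uses a made-up "urn:example:claims/" prefix), and the check is intended for validating an IdP's attribute configuration from a test assertion, not as a replacement for signature verification in a SAML library.

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 assertion namespace.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR_TAG = "{%s}Attribute" % SAML2_NS
VALUE_TAG = "{%s}AttributeValue" % SAML2_NS

# Attribute names Investigator requires and the group values it maps to roles
# (from the configuration steps above).
REQUIRED_ATTRIBUTES = ("email_address", "group")
GROUP_TO_ROLE = {
    "corelight_admin": "Admin",
    "corelight_analyst": "Analyst",
    "corelight_viewer": "Viewer",
}


def extract_attributes(assertion_xml):
    """Collect {Name: [values]} for every saml2:Attribute in an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(ATTR_TAG):
        values = [(v.text or "").strip() for v in attr.findall(VALUE_TAG)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_assertion(assertion_xml):
    """Report whether the attribute statement meets Investigator's requirements.

    Returns (ok, role, problems): role is the Investigator role derived from the
    group attribute, or None when it cannot be determined.
    """
    attrs = extract_attributes(assertion_xml)
    problems = []
    for name in REQUIRED_ATTRIBUTES:
        if name in attrs:
            continue
        # Heuristic for a common IdP misconfiguration: a namespace or URI
        # prepended to the bare attribute name (e.g. ".../email_address").
        prefixed = [n for n in attrs if n != name and n.endswith(name)]
        if prefixed:
            problems.append("attribute %r is sent as %r; the bare name is required"
                            % (name, prefixed[0]))
        else:
            problems.append("attribute %r is missing" % name)

    emails = attrs.get("email_address", [])
    if emails and "@" not in emails[0]:
        problems.append("email_address value %r is not an email address" % emails[0])

    role = None
    groups = attrs.get("group", [])
    if groups:
        role = GROUP_TO_ROLE.get(groups[0])
        if role is None:
            problems.append("group value %r is not one of %s"
                            % (groups[0], sorted(GROUP_TO_ROLE)))
    return (not problems, role, problems)


# Constructed sample: the attribute statement from step 4 inside a minimal assertion.
GOOD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email_address">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:anyType">investigator.user@corelight.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="group">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:anyType">corelight_admin</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample of a misconfigured IdP: a made-up namespace prepended to the
# email attribute name, and a group value Investigator does not recognize.
BAD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="urn:example:claims/email_address">
      <saml2:AttributeValue>investigator.user@corelight.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="group">
      <saml2:AttributeValue>Administrators</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        ok, role, problems = check_assertion(xml)
        print(label, "ok" if ok else "FAIL", role, problems)
```

Running the script prints the good assertion as mapping to the Admin role with no problems, and the bad one with two problems: the prefixed email_address name and the unknown group value. Feed it a test assertion exported from your IdP before clicking Check Connection to catch attribute-name mistakes early.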

With SAML enabled, you add and manage new users through your IdP. The User tab in Investigator is read-only. (Local authentication users remain in the system, but only those outside the SSO domain remain active.)

If a local authentication email address matches an SSO email, Investigator maintains any defined user preferences.

SAML users log in to Investigator using the Sign In SSO button. Users need to provide their email domain to redirect to their IdP for authentication.

Once SAML is configured, you can reopen the SAML configuration wizard from the Access tab to modify the configuration.

Delete SAML SSO configuration

You can delete the SAML configuration by enabling Local Authentication.

When you switch to Local Authentication, all SSO user information is disabled and local user accounts are enabled. You will need to add local user accounts again after disabling SAML. If a user's email matches a previously configured user, their profile settings are restored. See Local user management for more information.