SAML

InsightCloudSec supports using SAML as a valid authentication server. This page includes details on configuring SAML as an authentication server for InsightCloudSec.

In addition to SAML authentication where users are created and managed in InsightCloudSec, we also support using SAML in combination with external tools for user management, where user creation/data can be synced with InsightCloudSec. For details on this feature check out Just In-Time User Provisioning (Authentication Server Support).

Prerequisites

Before getting started you will need to have the following:

  • A functioning InsightCloudSec platform
  • Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
  • Administrative credentials to your SAML instance

For questions or issues reach out to us through the Customer Support Portal.

Dependencies

While it is possible to save a SAML authentication server configuration without the necessary dependencies, authentication through it will not work until they are installed. This does not apply to Docker image deployments, as the container already contains all requisite SAML dependencies.

The SAML extension uses the OneLogin python-saml library and requires several OS dependencies which must be installed on each instance running an interface server. Once the dependencies are installed, install the python-saml library in your virtual environment: pip install python-saml.

Azure AD + SAML

If you are looking for instructions on using Microsoft Entra ID security assertion markup language (SAML) refer to Microsoft Entra ID + SAML.

SAML Configuration Setup

Before starting, ensure that the base URL is set for your installation in System Administration > General Settings. Read more on the System Settings page. This host information is used when building the SAML redirection URLs and the URLs provided to the Identity Provider.

To create a SAML Authentication Server:

  1. Navigate to Administration > Identity Management and select the Authentication Servers tab.

  2. Click the Add Server button to launch the form.

  3. Complete the Authentication Server details as desired.

    • Provide a nickname for your server.
    • Select SAML as the Server Type.
    • Select the Global Scope checkbox if you want to use this server across multiple InsightCloudSec Organizations. Learn more about Organizations.
  4. You will need to share the URL information provided in this form with your provider, for example:

    • https://baseurl.net/v3/auth/provider/saml/1/acs
    • https://baseurl.net/v3/auth/provider/saml/1/metadata/
  5. Complete the additional fields as desired. The following fields are the minimum required for most SAML configurations (all subsequent fields are optional or vary based on your environment and requirements):

    • Idp Entity ID/Metadata URL
    • SSO URL
    • Idp x509 Certificate

    For any fields labeled JIT, these options refer to our Just In-Time Provisioning capabilities. You can read details on these capabilities in our Just In-Time User Provisioning (Authentication Server Support) documentation.

  6. The remaining checkboxes fine-tune the requirements placed on the authentication payload provided by the Identity Provider.

    For example, authentication will fail if wantAttributeStatement is set to true and the Identity Provider does not supply an attributes section in the SAML payload.

    Authentication works by correlating the NameID attribute of a SAML user to the username of a local user. When creating a new user who will authenticate with SAML, ensure that the username is the same value as that user's NameID in the SAML directory.

  7. Click Submit when you complete the form as desired.
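As an added illustration of step 6 (this is not InsightCloudSec's or python-saml's code), the following Python reproduces the two behaviours described there on constructed SAML responses: a response that carries no AttributeStatement is rejected while wantAttributeStatement is enabled, and the assertion's NameID is looked up against local usernames. The sample responses, the LOCAL_USERS table and the function names are assumptions made for the example; the product delegates XML parsing, signature and condition validation to python-saml, which this snippet does not perform.

```python
"""Constructed example of the wantAttributeStatement check and the NameID
to local-username correlation. Not InsightCloudSec code. It assumes the
response has already been signature- and condition-validated by the SAML
library; it only shows the two decisions the documentation describes."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response: NameID plus an AttributeStatement (Signature omitted).
RESPONSE_WITH_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample response from an IdP that sends no attributes section.
RESPONSE_WITHOUT_ATTRS = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed local user table; the key (username) must equal the IdP NameID.
LOCAL_USERS = {
    "alice@example.com": {"id": 1, "role": "Domain Admin"},
    "bob@example.com": {"id": 2, "role": "Org Admin"},
}


class SamlAuthError(Exception):
    """Raised when the assertion does not satisfy the configured requirements."""


def extract_subject(response_xml, want_attribute_statement=True):
    """Return (name_id, attributes) from a SAML Response, enforcing the
    wantAttributeStatement rule: with it enabled, an assertion lacking an
    AttributeStatement is rejected even though its NameID is fine."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlAuthError("no Assertion element in response")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlAuthError("assertion has no NameID")

    attr_stmt = assertion.find("saml:AttributeStatement", NS)
    if want_attribute_statement and attr_stmt is None:
        raise SamlAuthError(
            "wantAttributeStatement is enabled but the IdP sent no AttributeStatement")

    attributes = {}
    if attr_stmt is not None:
        for attr in attr_stmt.findall("saml:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            attributes[attr.get("Name")] = values
    return name_id.text.strip(), attributes


def correlate_user(name_id, users=LOCAL_USERS):
    """Map the NameID to a local user by exact username match; no match means
    the user was never created locally with that username."""
    user = users.get(name_id)
    if user is None:
        raise SamlAuthError(f"no local user whose username equals NameID {name_id!r}")
    return user


def authenticate(response_xml, want_attribute_statement=True, users=LOCAL_USERS):
    """Return {"ok": True, "username", "user", "attributes"} on success, or
    {"ok": False, "reason"} so the caller can log the reason server-side and
    show the browser only a generic failure."""
    try:
        name_id, attributes = extract_subject(response_xml, want_attribute_statement)
        user = correlate_user(name_id, users)
    except (SamlAuthError, ET.ParseError) as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "username": name_id, "user": user, "attributes": attributes}


if __name__ == "__main__":
    print(authenticate(RESPONSE_WITH_ATTRS))
    print(authenticate(RESPONSE_WITHOUT_ATTRS))
    print(authenticate(RESPONSE_WITHOUT_ATTRS, want_attribute_statement=False))
```

The second call fails with the reason the documentation predicts, and the third succeeds only because the checkbox is off; the failure reason is kept out of the browser response so that an unauthenticated party learns nothing about which local usernames exist.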