
SAML - Just In-Time Provisioning

Instructions for Configuration of SAML Just In-Time Provisioning with InsightCloudSec

Overview

The instructions on this page detail the steps required to configure Just In-Time User Provisioning for SAML. For general information check out the Just In-Time User Provisioning (Authentication Server Support) overview documentation.

If you are looking for instructions on Configuring Authentication Server Support for SAML that does not include JIT, refer to the documentation here SAML.

Note: Supported Options

These steps use Okta configurations as an example. For specific details on Okta we recommend you refer to their documentation. For other providers, we recommend you refer to the provider's configuration documentation.

As always, if you have questions or issues, or want details on implementation using something other than Okta, we're here to help: reach out to [email protected].

Configuration Considerations

Entitlements

You must be prepared to complete the setup of your entitlements. Attempting to create group mappings without completing this setup in InsightCloudSec will create groups with users that have NO associated permissions.

Scheduled Updates

In InsightCloudSec, scheduled updates run once an hour. The authentication server gets lists of members of the mapped user groups, and InsightCloudSec’s users and group associations are updated to match.

Credentials

Note: A credential to the authentication server is required to perform the scheduled updates.

  • For Okta, this is implemented using a read-only API key.

Existing SAML Users

Users from SAML authentication servers should have a unique username. In cases where a username is already in use by a local InsightCloudSec user, an administrator may need to update the user accounts in InsightCloudSec.

Note: Value Names (DivvyCloud vs. InsightCloudSec)

Some components, screen captures, examples, and values use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.

Configuring JIT for SAML

InsightCloudSec Initial Setup (Authentication Server) for SAML

Refer to the steps below to complete the initial required configuration for SAML using Okta within InsightCloudSec.

1. Navigate to "Administration --> Identity Management" and select "Authentication Server".

2. Click on "Add Server" to create a new authentication server.

  • Select a Server Nickname (name)
  • Select SAML
  • Select the Global Scope checkbox if you want to use this server across multiple InsightCloudSec Organizations. Learn more about Organizations.

3. At this point you will need to return to Okta with the URL information provided in this form, for example:

  • https://baseurl.net/v3/auth/provider/saml/1/acs
  • https://baseurl.net/v3/auth/provider/saml/1/metadata/

Figure: Creating a SAML Server - Required Configuration Details

Okta Setup for SAML

These steps assume that you have the required URLs from the "Create Authentication Server" window in InsightCloudSec.

Refer to the steps below to complete the required configuration setup for SAML using Okta. You can refer to Okta's documentation on setting up a SAML application here.

1. Log in to Okta as an administrator.

2. Navigate to "Applications", select "Add Application", and then click "Create New App".

3. On the "Create a New Application Integration" page, update the SAML configuration details as follows:

  • Platform: Web
  • SAML 2.0

4. Click "Create".

Figure: Okta - Add new App5

5. Complete the "Create SAML Integration" details:

  • Provide the App with an appropriate name
  • Add an optional logo

6. Under the General SAML Settings, complete the details as follows:

  • You will need to provide the two URLs copied from Step #3 in the InsightCloudSec instructions above, for example:
    • For Single sign on URL: https://baseurl.net/v3/auth/provider/saml/1/acs
    • For Audience URI (SP Entity ID): https://baseurl.net/v3/auth/provider/saml/1/metadata/

7. Complete the rest of the form options/settings as desired.

Figure: Okta - Create SAML Integration

8. In the SAML form, to successfully establish group mapping and create users, you will need to update the "Attribute Statements (optional)". These details enable InsightCloudSec to appropriately identify and collect user details.

  • Name: email, Value: user.email
  • Name: firstName, Value: user.firstName
  • Name: lastName, Value: user.lastName

9. In addition, we recommend configuring "Group Attribute Statements (Optional)" to help InsightCloudSec locate the group information, for example:

  • Name: memberOf
  • Starts with: Divvy (or InsightCloudSec)

Figure: Okta Attributes

10. Click "Next" and then click "Finish" to complete the setup of the Okta portion of the SAML integration.

11. From your completed App page, click on "View Setup Instructions" to display the configuration details required to finalize your setup in InsightCloudSec.

Figure: Example Completed SAML App

InsightCloudSec Continued Setup for SAML

These steps assume you are still working from "Administration --> Identity Management" on the "Authentication Servers" tab, with an active window to create a new SAML Authentication Server.

Continue from Step #3 above, where you copied the required URLs for Okta, moved to Okta, and have returned to InsightCloudSec with your completed SAML config details. We are resuming the InsightCloudSec setup with Step #4.

4. Complete the details for the SAML Authentication Server including the following required fields:

  • Idp Entity ID/Metadata URL
  • SSO URL
  • Idp x509 Certificate
  • Checkbox - Enable JIT user provisioning at login (if selected, users are provisioned as soon as they log in)
  • Checkbox - Make this the default SSO for JIT user provisioning (Note: only one server can be set as the default)
    • If this is enabled, users that don't exist will be redirected to Okta to log in.
    • Important - if this option is selected it will prevent you from creating additional SAML integrations.

Figure: SAML Form Part 2

5. Continue completing the SAML form:

  • SAML attribute name for user groups - enter the name you provided as part of the "Group Attribute Statement"
  • SAML attribute name for displayname (or firstname)
  • SAML attribute name for last name
  • SAML attribute for email

These are the fields you completed as part of the Okta setup - "Attribute Statements (optional)" in Step #8 above.

Figure: Additional SAML details
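To make concrete what the attribute names configured in Step #5 (InsightCloudSec) and Step #8 (Okta) turn into at login, here is an added Python example; it is not InsightCloudSec's or Okta's code. It parses a hand-constructed SAML AttributeStatement, reads the email, first-name, last-name and group attributes under the configured names, applies the case-sensitive Group Mappings described later in Step #15, and flags a mapped group that has no entitlements (the situation the Entitlements note warns about). It assumes the assertion's signature has already been verified against the IdP x509 certificate; `SP_CONFIG`, `GROUP_MAPPINGS` and `ENTITLEMENTS` are hypothetical stand-ins for the form fields, not a real API.

```python
"""Added example: what a JIT login produces once the SAML assertion reaches the SP.

Not InsightCloudSec or Okta code. The assertion below is constructed by hand and is
assumed to have had its signature verified against the IdP x509 certificate already.
SP_CONFIG, GROUP_MAPPINGS and ENTITLEMENTS are hypothetical stand-ins for form fields.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP); only the parts JIT needs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>DivvyCloud-Admins</saml:AttributeValue>
      <saml:AttributeValue>DivvyCloud-Auditors</saml:AttributeValue>
      <saml:AttributeValue>divvycloud-readonly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mirror of the "SAML attribute name for ..." fields (Step #5).
SP_CONFIG = {
    "groups": "memberOf",
    "display_name": "firstName",
    "last_name": "lastName",
    "email": "email",
}

# Hypothetical Group Mappings (Step #15): IdP group name -> InsightCloudSec group name.
GROUP_MAPPINGS = {
    "DivvyCloud-Admins": "Admins",
    "DivvyCloud-Auditors": "Auditors",
    "DivvyCloud-ReadOnly": "ReadOnly",
}

# Hypothetical entitlements per InsightCloudSec group; "Auditors" was mapped before any were set.
ENTITLEMENTS = {"Admins": {"domain_admin"}, "ReadOnly": {"view_resources"}}


def parse_attributes(assertion_xml):
    """Return ({attribute_name: [values...]}, NameID text) from the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return attrs, (name_id.text if name_id is not None else None)


def jit_provision(assertion_xml, config, group_mappings, entitlements):
    """Derive the user profile and group assignments a JIT login would produce."""
    attrs, name_id = parse_attributes(assertion_xml)

    def single(attribute_name):
        values = attrs.get(attribute_name, [])
        if len(values) != 1:  # profile attributes must be present exactly once
            raise ValueError(f"expected one value for {attribute_name!r}, got {values}")
        return values[0]

    profile = {
        "email": single(config["email"]),
        "display_name": single(config["display_name"]),
        "last_name": single(config["last_name"]),
    }
    groups, unmapped, warnings = [], [], []
    for idp_group in attrs.get(config["groups"], []):
        ics_group = group_mappings.get(idp_group)  # exact, case-sensitive lookup
        if ics_group is None:
            unmapped.append(idp_group)  # e.g. a mapping that differs only in case
            continue
        groups.append(ics_group)
        if not entitlements.get(ics_group):
            warnings.append(f"group {ics_group!r} has no entitlements; its members get no permissions")
    return {"name_id": name_id, "profile": profile, "groups": groups,
            "unmapped": unmapped, "warnings": warnings}


if __name__ == "__main__":
    import json
    print(json.dumps(jit_provision(SAMPLE_ASSERTION, SP_CONFIG, GROUP_MAPPINGS, ENTITLEMENTS), indent=2))
```

The third group value in the sample, `divvycloud-readonly`, is deliberately mis-cased relative to the mapping and so ends up in `unmapped`, while `Auditors` is assigned but produces a warning because no entitlements exist for it.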

6. Continue completing the SAML form:

  • Checkbox - Enable periodic user provisioning (Okta only) - if enabled, provides an hourly sync with Okta
  • API Key - API Key (token used to communicate with Okta)

Figure: Additional SAML details

The next fields are optional and can be modified based on your requirements:

  • login (default)
  • displayName (default)
  • User profile field to use for last name (optional)
  • email (default)

7. Continue completing the SAML form:

  • Checkbox - Update profile (email & display name) on JIT and periodic user provisioning
    • Enabling this field allows InsightCloudSec to absorb changes on the Okta side to any usernames or display information. We encourage you to enable this box to allow us to maintain changes that may take place in Okta.
  • Name ID Format - to provide user name details for SAML
  • Signature Algorithm - to provide SSO provider digital signature details

Figure: Additional SAML details

8. Continue completing the SAML form:

  • Select any of the checkboxes to enable the specific attributes you need. They behave as named, e.g., nameIdEncrypted, when checked, encrypts the nameId field, etc.

Figure: Additional SAML details

9. Click "Submit" when you have provided all of the necessary details.

10. Navigate to "Administration --> Identity Management" and open the tab labelled "User Groups".

11. Click "Add User Group" and name your new group as desired.

  • This field will be used to populate the InsightCloudSec Group name when you configure your Group Mapping (these must match and are case sensitive)

12. Click on the "Actions" menu to the left of your new/target group name to access the "Manage Entitlements" capabilities.

Important: Managing Entitlements

Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.

If you create a group and enable group mapping BEFORE you establish entitlements, the users within your groups will have nothing configured and will not be able to access anything.

Refer to our documentation on Permissions Entitlements for details.

13. Navigate to "Administration --> Identity Management" and select the "Authentication Servers" tab.

14. Click on the "Actions" menu to the right of the line for the server you created earlier and select "Update Group Mappings".

15. Complete your Group Mappings as desired. Click on the "+" at the top to add additional lines.

  • Domain Admin and Organization Admin fields already exist as presets.
    • Important note: even with mapped "groups" associated, these mappings simply establish the Domain and Org Admin users. These aren't technically groups, and as such you will have to locate them by name individually to modify or update them.

16. Click "Submit" to complete your Group Mappings.

  • If you do nothing, Okta will sync hourly and update your mapping.
  • If any user logs in, it will kick off the synchronization process.
  • To manually sync, click the actions menu and select "Synchronize Users".
  • You can verify the sync by checking out the "View Logs" option under the actions menu, or by visiting the "User Groups" tab to watch the user count increase.
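As an added illustration of the hourly sync described under Scheduled Updates and of the "Update profile" checkbox in Step #7 (example code, not InsightCloudSec's implementation), the Python below reconciles a local user/group table against the group member lists the scheduled job would have fetched from Okta with the read-only API key. The member lists, user profiles and `GROUP_MAPPINGS` are constructed inline and hypothetical. In this example only groups that appear in a mapping are touched: an unmapped IdP group such as "Everyone" is ignored, and a locally managed group is left alone, which is the behaviour a practitioner would want to confirm in the "View Logs" output after a sync.

```python
"""Added example: hourly-style reconciliation of local group membership against IdP data.

Not InsightCloudSec code. Assumes the scheduled job has already fetched, with the
read-only API key, each mapped group's member list and each member's profile from the
IdP; both are modelled here as plain dicts constructed inline.
"""
from dataclasses import dataclass, field


@dataclass
class LocalUser:
    username: str
    email: str
    display_name: str
    groups: set = field(default_factory=set)  # InsightCloudSec group names the user is in


# Hypothetical Group Mappings: IdP group name -> InsightCloudSec group name.
GROUP_MAPPINGS = {"DivvyCloud-Admins": "Admins", "DivvyCloud-Auditors": "Auditors"}


def sample_state():
    """Constructed local table plus what the IdP would have returned for this cycle."""
    local = {
        "alice": LocalUser("alice", "alice@example.com", "Alice", {"Admins"}),
        "bob": LocalUser("bob", "bob@example.com", "Bob", {"Auditors", "LocalOnly"}),
    }
    idp_members = {
        "DivvyCloud-Admins": ["alice", "carol"],
        "DivvyCloud-Auditors": ["carol"],
        "Everyone": ["alice", "bob", "carol"],  # not mapped, must be ignored
    }
    idp_profiles = {
        "alice": {"email": "alice@example.com", "display_name": "Alice Smith"},  # changed at IdP
        "bob": {"email": "bob@example.com", "display_name": "Bob"},
        "carol": {"email": "carol@example.com", "display_name": "Carol"},
    }
    return local, idp_members, idp_profiles


def reconcile(local_users, idp_members, group_mappings, idp_profiles, update_profile):
    """Bring local_users in line with the IdP; returns the list of changes applied."""
    changes = []
    mapped_ics_groups = set(group_mappings.values())

    # Desired state: username -> set of InsightCloudSec groups, from mapped IdP groups only.
    desired = {}
    for idp_group, members in idp_members.items():
        ics_group = group_mappings.get(idp_group)  # exact, case-sensitive match
        if ics_group is None:
            continue
        for username in members:
            desired.setdefault(username, set()).add(ics_group)

    # Create users that appear in a mapped group but do not exist locally yet.
    for username in desired:
        if username not in local_users:
            prof = idp_profiles[username]
            local_users[username] = LocalUser(username, prof["email"], prof["display_name"])
            changes.append(("create", username))

    # Adjust memberships; only mapped groups are touched, locally managed groups are kept.
    for username, user in local_users.items():
        want = desired.get(username, set())
        for g in sorted(want - user.groups):
            user.groups.add(g)
            changes.append(("add", username, g))
        for g in sorted((user.groups & mapped_ics_groups) - want):
            user.groups.remove(g)
            changes.append(("remove", username, g))
        # "Update profile" checkbox: absorb email/display name changes made at the IdP.
        if update_profile and username in idp_profiles:
            prof = idp_profiles[username]
            if (user.email, user.display_name) != (prof["email"], prof["display_name"]):
                user.email, user.display_name = prof["email"], prof["display_name"]
                changes.append(("profile", username))
    return changes


if __name__ == "__main__":
    local, members, profiles = sample_state()
    for change in reconcile(local, members, GROUP_MAPPINGS, profiles, update_profile=True):
        print(change)
```

Running it shows one cycle: carol is created and added to both mapped groups, bob loses "Auditors" (he is no longer in the IdP group) but keeps "LocalOnly", and alice's display name is refreshed only because the update-profile option is on.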

Updated 3 days ago
