The instructions on this page detail the steps required to configure Just-in-Time (JIT) User Provisioning for SAML. For general information, see the Just-in-Time User Provisioning (Authentication Server Support) overview documentation.
If you are looking for instructions on configuring Authentication Server Support for SAML without JIT, refer to the SAML documentation.
These steps use Okta configurations as an example. For specific details on Okta we recommend you refer to their documentation. For other providers, we recommend you refer to the provider's configuration documentation.
As always, if you have questions or issues, or want details on implementation using something other than Okta, we're here to help; reach out to [email protected].
You must be prepared to complete the setup of your entitlements. Attempting to create group mappings without completing this setup in InsightCloudSec will create groups with users that have NO associated permissions.
- Take a look at our documentation around Permissions Entitlements if you still need to prepare these configurations.
In InsightCloudSec, scheduled updates run once an hour. The authentication server gets lists of members of the mapped user groups, and InsightCloudSec’s users and group associations are updated to match.
Note: A credential to the authentication server is required to perform the scheduled updates.
- For Okta, this is implemented using a read-only API key.
Users from SAML authentication servers should have a unique username. In cases where a username is already in use by a local InsightCloudSec user, an administrator may need to update the user accounts in InsightCloudSec.
Value Names (DivvyCloud vs. InsightCloudSec)
Some components, screen captures, examples, and values use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.
Refer to the steps below to complete the initial required configuration for SAML using Okta within InsightCloudSec.
1. Navigate to "Administration --> Identity Management" and select "Authentication Server".
2. Click on "Add Server" to create a new authentication server.
- Select a Server Nickname (name)
- Select SAML
- Select the Global Scope checkbox if you want to use this server across multiple InsightCloudSec Organizations. Learn more about Organizations.
3. At this point you will need to return to Okta with the URL information provided in this form, for example:
These steps assume that you have the required URLs from the "Create Authentication Server" window in InsightCloudSec.
Refer to the steps below to complete the required configuration setup for SAML using Okta. You can refer to Okta's documentation on setting up a SAML application here.
1. Log in to Okta as an administrator.
2. Navigate to "Applications", select "Add Application", and then click on the "Create New App".
3. On the "Create a New Application Integration" page, update the SAML configuration details as follows:
- Platform: Web
- SAML 2.0
4. Click "Create".
5. Complete the "Create SAML Integration" details:
- Provide the App with an appropriate name
- Add an optional logo
6. Under the General SAML Settings complete the details as follows:
- You will need to provide the two URLs copied from Step #3 in the InsightCloudSec instructions above, for example:
- For Single sign on URL
- For Audience URI (SP Entity ID)
7. Complete the rest of the form options/settings as desired
8. In the SAML form, to successfully establish group mapping and create users, you will need to update the "Attribute Statements (optional)". These details enable InsightCloudSec to appropriately identify and collect user details.
9. In addition, we recommend configuring "Group Attribute Statements (Optional)" to help InsightCloudSec locate the group information, for example:
- Name: memberOf
- Starts with: Divvy (or InsightCloudSec)
10. Click "Next" and then click "Finish" to complete the setup of the Okta portion of the SAML integration.
11. From your completed App page, click on "View Setup Instructions" to display the configuration details required to finalize your setup in InsightCloudSec.
These steps assume you are still working from the "Administration --> Identity Management" page on the "Authentication Servers" tab, with an active window to create a new SAML Authentication Server.
Continue from Step #3 above, where you copied the required URLs for Okta, moved to Okta, and have returned to InsightCloudSec with your completed SAML config details. We are resuming the InsightCloudSec setup with Step #4.
4. Complete the details for the SAML Authentication Server including the following required fields:
- Idp Entity ID/Metadata URL
- SSO URL
- Idp x509 Certificate
- Checkbox - Enable JIT user provisioning at login (if selected enables provisioning as soon as the user logs in)
- Checkbox - Make this the default SSO for JIT user provisioning. (Note: Only one server can be set as the default).
- If this is enabled, users that don't exist will be redirected to Okta to login.
- Important - if this option is selected it will prevent you from creating additional SAML integrations.
5. Continue completing the SAML form:
- SAML attribute name for user groups - This field should be completed with the name you provided as part of the "Group Attribute Statement"
- SAML attribute name for displayname (or firstname)
- SAML attribute name for last name
- SAML attribute for email
These are the fields you completed as part of the Okta setup - "Attribute Statements (optional)" in Step #8 above.
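The attribute names configured in Okta (Step #8 and #9 above) and the names entered here must match exactly; otherwise the service provider cannot identify the user and JIT provisioning fails. The following Python example is added here and is not InsightCloudSec or Okta code. It shows what a service provider does with an assertion after its signature has been verified against the IdP x509 certificate (signature verification is deliberately omitted and should come from a SAML library): it checks the audience against the SP Entity ID, reads the NameID and the configured attributes, and keeps only the memberOf values that start with the configured prefix. The attribute names, the SP Entity ID and the sample assertion are constructed assumptions.

```python
"""Extract JIT provisioning attributes from a SAML 2.0 assertion.

Added example; signature verification is assumed to have happened already.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as entered on the SAML Authentication Server form
# (assumed values; use what you configured in the Okta Attribute Statements).
ATTR_CONFIG = {
    "groups": "memberOf",
    "first_name": "firstName",
    "last_name": "lastName",
    "email": "email",
}
GROUP_PREFIX = "Divvy"  # mirrors the "Starts with: Divvy" group filter
SP_ENTITY_ID = "https://insightcloudsec.example.com/saml/metadata"  # assumed

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://insightcloudsec.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>DivvyReadOnly</saml:AttributeValue>
      <saml:AttributeValue>DivvyDomainAdmin</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class JitAttributeError(ValueError):
    """Raised when the assertion lacks something JIT provisioning needs."""


def parse_attributes(assertion_xml):
    """Return (root element, {attribute name: [values]}) for an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return root, attrs


def extract_jit_user(assertion_xml, config=ATTR_CONFIG,
                     sp_entity_id=SP_ENTITY_ID, group_prefix=GROUP_PREFIX):
    """Return the user record JIT provisioning would create, or raise."""
    root, attrs = parse_attributes(assertion_xml)

    # Reject assertions issued for a different service provider.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise JitAttributeError(f"audience mismatch: {audiences}")

    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise JitAttributeError("assertion has no NameID")

    def single(key):
        # A misspelled attribute name on either side shows up here.
        values = attrs.get(config[key], [])
        if not values:
            raise JitAttributeError(f"missing attribute {config[key]!r} for {key}")
        return values[0]

    # Keep only the groups the integration is meant to see.
    groups = sorted(g for g in attrs.get(config["groups"], [])
                    if g.startswith(group_prefix))
    return {
        "username": name_id,
        "first_name": single("first_name"),
        "last_name": single("last_name"),
        "email": single("email"),
        "groups": groups,
    }


if __name__ == "__main__":
    print(extract_jit_user(SAMPLE_ASSERTION))
```

Note that the "Everyone" group is dropped by the prefix filter, and a config that names the email attribute differently from the Okta side fails loudly instead of silently creating a user with no email.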
6. Continue completing the SAML form:
- Checkbox - Enable periodic user provisioning (Okta only) - if enabled, provides an hourly sync with Okta
- API Key - the read-only Okta API token used to communicate with Okta for the hourly sync
The next fields select which Okta user profile field populates each InsightCloudSec user field. They are optional and can be modified based on your requirements:
- User profile field to use for username - login (default)
- User profile field to use for display name - displayName (default)
- User profile field to use for last name (optional)
- User profile field to use for email - email (default)
7. Continue completing the SAML form:
- Checkbox - Update profile (email & display name) on JIT and periodic user provisioning
- Enabling this field allows InsightCloudSec to absorb changes made on the Okta side to usernames or display information. We encourage you to enable this box so that changes made in Okta are carried over.
- Name ID Format - provides the username format details for SAML
- Signature Algorithm - provides the SSO provider's digital signature details
8. Continue completing the SAML form:
- Select any of the checkboxes to enable any desired specific attributes. These are as named, e.g., nameIdEncrypted - when checked will encrypt the nameId field, etc.
9. Click "Submit" when you have provided all of the necessary details.
10. Navigate to "Administration --> Identity Management" and open the tab labelled "User Groups".
11. Click "Add User Group" and name your new group as desired.
- This field will be used to populate the InsightCloudSec Group name when you configure your Group Mapping (these must match and are case sensitive)
12. Click on the "Actions" menu to the left of your new/target group name to access the "Manage Entitlements" capabilities.
Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.
If you create a group and enable group mapping BEFORE you establish entitlements, the users within your groups will have nothing configured and will not be able to access anything.
Refer to our documentation on Permissions Entitlements for details.
13. Navigate to "Administration --> Identity Management" and select the "Authentication Servers" tab.
14. Click on the "Actions" menu to the right of the line for the server you created earlier and select "Update Group Mappings".
15. Complete your Group Mappings as desired. Click on the "+" at the top to add additional lines.
- Domain Admin and Organization Admin fields already exist as presets.
- Important note: even with mapped "groups" associated, these mappings simply establish the Domain and Org Admin users. These aren't technically groups, and as such you will have to locate them by name individually to modify or update them.
16. Click "Submit" to complete your Group Mappings.
- If you do nothing, Okta will sync hourly and update your mapping.
- If any user logs in, that will kick off the synchronization process.
- To manually sync, click the actions menu and select "Synchronize Users".
- You can verify the sync by checking out the "View Logs" option under the actions menu, or by visiting the "User Groups" tab to watch the user count increase.
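The hourly sync and the manual "Synchronize Users" action both reconcile InsightCloudSec group membership against the group lists the IdP returns. The following Python example is added here and is not InsightCloudSec code; it models that reconciliation on constructed data so you can see what the sync changes and what it refuses to touch: only mapped groups are reconciled, the InsightCloudSec group name must match the mapping exactly (case sensitive, as noted in Step #11), unmapped IdP groups such as "Everyone" are ignored, and a SAML user whose username collides with a pre-existing local account is reported as a conflict rather than merged. The group names, usernames and local state are all assumptions.

```python
"""Model the periodic group-membership sync between an IdP and InsightCloudSec.

Added example on constructed data; it plans changes rather than calling any API.
"""

# Constructed: mappings as entered under "Update Group Mappings".
# Keys are IdP group names, values are InsightCloudSec group names.
GROUP_MAPPINGS = {
    "DivvyReadOnly": "ReadOnly",
    "DivvyCloudOps": "CloudOps",
    "DivvyAuditors": "auditors",   # wrong case; the local group is "Auditors"
}

# Constructed: memberships the IdP reports (what the read-only API key fetches).
IDP_MEMBERSHIP = {
    "DivvyReadOnly": {"jdoe@example.com", "asmith@example.com"},
    "DivvyCloudOps": {"asmith@example.com", "newhire@example.com"},
    "DivvyAuditors": {"jdoe@example.com"},
    "Everyone": {"jdoe@example.com", "asmith@example.com", "newhire@example.com"},
}

# Constructed: current InsightCloudSec state.
LOCAL_GROUPS = {
    "ReadOnly": {"jdoe@example.com", "leaver@example.com"},
    "CloudOps": {"asmith@example.com"},
    "Auditors": set(),
}
LOCAL_USERS = {                     # username -> how the account was created
    "jdoe@example.com": "saml",
    "asmith@example.com": "saml",
    "leaver@example.com": "saml",
    "newhire@example.com": "local",  # pre-existing local account, same username
}


def plan_sync(mappings, idp_membership, local_groups, local_users):
    """Return the changes one sync run would apply, without applying them."""
    plan = {"create_users": set(), "add": [], "remove": [],
            "conflicts": set(), "skipped_groups": []}
    for idp_group, local_group in mappings.items():
        # Exact, case-sensitive match between mapping and local group name.
        if local_group not in local_groups:
            plan["skipped_groups"].append(local_group)
            continue
        desired = set(idp_membership.get(idp_group, set()))
        current = local_groups[local_group]
        for user in sorted(desired - current):
            if local_users.get(user) == "local":
                # Username already taken by a local account: admin must resolve.
                plan["conflicts"].add(user)
                continue
            if user not in local_users:
                plan["create_users"].add(user)
            plan["add"].append((user, local_group))
        for user in sorted(current - desired):
            # Left the IdP group (or left the company): drop the membership.
            plan["remove"].append((user, local_group))
    return plan


def apply_plan(plan, local_groups):
    """Apply a plan to a copy of the local group state and return the copy."""
    updated = {name: set(members) for name, members in local_groups.items()}
    for user, group in plan["add"]:
        updated[group].add(user)
    for user, group in plan["remove"]:
        updated[group].discard(user)
    return updated


if __name__ == "__main__":
    plan = plan_sync(GROUP_MAPPINGS, IDP_MEMBERSHIP, LOCAL_GROUPS, LOCAL_USERS)
    for key, value in plan.items():
        print(f"{key}: {sorted(value)}")
    print(apply_plan(plan, LOCAL_GROUPS))
```

The "skipped_groups" and "conflicts" entries are the two things to look for in "View Logs" when a sync does not produce the user count you expect: a mapping that does not match a local group name exactly, or a SAML username that is already taken locally.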