Single Sign-On
SAML Authentication Workflow
Service Provider Initiated
- The user lands on the ReflexSOAR login page
- The user enters their e-mail address and clicks `Login with SSO` instead of `Login`
- The user is redirected to the `/api/v2.0/ssostart` endpoint, where the SAML realm configuration for their logon domain is fetched
- The user is redirected to their IdP for authentication
- The user is redirected back to `/api/v2.0/sso/<organization_uuid>/acs`
- An `access_token` and `refresh_token` are placed in the user's cookies
- The user is redirected to `/#/dashboard`
- The `access_token` and `refresh_token` cookies are consumed and moved to Local Storage, and the `Authorization` header is set
- The user is logged in
Important Authentication Scenarios
- If a user is `locked` in ReflexSOAR and successfully authenticates via their Identity Provider, their access is still rejected by ReflexSOAR.
- If a user does not exist in ReflexSOAR and successfully authenticates via their Identity Provider, their access is rejected by ReflexSOAR unless Automatic User Provisioning is enabled.
Adding an SSO Realm
- Navigate to System > Settings > Authentication
- Select `Add Realm`
- Configure the IdP `Entity ID`, `SignOn Service` URL and `Logout Service` URL
- Add the IdP certificate in CER format
- Provide the logon domains for this realm (Note: logon domains determine which SSO realm a user is sent to when more than one realm is configured)
- OPTIONAL - Enable `Automatic User Provisioning`
- OPTIONAL - Adjust the Advanced Settings as required by the IdP
- Save the Realm
Mapping Users to Roles
ReflexSOAR supports automatically mapping Identity Provider authenticated users to internal ReflexSOAR roles. To do this, navigate to Settings > Authentication > Role Mapping > Create Role Mapping and supply the SAML attribute, a value (or wildcard pattern) to match, and the role to map to.
Examples
Attribute | Value | Role |
---|---|---|
groups | ReflexAdmins | Admin |
groups | ReflexAnalysts | Analyst |
groups | IT-* | Viewer |
Automatic User Provisioning
ReflexSOAR can be configured to automatically provision new users that the configured Identity Provider has authenticated. On the User Provisioning tab of the SSO Provider creation wizard, check the box for `Auto Provision Users` and select the `Default Role`.
Role Assignment
If you have configured Automatic Role Mapping, a provisioned user's roles are set to their mapped roles rather than the Default Role.
Required SAML Attributes
Automatic User Provisioning requires the SAML assertion to carry every attribute needed to create the user. The table below lists what is expected.
Attribute | Maps To |
---|---|
first_name | First Name |
last_name | Last Name |
username | User Alias |
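As an added example (written for this page, not ReflexSOAR's own code), the following Python models the decisions described in the Important Authentication Scenarios, Mapping Users to Roles and Automatic User Provisioning sections above: realm selection by logon domain, wildcard role mapping such as `IT-*`, rejection of locked or unknown users, and the required-attribute check before a user is provisioned. The `Realm` and `User` structures, the function names and the sample assertion are assumptions made for illustration; the code parses only the assertion's attribute statement and assumes the SAML response's signature has already been validated by the SAML library before any of this logic runs.

```python
# Added example for this page, not ReflexSOAR's own code. Realm/User shapes,
# function names and the sample assertion are assumptions; signature
# validation of the SAML response is assumed to have happened already.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
REQUIRED_ATTRIBUTES = {"first_name", "last_name", "username"}  # per the table above


@dataclass
class Realm:
    name: str
    logon_domains: set
    auto_provision: bool = False
    default_role: str = "Viewer"
    role_mappings: list = field(default_factory=list)  # (attribute, pattern, role)


@dataclass
class User:
    email: str
    locked: bool = False
    roles: set = field(default_factory=set)


def select_realm(email, realms):
    """Route the user to the realm whose logon domains include their e-mail domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    return next((r for r in realms if domain in {d.lower() for d in r.logon_domains}), None)


def parse_attributes(assertion_xml):
    """Collect every <Attribute Name=...> from the assertion into {name: [values]}."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iter(NS + "Attribute"):
        values = [v.text or "" for v in attr.findall(NS + "AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_roles(realm, attrs):
    """A mapping matches when any value of the attribute fits the shell-style pattern."""
    return {role for attribute, pattern, role in realm.role_mappings
            if any(fnmatchcase(v, pattern) for v in attrs.get(attribute, []))}


def authorize_sso_login(email, assertion_xml, realms, users):
    """Decide what happens after the IdP has authenticated the user; returns (decision, user)."""
    realm = select_realm(email, realms)
    if realm is None:
        return "rejected: no realm for logon domain", None
    attrs = parse_attributes(assertion_xml)
    mapped = map_roles(realm, attrs)
    key = email.lower()
    if key in users:
        user = users[key]
        if user.locked:                      # locked users are rejected even after IdP success
            return "rejected: account locked", user
        if mapped:                           # mapped roles override whatever was assigned before
            user.roles = mapped
        return "allowed", user
    if not realm.auto_provision:             # unknown users need provisioning to be enabled
        return "rejected: unknown user, auto provisioning disabled", None
    missing = REQUIRED_ATTRIBUTES - {k for k, v in attrs.items() if v and v[0]}
    if missing:                              # cannot build the user without first/last/username
        return f"rejected: assertion missing {sorted(missing)}", None
    user = User(email=key, roles=mapped or {realm.default_role})
    users[key] = user
    return "provisioned", user


# Constructed sample assertion (attribute statement only) for the demo below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>alovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>IT-Helpdesk</saml:AttributeValue>
      <saml:AttributeValue>ReflexAnalysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NO_LAST_NAME = SAMPLE_ASSERTION.replace(
    '<saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>', "")


def demo():
    """Run the scenarios from this page against one realm; returns {scenario: decision}."""
    realm = Realm("Corp", {"example.com"}, auto_provision=True, role_mappings=[
        ("groups", "ReflexAdmins", "Admin"), ("groups", "ReflexAnalysts", "Analyst"), ("groups", "IT-*", "Viewer")])
    users = {"locked@example.com": User("locked@example.com", locked=True)}
    out = {
        "locked": authorize_sso_login("locked@example.com", SAMPLE_ASSERTION, [realm], users)[0],
        "wrong_domain": authorize_sso_login("ada@other.org", SAMPLE_ASSERTION, [realm], users)[0],
        "missing_attr": authorize_sso_login("bob@example.com", NO_LAST_NAME, [realm], users)[0],
        "provisioned": authorize_sso_login("ada@example.com", SAMPLE_ASSERTION, [realm], users)[0],
    }
    out["provisioned_roles"] = sorted(users["ada@example.com"].roles)
    realm.auto_provision = False
    out["unknown_no_provision"] = authorize_sso_login("carol@example.com", SAMPLE_ASSERTION, [realm], users)[0]
    return out


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

Note that the user provisioned from the sample assertion ends up with both `Analyst` and `Viewer`, because `ReflexAnalysts` matches one mapping and `IT-Helpdesk` matches the `IT-*` pattern; the `Default Role` is only used when no mapping matches at all, which is the Role Assignment rule stated above.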