Set up Azure AD as the Identity Provider Using SAML 2.0

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-04-17
Category: User Guide
Solution: Cloud
Abstract

Use Azure AD to authenticate your Cortex Xpanse users.

This topic provides specific instructions for using Azure AD to authenticate your Cortex Xpanse users. As Azure AD is third-party software, specific procedures and screenshots may change without notice. We encourage you to also review the Azure AD documentation.

To configure SAML SSO in Cortex Xpanse, you must be a user who can access the Cortex Xpanse tenant and have either the Account Admin or Instance Admin role assigned.

The following video is a step-by-step guide to configuring SSO for Azure AD. It shows Cortex XDR, but the same steps apply to Cortex Xpanse.

Within Azure AD, assign users to security groups that match the user groups they will belong to in Cortex Xpanse. Users can be assigned to multiple Azure AD groups and receive permissions associated with multiple user groups in Cortex Xpanse. Use an identifying word or phrase, such as Cortex Xpanse, within the group names. For example, Cortex Xpanse Analysts. This allows you to send only relevant group information to Cortex Xpanse, based on a filter you will set in the group attribute statement.

  1. In the Single Sign-On tab, toggle SSO Disabled to on.

    By default, SSO is disabled in Cortex Xpanse.

  2. Expand the SSO Integration settings.

  3. Copy and save the values for Single Sign-On URL and Audience URI (SP Entity ID).

    Both values are needed to configure your IdP settings.

  4. You cannot save the enabled SSO Integration at this time, as it requires values from your IdP.

  1. From within Azure AD, create a Cortex Xpanse application and Edit the Basic SAML Configuration.

  2. Paste the Single sign-on URL and the Audience URI (SP Entity ID) that you copied from the Cortex Xpanse SSO settings. Paste the Single sign-on URL from Cortex Xpanse in the Reply URL and the Sign on URL fields. Paste the Audience URI (SP Entity ID) value from Cortex Xpanse in the Identifier (Entity ID) and Relay State fields. This allows users to log in to Cortex Xpanse directly from Azure AD.

  3. In the SAML Certificates section, click Edit and verify that Azure is configured to sign both the response and the assertion.

  4. To have Azure AD send group membership for the user in the SAML token, you must + Add a group claim in the Attributes & Claims section. Send the Security groups, using the source attribute Group ID. Use the word or phrase you selected when configuring Azure AD security groups (such as Cortex Xpanse) to create a filter. Customize the name of the group claim as memberOf.

  5. In addition to group membership, verify that there are also claims for:

    • Email address

    • First Name

    • Last Name

  1. In Azure, from the Single sign-on page, in the Set up Cortex Xpanse Production section, copy the values for the Login URL and Azure AD Identifier. You need these values to configure the SSO Integration in Cortex Xpanse.

  2. Edit Attributes & Claims and copy the values in the Claim name column. The claim name is case sensitive. You need these values to configure the SSO Integration in Cortex Xpanse.

    Note

    The default attributes shown on the main single sign-on page in Azure AD are not the values you need. You must click Edit next to Attributes and Claims to view and copy the actual values.


From the SAML Certificates section in Azure AD, Download the Certificate (Base64). You need the contents of this file to configure the Cortex Xpanse SSO Integration.


The claim for the membership attribute that is sent to Cortex Xpanse uses the Object Id of the group. The Object Id is different from the Azure AD security group name. You can find the Object Id for each of your Azure AD security groups by navigating to Users and groups in Azure AD, clicking on the group name, and viewing the Object id. Create a list of the group names and corresponding Object Ids for every Azure AD security group you want to map to a Cortex Xpanse user group.

  1. By default, SSO is disabled in Cortex Xpanse.

  2. Expand the SSO Integration settings.

  3. Use the following table to complete the SSO Integration settings, based on the values you saved from Azure AD.

    | Azure AD | Cortex Xpanse Field |
    |---|---|
    | Login URL | IdP SSO URL |
    | Azure AD Identifier | IdP Issuer ID |
    | Contents of the downloaded certificate file. | X.509 Certificate |

  4. In the IdP Attributes Mapping section, enter the attribute claim names from Azure AD. The names are case sensitive and must match exactly.

  5. (Optional) Under Advanced Settings, select the checkboxes for ADFS and Compress encode URL (ADFS). In some circumstances, these fields may be required by your Azure AD configuration.

  6. Save your settings.

  1. Right-click a user group and select Edit Group.

  2. In the SAML Group Mapping field, add the Azure AD group(s) Object Ids that should be associated with this user group. Multiple Object Ids should be separated with a comma. The Azure AD group Object Id must match the exact value sent in the token.

  3. Save your settings.

  4. Repeat for each user group.

  1. Go to the Cortex Xpanse tenant URL and Sign-In with SSO.

    Note

    When using SAML 2.0, users are required to authenticate by logging in directly at the tenant URL. They cannot log in via the Cortex Gateway.

  2. After authentication to Azure AD, you are redirected again to the Cortex Xpanse tenant.

  3. Once logged in, validate that you have been assigned the proper roles.

    To view your role and any user group role to which you belong, click your name in the bottom left-hand corner, and click About.
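
When the SSO test fails or the assigned roles are wrong, the settings above can be checked offline against a decoded SAML response captured from a test login. The Python below is an added example, not code from Palo Alto Networks or Microsoft: it reports whether the response and the assertion each carry a signature element, whether the issuer matches the IdP Issuer ID, whether each configured claim name is present with exact case, and which `memberOf` Object Ids map to a user group. The function name, sample XML, issuer URL, Object Ids, group name and all claim names except `memberOf` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_response(xml_text, issuer, claim_names, group_map):
    """Return (findings, user_groups) for one decoded SAML response."""
    root = ET.fromstring(xml_text)  # parse only responses captured from your own IdP
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"], set()
    findings = []
    for label, node in (("Response", root), ("Assertion", assertion)):  # presence only
        if node.find("ds:Signature", NS) is None:  # direct child, not a nested signature
            findings.append(f"{label} is not signed")
    sent_issuer = assertion.findtext("saml:Issuer", "", NS).strip()
    if sent_issuer != issuer:
        findings.append(f"issuer {sent_issuer!r} != configured IdP Issuer ID")
    attrs = {a.get("Name"): [v.text.strip() for v in a.findall("saml:AttributeValue", NS) if v.text]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    by_lower = {name.lower(): name for name in attrs}
    for name in claim_names:  # names entered in IdP Attributes Mapping
        if name not in attrs:
            near = by_lower.get(name.lower())
            hint = f" (token sends {near!r}: case mismatch)" if near else ""
            findings.append(f"claim {name!r} not in token{hint}")
    groups = set()
    for oid in attrs.get("memberOf", []):  # group claim name used on this page
        if oid in group_map:
            groups.add(group_map[oid])
        else:
            findings.append(f"Object Id {oid} not in any SAML Group Mapping")
    return findings, groups

# Constructed sample: signed response, unsigned assertion, two group Object Ids.
A = '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>'
SAMPLE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
          'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature/>'
          '<saml:Assertion><saml:Issuer>https://idp.example/placeholder/</saml:Issuer>'
          '<saml:AttributeStatement>' + A % ("emailaddress", "a@example.com")
          + A % ("givenname", "Ada") + A % ("surname", "Lee")
          + '<saml:Attribute Name="memberOf">'
          '<saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>'
          '<saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>'
          '</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
GROUP_MAP = {"11111111-1111-1111-1111-111111111111": "Analysts"}  # Object Id -> user group
CLAIMS = ["emailAddress", "givenname", "surname", "memberOf"]  # first has wrong case
if __name__ == "__main__":
    print(check_response(SAMPLE, "https://idp.example/placeholder/", CLAIMS, GROUP_MAP))
```

The signature check only confirms that the elements are present; it does not validate them against the downloaded certificate.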