Set up Microsoft Azure in Cortex XSOAR as the identity provider for Cortex XSOAR users. SAML 2.0.
You can authenticate your Cortex XSOAR users using SAML 2.0 authentication and Microsoft Azure (Azure) as the identity provider. To set up Azure, you need to do the following:
Troubleshooting (generic - known errors)
The following are known issues when using Single sign on in Azure:
Method Not Allowed: Ensure the /saml endpoint is used for the Service Provider Entity ID and Reply URL for the IdP and Service Provider, in the format https://demisto-dns/saml.
{"id":"errSAMLLogin","status":400,"title":"Failed to login via SAML","detail":"Failed to login via SAML","error":"","encrypted":false,"multires":null}: Most likely an attribute mapping issue. Ensure that all attributes that appear in the Cortex XSOAR SAML 2.0 configuration are reflected in the Azure claims and the associated SAML assertion. Attributes are case sensitive. You may also receive this message if you select the Don't map SAML groups to Demisto Roles checkbox and you do not define a role in Default role (for IdP users without groups) in the SAML 2.0 configuration.
After connecting through SSO, a user may briefly see the home screen but is immediately returned to the login page. The user has no group assigned, so they cannot log in.
Check the group mapping and verify that the memberOf attribute is correct. As a workaround, if you did not set the group mapping, you can use the Default role (for IdP users without groups) in the SAML 2.0 configuration. If a user belongs to many groups, the identity provider may return an attribute of the form https://graph.windows.net/{tenantID}/users/{userID}/getMemberObjects instead of the actual roles, causing Cortex XSOAR authentication to fail. In this case, you can configure Azure AD to return only the groups assigned to the application, with source attribute Group ID. Note that this option is not officially supported by Cortex XSOAR.
Configure Microsoft Azure to Authenticate Cortex XSOAR
Set up your Microsoft Azure account to authenticate Cortex XSOAR users. Create groups, configure application. SAML 2.0.
You need to authenticate Cortex XSOAR in your Azure account and then create a SAML 2.0 instance in Cortex XSOAR.
In the Azure Portal, create new groups to match the Cortex XSOAR roles.
For example, Cortex XSOAR comes out of the box with the Administrator, Analyst, and Read-Only roles. You need to create a matching group for each of these roles in Azure.
From the home page, select → → . Add the Administrator group.
You can add existing users to this group now or at a later stage.
You can also allow Azure AD Group Owners to add or modify users in the group. Groups can be populated manually or dynamically, by user or by device (see the options under Membership type); defer to your Azure administrator for the choice. One option is for Cortex XSOAR to populate the group membership as part of a custom playbook for bulk user provisioning.
Click Create.
Repeat these steps for each group required. For example, analyst, read-only user, etc. It is recommended, as a minimum, to create a group for each role.
Create a Non-Gallery application.
From the home page, select → . Select Non-gallery application.
Type the name of your application and click Add.
The page redirects to the Overview page. Copy the Object ID for future reference.
Assign Groups to the new application.
In the Getting Started section, click Assign users and groups.
Click → . Select the groups that you created in Step 1.
Repeat for all other groups created.
Set up SSO configuration for the application.
In the Set up single sign on field, click Get started.
Click SAML.
In the Basic SAML Configuration section, add the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL).
Use the format https://<XSOAR Server FQDN>/saml
To use SP-initiated SSO, in the Sign on URL field, add the URL in the format https://<XSOAR Server FQDN>/#/login
Users can then sign in from the Cortex XSOAR login page: an authorization request is sent to Azure, and after authentication the user is logged in to Cortex XSOAR.
In the User Attributes & Claims section, click the edit icon and add the following attributes and values as required.
Ensure the attribute names match the names in Cortex XSOAR, when defining the instance.
To add a group claim, click Add a group claim.
In the Group Claims (Preview) window, select Security groups.
In the Advanced options section, select the Customize the name of the group claim and Emit groups as role claims check boxes.
Click Save.
Copy the additional claims details in text format as these are added when you Configure the SAML 2.0 Integration for Azure.
If you are setting up an SMS integration (such as Twilio), add a new claim for the phone attribute that references the users' directory phone numbers.
Copy the App Federation Metadata Url, Login URL and Logout URL fields, which are needed to configure the instance in Cortex XSOAR.
(Optional) Add a new certificate.
In the SAML Signing Certificate section, click the edit button.
Click New Certificate.
In the Signing Option field, from the drop down list, select Sign SAML response and assertion.
Click Save.
Ensure the status is active in Section 3.
In section 3, download the Certificate (Base 64) for future use.
Generate a private key for assertion signing. For example, type the following command:
openssl genrsa -out saml.key 2048
Save the private key (for example, in a text editor) for later configuration.
You can now add an instance in Cortex XSOAR, as described in Configure the SAML 2.0 Integration for Azure.
Configure the SAML 2.0 Integration for Azure
Configure an instance of SAML 2.0 integration for Microsoft Azure in Cortex XSOAR.
After you have configured Azure to authenticate on Cortex XSOAR, you can then configure an integration instance for SAML 2.0 in Cortex XSOAR.
Create a SAML 2.0 integration instance.
Go to → → . Search for SAML 2.0 and click Add instance to configure a new integration.
Add the metadata/URL parameters from Azure to Cortex XSOAR.
Cortex XSOAR field | Azure Portal field
---|---
Service Provider Entity ID | Identifier (Entity ID) (Basic SAML Configuration section)
IdP metadata URL | App Federation Metadata URL (SAML Signing Certificate section)
IdP SSO URL | Login URL (SAML Signing Certificate section)
The following Azure metadata/URL information has been added to the SAML 2.0 attributes in Cortex XSOAR:
In the following fields, copy the Azure attributes exactly as they appear in Azure (in Azure, go to → ). For example, in the Attribute to get email field, type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. In this example, we have the following Claim Names:
Cortex XSOAR SAML 2.0 field | Azure Portal Claim Name Examples
---|---
Attribute to get username | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Attribute to get email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Attribute to get first name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Attribute to get last name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Attribute to get groups | http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Add the phone attribute, if required.
Select Verify the IdP response signature and add the IdP public certificate, which you downloaded in step 5.5 in Configure Microsoft Azure to Authenticate Cortex XSOAR.
If your Identity Provider requires signed authentication requests, select Sign request and input the public/private certificate pair generated for Cortex XSOAR.
Select the ADFS and Compress encode URL (ADFS) checkboxes.
In the Service Identifier (ADFS) field, copy the characters after the appid value, which can be found at the end of the App Federation Metadata URL (section 3 in SAML Signing Certificate).
In the IdP Single Logout URL field, copy the Logout URL from Azure (section 4).
In the Single Logout Service Endpoint field, add the details in the following format:
https://<cortex xsoar-url>/saml-logout
To verify that the settings are successful, in the instance settings, click Get service provider metadata.
For a full list and descriptions of the fields, see SAML 2.0 Azure Parameters.
If you click Test, an error is displayed similar to this:
You need to log in with a user to test the instance. It is recommended to test this on the Azure app as well, as it provides detailed error reports and troubleshooting.
Map the Azure groups to Cortex XSOAR roles.
In Microsoft Azure, select → → → → . Copy the Object ID.
For example, we created a group, called XSOAR Administrator.
In Cortex XSOAR, go to → → . Create or edit an existing role, as described in Define a Role.
In the SAML Roles Mapping field, type the Object ID that you copied in Step 2.b.
Click Save.
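The checks that the steps above and the Troubleshooting section rely on (claim names that match the instance configuration exactly and case-sensitively, the getMemberObjects overage attribute instead of groups, and group Object IDs mapped to roles with the Default role as fallback) as a diagnostic script. This is an added example, not Cortex XSOAR or Microsoft code; it assumes the claim names from the table above, a decoded (base64-removed) SAML assertion, and a hypothetical group Object ID and role map.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names exactly as typed into the Cortex XSOAR SAML 2.0 instance (case sensitive).
XSOAR_ATTRS = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
# Marker of the Azure group-overage link described under Troubleshooting.
OVERAGE_MARKER = "/getMemberObjects"

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from a decoded SAML assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def check_mapping(attrs, role_map, default_role=None):
    """Report missing claims, group overage and the Cortex XSOAR roles that would resolve."""
    problems = []
    for field, name in XSOAR_ATTRS.items():
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name.lower()]  # same name, wrong case
            hint = f" (found {near[0]} with different case)" if near else ""
            problems.append(f"missing claim for '{field}': {name}{hint}")
    groups = attrs.get(XSOAR_ATTRS["groups"], [])
    if any(OVERAGE_MARKER in g for g in groups):
        problems.append("group overage: IdP returned a getMemberObjects link instead of groups")
    roles = sorted({role_map[g] for g in groups if g in role_map})
    if not roles and default_role:
        roles = [default_role]  # Default role (for IdP users without groups)
    if not roles:
        problems.append("no group maps to a role and no default role is set; login bounces back")
    return {"problems": problems, "roles": roles}

# Constructed sample assertion (not a real capture); the email claim deliberately has wrong case.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/EmailAddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"><saml:AttributeValue>00000000-0000-0000-0000-00000000aaaa</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
# Hypothetical group Object ID -> role, as entered in the SAML Roles Mapping field.
ROLE_MAP = {"00000000-0000-0000-0000-00000000aaaa": "Administrator"}

if __name__ == "__main__":
    print(check_mapping(parse_attributes(SAMPLE_ASSERTION), ROLE_MAP, default_role="Read-Only"))
```

Run it against an assertion captured from a browser SAML tracer (decoded, not the raw base64 form) to see which claim name or group mapping is the one that bounces a user back to the login page.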
SAML 2.0 Azure Parameters
Describes the SAML 2.0 parameters for Microsoft Azure as an identity provider.
The following table describes the SAML 2.0 parameters for Azure, when adding a new instance in Cortex XSOAR:
Attribute | Description
---|---
Name | A name for the integration instance.
Service Provider Entity ID | The URL of your Cortex XSOAR server (also known as an ACS URL), in the format https://<XSOAR Server FQDN>/saml.
IdP metadata URL | The URL of your organization's IdP metadata file. Copy this from the App Federation Metadata URL in the SAML Signing Certificate section in Azure.
IdP metadata file | Your organization's IdP metadata file. You need to add either the IdP metadata URL or the file.
IdP SSO URL | The URL of the IdP application that corresponds to Cortex XSOAR. Copy this from the Login URL field in the SAML Signing Certificate section.
Attribute to get username | Attribute in your IdP for the user name. Copy this URL from the User Attributes & Claims section. See step 4.10 (additional claim details) in Configure Microsoft Azure to Authenticate Cortex XSOAR. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.
Attribute to get email | Attribute in your IdP for the user's email address. Copy this URL from the User Attributes & Claims section. See step 4.10 (additional claim details) in Configure Microsoft Azure to Authenticate Cortex XSOAR. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
Attribute to get first name | Attribute in your IdP for the user's first name. Copy this URL from the User Attributes & Claims section. See step 4.10 (additional claim details) in Configure Microsoft Azure to Authenticate Cortex XSOAR. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
Attribute to get last name | Attribute in your IdP for the user's last name. Copy this URL from the User Attributes & Claims section. See step 4.10 (additional claim details) in Configure Microsoft Azure to Authenticate Cortex XSOAR. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname.
Attribute to get phone | (Optional) Attribute in your IdP for the user's phone number, if available. Copy this URL from the User Attributes & Claims section. See step 4.10 (additional claim details) in Configure Microsoft Azure to Authenticate Cortex XSOAR. For example,
Attribute to get groups | Attribute in your IdP for the groups of which the user is a member. Copy this URL from the User Attributes & Claims section. See step 4.10 (additional claim details) in Configure Microsoft Azure to Authenticate Cortex XSOAR. For example, http://schemas.microsoft.com/ws/2008/06/identity/claims/role.
Groups delimiter | Groups list separator. Value:
Default role (for IdP users without groups) | Role to assign to the user when they are not a member of any group. For example,
RelayState | Only used by certain IdPs. If your IdP uses relay state, you need to supply the relay state.
Verify IDP public certificate | The Certificate (Base64) you downloaded in step 5.5 in Configure Microsoft Azure to Authenticate Cortex XSOAR.
Sign Request | Method for the IdP to verify the user sign-in request using the IdP vendor certificate.
Service Provider Private key (pem format) | Private key for your IdP, in PEM format. Created locally by the user who wants to use SAML. The public key is uploaded to Azure.
Do not validate server certificate (insecure) | Select this check box if the Azure server uses a self-signed certificate.
Use system proxy settings | Select the check box to use proxy settings.
ADFS | Whether the server uses ADFS.
Compress encode URL (ADFS) | (Mandatory) Select the check box to compress encode URL (ADFS). If not, you may receive a
Service identifier (ADFS) | Add the characters after the appid value at the end of the App Federation Metadata URL.
Don't map SAML groups to Demisto roles | SAML groups are not mapped to Cortex XSOAR roles. Default roles are assigned and you can select them later.
Get service provider metadata | Enables you to verify that the settings are successful.
IdP Single Logout URL | This functionality ends the user's session in Azure when logging out.
Single Logout Service Endpoint | The URL of the single logout endpoint.
Use this instance for external authentication only | Limits this instance to authenticating external (non-Cortex XSOAR) users when they answer a survey sent via a communication task in a playbook.