Configure user authentication for a communication task.
To ensure that only authorized users gain access to the form you sent, configure user authentication for the communication task.
The main use case is for external users. These are users who are not users in Cortex XSOAR. Upon authentication, external users will have access only to the form that is sent to them. They will not be able to access anything else in Cortex XSOAR.
Note
If you are using Active Directory and after following these instructions you see the error message could not find a provider to authenticate with, go to → → and add the following server configuration.
Key | Value |
---|---|
active.directory.auth.external.instance |
|
Set up your idP (for example, Okta) with a dedicated group for your external users who you want to authenticate.
Create the authentication integration. Currently, Cortex XSOAR supports SAML and Active Directory.
For the SAML integration, in the Service Provider Entity ID field, enter the URL of the server followed by /external-saml. For example, for external users:
https://localhost:8443/external-saml
.For the Active Directory integration, enter the relevant groups for the external users.
If using an engine to submit the form, use the URL of the engine, not the server.
If using an engine in a mulit-tenant environment, add the following to the d1.conf file:
saml.engine.redirect.to.<host name of the engine/host name of the server which the IDP redirects to>
.In the Task details of your communication task in your playbook, enable the Require users to authenticate option to have your SAML or AD authenticate the recipient before allowing them access to the form.
Note
By default, validation is turned on, to confirm that the user listed in the To field matches the user accessing the form. If you need to send forms to multiple email addresses or to a distribution list, add the server configuration key
external.form.validate.user
with the valuefalse
. All users in the dedicated group are able to access the form, but individual email addresses are not validated.