
SAML

note

This guide applies to Spectra Analyze and Spectra Detect Manager.

Identity Provider setup

With your Identity Provider (IdP), create and configure the Spectra application. In this setup, the Spectra appliance is a Service Provider (SP). Depending on the IdP, different values are required to set up an SP. In addition, the SAML response issued by the IdP when logging in to an SP may have different default values.

Information required by the IdP usually involves the following:

  • Entity ID
    • This is the unique identifier of the SP, and is usually based on a URL.
    • For Spectra appliances, Entity ID is configurable (see below).
  • ACS
    • This is the Assertion Consumer Service, or the address where the Identity Provider sends a SAML response.
    • In some providers, this is also called a Reply URL or Single sign-on URL.
    • For Spectra appliances, this is: <Appliance URL>/saml2/acs/
  • Login URL
    • This is not a required field in some Identity Providers.
    • For Spectra appliances, this is: <Appliance URL>/accounts/login/
  • Attribute Statements
    • These are the claims to be sent back to the Service Provider (SP).
    • Required attributes: email and userName (which can also be an email).
    • Optional attributes
  • Group Attribute Statements
    • Some IdPs have a separate setting for groups.
    • It is common to send all groups using a regex like .*. The Service Provider (SP) will then match the relevant groups.

Assign the users who need access to the appliance to one group, and also assign admin users (or Superusers) to an additional group. Then, assign both groups to the Spectra application.

Note: You can create a third group specifically for users to whom you want to explicitly deny access.

After configuring the application in the IdP, export an XML metadata file.
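The values listed above can be derived from the appliance URL and handed to the IdP as SP metadata. The following script is an added example and not ReversingLabs code; it assumes the HTTP-POST binding for the ACS endpoint and the WantAssertionsSigned flag (neither is stated on this page), uses the example appliance address from the Entity ID section, and leaves the Login URL out because standard SAML metadata has no slot for it.

```python
"""Derive the SP values a Spectra appliance needs and emit SP metadata.

Added example, not ReversingLabs code. Assumptions: HTTP-POST binding for the
ACS endpoint and WantAssertionsSigned="true" (a safe default, not something the
page states). The Login URL is a Spectra page, not a SAML metadata element.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  # assumed binding


def sp_endpoints(appliance_url: str, entity_suffix: str = "/sp") -> dict:
    """Return the Entity ID, ACS and Login URL for an appliance address."""
    base = appliance_url.rstrip("/")  # avoid a double slash in the paths below
    return {
        "entity_id": base + entity_suffix,
        "acs": base + "/saml2/acs/",
        "login": base + "/accounts/login/",
    }


def build_sp_metadata(appliance_url: str) -> str:
    """Serialize minimal SP metadata (EntityDescriptor with one ACS endpoint)."""
    ep = sp_endpoints(appliance_url)
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=ep["entity_id"])
    sso = ET.SubElement(
        root,
        f"{{{MD_NS}}}SPSSODescriptor",
        protocolSupportEnumeration=PROTOCOL,
        AuthnRequestsSigned="false",
        WantAssertionsSigned="true",  # assumption: require signed assertions
    )
    ET.SubElement(
        sso,
        f"{{{MD_NS}}}AssertionConsumerService",
        Binding=POST_BINDING,
        Location=ep["acs"],
        index="0",
        isDefault="true",
    )
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_sp_metadata("https://example.reversinglabs.com"))
```

The trailing slash on `/saml2/acs/` matters: an IdP configured with `/saml2/acs` (no slash) may hit a redirect that drops the POSTed SAML response, so copy the ACS value exactly as shown.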

Service Provider setup

In Spectra Analyze: Administration > Configuration > Authentication > User Directory: SAML

In Spectra Detect: Administration > Spectra Detect Manager > Authentication > User Directory: SAML

Within the Spectra appliance, configure the following fields.

Entity ID

Unique identifier for the SP. An example setup would be to use the appliance address + a suffix, such as /sp. For example, https://example.reversinglabs.com/sp.

Federation metadata file

This is the XML file exported from the Identity Provider.

Claim mapping

The values provided here are the attributes (fields) in the Identity Provider’s SAML response that are to be used in the Spectra appliance. These can have different values, depending on how you configure them on the IdP. Username and E-mail are required fields.

For example, if you have the following attributes in your IdP:

  • userName
  • email
  • groups

...add them in this section. You can also use a single attribute to populate several fields in the Spectra appliance. For example, if you have an email attribute in your IdP, you can list email twice here: once for the username, and once for the email. The remainder of the fields can be left blank.

Multiple users can share the same email attribute. If that is the case, email can't be used for a username because a username must be unique. Usernames are also case-insensitive: for example, if a user "john" exists, another user "John" can't be added.

User access

In this section, set one or more group IDs which correspond to specific actions or permissions you wish to enforce. For example, if you set up a Superuser flag group called manager-admin and add certain users to that group within your Identity Provider, then only those users will have superuser (admin) privileges on the appliance.

Certain Identity Providers don’t expose the names of groups, and instead use an ID like this one: bcbd79b7-784f-43f2-af70-4dd67cbbc463. In these cases, use that instead of the group name.

note

When using groups, Superusers must also be included in a regular user group (Active or Require). The Active and Require groups function the same way, so you do not need to use both.
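The Claim mapping and User access rules above can be checked against a sample SAML response. The following is an added example and not ReversingLabs code: the AttributeStatement is constructed and unsigned (a real SP verifies the IdP signature before reading any attribute), the group names `spectra-users` and `spectra-denied` and the existing-user list are invented, and the deny-group-wins ordering is an assumption the page does not spell out. The superuser group uses the opaque ID from the page to show the group-ID case.

```python
"""Apply a Spectra-style claim mapping and group-based access rules.

Added example, not ReversingLabs code. The assertion is constructed and
unsigned; group names and existing users are invented. Assumed rule order:
deny group wins, then an Active/Require group is required, then superuser.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AttributeStatement, as an IdP might send it when userName,
# email and a groups attribute (regex .*) are configured.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="userName">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>spectra-users</saml:AttributeValue>
      <saml:AttributeValue>bcbd79b7-784f-43f2-af70-4dd67cbbc463</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Claim mapping as entered on the appliance: appliance field -> IdP attribute.
CLAIM_MAPPING = {"username": "userName", "email": "email", "groups": "groups"}

# User access groups (invented names; the superuser entry is a group ID,
# for IdPs that do not expose group names).
ACCESS_GROUPS = {
    "active": {"spectra-users"},
    "superuser": {"bcbd79b7-784f-43f2-af70-4dd67cbbc463"},
    "deny": {"spectra-denied"},
}


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


def map_claims(attrs: dict, mapping: dict = CLAIM_MAPPING) -> dict:
    """Apply the claim mapping; username and email are required fields."""
    mapped = {}
    for field, attr_name in mapping.items():
        values = attrs.get(attr_name, [])
        mapped[field] = values if field == "groups" else (values[0] if values else None)
    missing = [f for f in ("username", "email") if not mapped.get(f)]
    if missing:
        raise ValueError(f"required claim(s) missing: {', '.join(missing)}")
    return mapped


def evaluate_access(groups, access=ACCESS_GROUPS) -> dict:
    """Deny wins; a superuser must also be in a regular (Active/Require) group."""
    g = set(groups)
    if g & access["deny"]:
        return {"allowed": False, "superuser": False, "reason": "deny group"}
    if not g & access["active"]:
        return {"allowed": False, "superuser": False, "reason": "no user group"}
    return {"allowed": True, "superuser": bool(g & access["superuser"]), "reason": "ok"}


def username_conflicts(username: str, existing) -> bool:
    """Usernames are case-insensitive: 'John' conflicts with an existing 'john'."""
    return username.casefold() in {u.casefold() for u in existing}


if __name__ == "__main__":
    claims = map_claims(extract_attributes(SAMPLE_ASSERTION))
    print(claims, evaluate_access(claims["groups"]))
```

Mapping `email` to both the username and the e-mail field is just `{"username": "email", "email": "email", ...}` in `CLAIM_MAPPING`; `username_conflicts` is the check that makes this unsafe when several IdP accounts share one e-mail address.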

Allow unsolicited responses from IdP

There are two ways of logging in using SAML:

  1. Going to the appliance login page and clicking Login Using SSO.
  2. Opening the Identity Provider’s dashboard and logging in to the appliance from there.

If you wish to enable logging in from a dashboard, mark this checkbox.