How to configure BYO SSO in USM Anywhere
Updated over 2 weeks ago

In order to use an SSO vendor to log in to a USM Anywhere instance, you need to create a new SSO configuration.

Only users with the Manager role can create, edit and delete SSO configurations.

Configuration

1. Go to Settings > Single Sign On.

2. Click New SSO.
The Add New SSO Configuration dialog box opens.

3. Enter the SSO configuration provided by your SSO vendor:

  • SSO Name: Enter any name you want; this name is shown on the Login page.

  • Identity ID: Provided by your SSO vendor.

  • Single Sign-On URL Endpoint: Provided by your SSO vendor.

  • Public Key: Provided by your SSO vendor.

4. Click Save.

5. An SSO Confirmation dialog opens. Click the checkbox to confirm your changes and click Confirm.

6. A new configuration has been created.

7. The system restarts to apply your changes. After the restart, go to the Login page to see your new SSO option.

8. Go back to the Single Sign On page and click the View button for your newly created SSO integration.

9. Use the information on this screen to configure the SAML settings in your SSO vendor's portal. The most important field is "Single Sign-On URL"; the rest may be optional depending on your SSO vendor.

10. (Optional) If you want to encrypt the assertions, use the certificate shown when you click Show more.

11. (Optional) Go to the Single Sign On page and click the Edit button. The Edit SSO Configuration dialog box opens.

12. (Optional) If you need it, enable SAML Mapping. The mapping depends on the attribute names sent in your SSO vendor's assertions.

  • If the attribute names your vendor sends differ from the following defaults, enter the names you use:

    • Email: email

    • Name: fullName

    • Role: roles

  • Add role name mapping if your vendor uses role names other than the USM Anywhere roles (you can add more than one vendor role for each type; press Enter after each entry). USM Anywhere role types:

    • Manager

    • Analyst

    • Read Only

    • Investigator

  • If a user does not have a role that maps to a USM Anywhere role, the user is assigned the "Read Only" role.

13. (Optional) Enable the SSO Required option under Settings > System > SSO settings. When enabled, it forces all users to log in through SSO (Manager users can always log in with their username and password). (Available from version 7.76)


Login using SSO

1. Go to the Login page and click the new Login with <SSO name> option at the bottom of the page.

2. You will be redirected to your SSO vendor’s page.

3. Once authenticated by the SSO vendor you will be redirected to the USM Anywhere home page.


User management

The following aspects must be taken into account when using the SSO service:

  • Manager users can always log in using their username and password. (Available from version 7.76)

  • If a non-manager user logs in with SSO, they can no longer use their username and password.

  • When a user logs in with SSO, the user's role is set according to the mapping configured between the SSO vendor roles and the USM Anywhere roles. If no role is defined or mapped, the user is assigned the Read Only role.

  • If the SSO configuration is deleted, all users can use their username and password again. Users created directly through SSO who never had a password can be sent the reset password email to obtain one. (Available from version 7.76)
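The SAML Mapping step above and the role note in this section describe the same rule: attribute names default to email, fullName and roles, vendor role values are mapped to a USM Anywhere role type, and anything missing or unmapped ends up as Read Only. The following is an added example, not USM Anywhere's own code, that applies that rule to a constructed assertion; the role map, the sample attribute values and the tie-break between several matching roles are assumptions of the example, and the assertion is taken as already signature-verified.

```python
import xml.etree.ElementTree as ET

# Namespace prefix used in SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names USM Anywhere looks for by default (see the SAML Mapping step).
DEFAULT_ATTRIBUTE_MAP = {"email": "email", "name": "fullName", "role": "roles"}

# Constructed role name mapping: USM Anywhere role -> vendor role values
# (one list entry per value added with Enter in the Edit SSO Configuration dialog).
EXAMPLE_ROLE_MAP = {
    "Manager": ["usm-admins"],
    "Analyst": ["soc-tier2", "soc-tier1"],
    "Investigator": ["ir-team"],
    "Read Only": ["auditors"],
}

# Constructed sample assertion (signature omitted; verify it before trusting any attribute).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>everyone</saml:AttributeValue>
      <saml:AttributeValue>soc-tier1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def map_user(assertion_xml, attribute_map=DEFAULT_ATTRIBUTE_MAP, role_map=EXAMPLE_ROLE_MAP):
    """Resolve email, name and USM Anywhere role; a missing or unmapped role becomes Read Only."""
    attrs = extract_attributes(assertion_xml)
    vendor_roles = set(attrs.get(attribute_map["role"], []))
    # The page does not say which role wins when several match; this example
    # (an assumption) takes the first match in role_map's insertion order.
    role = next((usm for usm, vendor in role_map.items() if vendor_roles & set(vendor)), "Read Only")
    first = lambda key: (attrs.get(attribute_map[key]) or [None])[0]
    return {"email": first("email"), "name": first("name"), "role": role}
```

Passing a different `attribute_map` is the equivalent of entering your vendor's own attribute names in the SAML Mapping dialog; with the defaults, an assertion that sends the roles under another name is treated as having no role at all.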


Example of how to configure Okta

This section explains how to create a SAML 2.0 application in Okta to integrate with the BYO SSO service in USM Anywhere.

Instructions

Follow these steps to create a new app in Okta:

1. Log in to Okta as an Admin, go to the Admin UI and navigate to Applications.

2. Click "Create App Integration" and select the SAML 2.0 option.

3. Specify a name and, if you want, add a logo image.

4. Click Next. Fill in the following fields with a placeholder (e.g. https://google.es). Later you will replace them with the values that USM Anywhere shows for the SSO configuration.

  1. Single sign-on URL

  2. Audience URI (SP Entity ID)

5. Add the attribute statements that USM Anywhere uses by default (email, fullName and roles, as listed under SAML Mapping above), or the names you configured in SAML Mapping.

6. Click Next and Finish.

7. Go to the Sign On tab and click the View SAML setup instructions button on the right.

8. Copy the URL information and the public certificate.

9. Go to the USM Anywhere instance and create a new SSO configuration. Use the information from the previous step to create the configuration.

10. Click Save and click the View icon to get the information to fill in Okta.

11. Back in the General tab, click Edit in SAML Settings. Click Next and fill in the fields with the information from the previous step.

12. (OPTIONAL) Click Show Advanced Settings. Set the Assertion Encryption field to Encrypted and upload a file with the certificate in the Encryption Certificate field. Use the certificate shown in the View dialog on the SSO page of your USM Anywhere instance.

13. Click Next and Finish.

14. Go to the Assignments tab and assign the app to the desired users.
