Any IdP SAML (QUX)
Quadrant UX SAML Deployment Guides
Vectra supports the SAML 2.0 standard and has tested, supports, and provides specific configuration guidance for Azure AD, Okta, Ping, and ADFS with the Quadrant UX. Other IdPs should work but are not officially supported. The following articles provide specific guidance for each of those supported IdPs for the Quadrant UX:
It may be useful for you to review the above articles to see how claim creation and role mapping work in other IdPs to gain insight into configuration for your IdP.
SAML 2.0-based Single Sign-On to the Vectra Platform
Customers can set up SSO federation to a SAML 2.0-based identity provider.
Once federated, users who are already authenticated to the IdP will be logged in to the Quadrant UX automatically.
Unauthenticated users will get redirected to their IdP’s login portal.
Features like password policies and multi-factor authentication will be enforced by the IdP.
Once authenticated, users are assigned the application role defined in the IdP.
This will map to a role (and permissions) defined in the Quadrant UX.
SAML SSO Support for Detect - Notes of Interest
Local login using username/password is still supported after SAML configuration via a different URL, constructed as follows:
https://<ip_or_hostname>/accounts/login/?local=True
Please ensure that each user is mapped to only one Vectra role in the IdP.
If a user is mapped to more than one role, the user may not be assigned the preferred role.
This can cause HTTP 500 errors in the GUI when such users log in.
IdP-initiated flows are NOT supported.
While these flows may work, they are not recommended because they are highly susceptible to man-in-the-middle attacks using stolen SAML assertions.
Single Log Out (SLO) and IdP-initiated log out are not supported.
When a user logs out of the Detect UI, they are taken to a screen where they can log in locally or click a link to "Log in via SSO".
API keys are not supported for SAML users.
For API use, Vectra recommends local accounts authenticated locally or against external authentication sources such as RADIUS, LDAP, or TACACS+.
The SessionNotOnOrAfter SAML parameter is supported to invalidate user sessions and require a user to re-authenticate.
SAML Service Provider (SP) Initiated Flow
This example flow diagram uses Azure as the IdP, but SSO should work with any SAML 2.0-compliant IdP.
Please note that all communication is brokered by the User Agent (the user's browser). Vectra never needs to communicate directly with the IdP.

Steps to integrate a SAML 2.0-based IdP with Vectra
First, we'll need to create the SAML Authentication Profile.
Open a new browser tab, log in as you normally do, and navigate to Manage > External Authentication.
Click "Create" in the SAML Profiles section.

A dialog will open displaying the SP ACS URL and SP Entity Provider, which you will enter into the corresponding fields in the IdP.
The SP is the Service Provider (Vectra).

Some customer situations require hostname-based entries instead of IP-based entries for the SP ACS URL and SP Entity Provider. Vectra supports both. Which type is populated here is controlled by a setting in Settings > General > Brain in the Vectra Platform (Brain) UI:
If you have a configured DNS name for your platform and select the "DNS Name" radio button in the "For linking in alerts/notifications (except AWS SecurityHub)" section, the SP entries will be populated using the hostname instead of the IP.
Please also note that the "DNS Name" should be in lowercase here and anywhere it appears in your IdP.

IdP Configuration Guidance
The specific steps for configuration with your IdP differ from provider to provider.
Use the SP ACS URL and SP Entity Provider from the previous step to identify your Vectra platform as a Service Provider in your IdP.
Required claims that you will need to set up in your IdP:
PLEASE NOTE: The URLs below are the claim names that must be configured at your IdP.
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
This will need to be the username or email of the user that you wish to see in Vectra.
This NameID must be sent in the SAML Subject. Most IdPs do this by default, but some will need it to be explicitly configured.
https://schema.vectra.ai/role
This will be the standardized name of the Vectra role for the user.
Please note that only a single value is accepted for this claim. If multiple roles are sent, the first one Vectra sees will be assumed to be the correct role to map the user to.
Vectra will require the IdP metadata file in XML format.
It must include both the metadata and the X.509 format signing certificate.
Users and groups will need to be mapped to the Vectra standardized roles in your IdP.
Only map users and groups that you wish to have access to the Vectra UI.
To see the standardized role names in the Vectra UI, navigate to the Manage > Roles screen.
Click each role that your SAML users will be using and make note of the specific Standardized Name for each role.
For example, the Security Analyst role has a standardized name of "security_analyst".

Default standardized role names are as follows:
admins
read_only
restricted_admins
security_analyst
setting_admins
super_admins
Any custom roles that you define will have their own unique standardized role names that can be used as well.
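As an added example (not code from Vectra's guide or product), the following Python inspects a decoded, unencrypted SAML assertion for the two claims described above: it pulls the NameID from the Subject, collects every value sent under the role claim, and flags the multiple-role case the notes warn about, as well as role names that are not among the default standardized names or your own custom roles. The sample assertion is constructed; signature validation is out of scope for this check.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertion elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name under which Vectra expects the role (from the guide above).
ROLE_CLAIM = "https://schema.vectra.ai/role"
# Default standardized role names listed in the guide.
STANDARD_ROLES = {"admins", "read_only", "restricted_admins",
                  "security_analyst", "setting_admins", "super_admins"}


def check_assertion(xml_text, custom_roles=()):
    """Return (name_id, role, problems) for a decoded SAML assertion or Response.

    Only the claims a Vectra SAML profile depends on are inspected; the
    assertion's signature is not validated here."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one.
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return None, None, ["no saml:Assertion element found"]
    problems = []
    name_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_el.text or "").strip() if name_el is not None else ""
    if not name_id:
        problems.append("NameID missing from the SAML Subject")
    # Collect every value sent under the role claim; Vectra accepts exactly one.
    roles = [v.text.strip()
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
             if a.get("Name") == ROLE_CLAIM
             for v in a.findall("saml:AttributeValue", NS) if v.text]
    if len(roles) != 1:
        problems.append("expected exactly one role value, got %d: %s" % (len(roles), roles))
    role = roles[0] if roles else None  # first value, as Vectra would use it
    if role is not None and role not in STANDARD_ROLES | set(custom_roles):
        problems.append("unknown standardized role name: %r" % role)
    return name_id or None, role, problems


# Constructed sample (not captured from a real IdP): one user mapped to two roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>analyst@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://schema.vectra.ai/role">
      <saml:AttributeValue>security_analyst</saml:AttributeValue>
      <saml:AttributeValue>read_only</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running check_assertion(SAMPLE_ASSERTION) reports the duplicate role mapping while still showing which role Vectra would pick; pass the standardized names of your custom roles via custom_roles to accept them.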
Completing Configuration in the Vectra UI
After configuring the IdP and downloading the IdP metadata XML file, you can complete the configuration in the Vectra UI.
Click "Select a file" next to "Upload IDP Metadata XML File" in the "Create SAML Profile" window.
Fill in the "Profile Name" with "Azure AD" or any name you desire.
Click "Create".

Testing
Once configuration is complete on both the Service Provider (Vectra) and IdP sides, you can test SSO by simply browsing to your normal login URL for Vectra.
If you are already authenticated to your IdP and have a mapping to a standardized role that exists in Vectra, you should be logged in without any additional steps.
If you still need to authenticate to your IdP, you will be redirected to your IdP for authentication and then redirected back to Vectra.
Local login using username/password is still supported after SAML configuration via a different URL, constructed as follows:
https://<ip_or_hostname>/accounts/login/?local=True
For users not participating in SSO, please ensure they have this URL to log in to Vectra.
After login, you can see your status under My Profile.

If you have rights to the Manage > Users screen, you can see all user logins:
