
Any IdP SAML (QUX)

Enabling QUX (Quadrant UX) SAML SSO with any SAML 2.0 compliant Identity Provider (IdP).

Introduction

  • Customers can setup SSO federation to multiple SAML 2.0-based identity providers (IdP).

    • For most customers, only a single IdP is required.

  • Once federated, already authenticated users will have one-click login to the Vectra Quadrant UX.

  • Unauthenticated users will get redirected to their IdP’s login portal.

  • If multiple IdPs are configured, and the user is not already authenticated, the user will need to enter their email address so the domain name mapping can direct the user to the appropriate IdP.

  • Features like password policies and multi-factor authentication will be enforced by the IdP.

  • Once authenticated, users are assigned the Vectra role defined for their user or group in the IdP.

    • This will map to a role (and permissions) as defined in the Vectra Quadrant UX UI.

Multiple SAML Profile Support

Vectra now supports multiple SAML profiles in private preview. Not all customers will require this, and NO changes are required for existing single IdP SAML configurations. If you are interested in this feature prior to its planned general availability in the v9.10 release, please ask your Vectra account team.

Please Note:

  • Existing customers do NOT need to do anything if they will continue to only have a single SAML IdP configured.

  • Any new profile that is added, for new or existing customers, will now need to have a Domains list configured as part of the Vectra SAML profile.

  • If you add a 2nd profile to an existing deployment that did NOT have a Domains list configured previously, you MUST edit that existing profile to add the Domains mapping for that IdP.

  • Nothing changes on the IdP side of the configuration.

  • When multiple profiles are configured, users will be asked to enter their email address to be redirected to the appropriate IdP when they click Login with SSO on the Vectra login screen.

QUX SAML SSO - Notes of Interest

  • Please ensure the users are only mapped to one Vectra Role in the IdP.

    • At this time, if a user is mapped to more than 1 role in the IdP, the user may not successfully log in with the desired role.

  • IdP initiated flows are NOT supported.

    • While these flows may work, they are not recommended because they are highly susceptible to man-in-the-middle attacks using stolen SAML assertions.

  • The SessionNotOnOrAfter SAML parameter is supported to invalidate user sessions and require a user to re-authenticate.

  • Single Log Out (SLO) and IdP initiated log out are NOT supported.

    • When a user logs out of the Quadrant UX, they are taken to a screen where they can log in locally or click a link to Log in via SSO.

  • At this time, a user who successfully authenticates through their IdP to Vectra will have a session that is good for one day.

  • Local login is still possible after SAML configuration:

    • Construct a login URL as shown below.

    • https://<ip_or_hostname>/accounts/login/?local=True

  • API keys are not supported for SAML users.

    • For API use, Vectra recommends local accounts authenticated locally or against external authentication sources such as RADIUS, LDAP, or TACACS+.

  • Token Encryption is currently NOT supported.

SAML Service Provider (SP) Initiated Flow

  • This example flow diagram uses Azure as the IdP but SSO should work with any SAML 2.0 compliant IdP.

  • Please note that all communication is brokered by the User Agent (user's browser). Vectra never needs to communicate with the IdP.

Configuration

  • First we'll need to start creating the SAML Authentication Profile.

    • Additional profiles can be configured if multiple IdPs are required for your deployment.

  • Open a new browser tab, log in as you normally do, and navigate to Configuration → ACCESS → External Authentication.

  • Click on Create in the SAML Profiles section.

  • A dialog will open and the SP ACS URL and SP Entity Provider will be displayed there for entry into the corresponding fields in the IdP. Make note of these values for later use with your IdP. The SP is the Service Provider (your Vectra QUX deployment in this case).

Please Note:

  • Not every IdP uses the same terminology to refer to these fields.

  • As an example, in Entra ID, Vectra's SP Entity Provider URI should be used for the Azure Identifier (Entity ID) and Vectra's SP ACS URL should be used for the Azure Reply URL (Assertion Consumer Service URL).

  • Leave this tab in your browser open and proceed in another tab or window to your IdP configuration so that you can configure the IdP side and retrieve the required metadata XML file needed to complete the Vectra configuration.

Please Note:

If you want a hostname-based entry instead of IP-based entry for the SP ACS URL and SP Entity Provider, then you should:

  • Configure in Vectra the Brain FQDN, in Configuration → COVERAGE → Data Sources → Network → Brain Setup → Brain → DNS Name.

  • Check the DNS Name radio button for the For linking in alerts/notifications (except AWS SecurityHub) section.

  • This will populate the SP entries using hostname instead of IP.

Please Also Note:

The DNS Name should be in lowercase in this area and any place you see it in your IdP.

Configuration → COVERAGE → Data Sources → Network → Brain Setup → Brain

IdP Configuration Guidance

The specific steps for configuration with your IdP differ from provider to provider.

  • Use the SP ACS URL and SP Entity Provider from the previous step to identify your Vectra platform as a Service Provider in your IdP.

Required Claims that you will need to setup in your IdP:

Please Note:

The REQUIRED claim names to be configured at your IdP look like URLs but they are NOT URLs. Please enter the claim names exactly as shown below in your IdP.

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    • This will need to be the username or email of the user that you wish to see in Vectra.

    • This nameID must be sent in the SAML subject - most IdPs default to this configuration, but some will need it to be explicitly configured.

  • https://schema.vectra.ai/role

    • This will be the standardized name of the Vectra role for the user.

    • Please note that only a single value is accepted for this claim. If multiple roles are sent, the 1st one Vectra sees will be assumed to be the correct role to map the user to.
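The following is an added example, not Vectra's code or any part of the product, showing what the two required claims look like inside a SAML Response and how an SP applies the rules stated above: the NameID must travel in the Subject, the https://schema.vectra.ai/role attribute should carry one value (the first value is taken when it carries more), and SessionNotOnOrAfter bounds the session, falling back to the one-day session the page describes when the IdP sets no bound. The Response, its IDs, timestamps and user are constructed placeholders, and signature verification is left out on purpose; a real SP verifies the assertion signature against the IdP's metadata certificate before trusting any of these values.

```python
# Added example (not Vectra's code): parse the two required claims from a
# constructed SAML 2.0 Response and apply the page's stated rules. Signature
# verification is out of scope here; a real SP checks the signature against
# the certificate from the IdP metadata before it reads any claim.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "https://schema.vectra.ai/role"
DEFAULT_SESSION = timedelta(days=1)  # the page's stated session length when the IdP sets no bound

# Constructed, unsigned sample; IDs, times and the user are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" Version="2.0">
  <saml:Assertion ID="_assertion-1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@company.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z"
        SessionNotOnOrAfter="2024-01-01T10:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>user@company.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://schema.vectra.ai/role">
        <saml:AttributeValue>security_analyst</saml:AttributeValue>
        <saml:AttributeValue>read_only</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """Parse a SAML UTC timestamp such as 2024-01-01T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(xml_text):
    """Return the NameID, the role the SP would apply, surplus roles and the session bound."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    # The nameID has to travel in the Subject, not only as an attribute.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID missing from the SAML Subject")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    roles = attrs.get(ROLE_CLAIM, [])
    if not roles:
        raise ValueError(f"required claim {ROLE_CLAIM} is absent")
    authn = assertion.find("saml:AuthnStatement", NS)
    if authn is None or not authn.get("AuthnInstant"):
        raise ValueError("AuthnStatement with AuthnInstant is missing")
    authn_instant = _utc(authn.get("AuthnInstant"))
    explicit_end = authn.get("SessionNotOnOrAfter")
    session_end = _utc(explicit_end) if explicit_end else authn_instant + DEFAULT_SESSION
    return {
        "name_id": name_id.text.strip(),
        "name_claim": (attrs.get(NAME_CLAIM) or [None])[0],
        "role": roles[0],              # first value wins, as the guidance states
        "extra_roles": roles[1:],      # anything here means the IdP mapping needs fixing
        "session_ends": session_end.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def session_active(claims, now_utc):
    """True while the session bound computed by extract_claims() has not been reached."""
    return _utc(now_utc) < _utc(claims["session_ends"])
```

A non-empty `extra_roles` list is the condition the "only one Vectra role per user" note above is about: the SP still logs the user in with the first role, so the surplus values are worth surfacing in a log or an admin report rather than silently dropped.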

Additional IdP Guidance:

  • Vectra REQUIRES the IdP metadata file in XML format.

    • It must include both the metadata and the X.509 format signing certificate.

  • Users and Groups need to be mapped to the Vectra standardized roles in your IdP.

    • Only map users and groups that you wish to have access to the Vectra UI.

    • To see the standardized role names in the Vectra UI, navigate to the Configuration → ACCESS → Roles screen.

  • Click on each role that your SAML users will be using and make note of the specific Standardized Name for each role.

    • For example, the Security Analyst role has a Standardized name of security_analyst.

  • Default standardized role names are as follows:

    • admins

    • read_only

    • restricted_admins

    • security_analyst

    • setting_admins

    • super_admins

  • Any custom roles that you define will have their own unique standardized role names that can be used as well.

  • After IdP configuration and downloading the IdP Metadata XML file you can complete the configuration in the Vectra UI.

  • Click Select a file next to Upload IDP Metadata XML File in the Create SAML Profile window.

  • Fill in the Profile Name with a name.

  • Fill in the Domains field with the domains that should map to the SAML IdP you are configuring.

    • For example, if your username is user@company.com, then you would enter company.com.

    • When multiple SAML profiles are configured, users will enter an email address after clicking Login with SSO.

    • Based on the user input and mapped domains, the user will be redirected to the appropriate IdP for authentication and then redirected back to Vectra with a SAML assertion.

  • Click Create.
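Because the IdP metadata XML is the one artifact that must be right before the Create step above can succeed, here is an added pre-upload sanity check; it is not Vectra's code and says nothing about how the product itself validates the file. It checks the three things the guidance calls out: the file is IdP (not SP) metadata with an entityID, it carries an X.509 signing certificate that decodes to DER, and it advertises an HTTPS SingleSignOnService endpoint on the HTTP-Redirect or HTTP-POST binding that a browser-brokered SP-initiated flow uses. The sample metadata, its entityID, endpoint and the tiny placeholder certificate are all constructed.

```python
# Added example (not Vectra's code): sanity-check an IdP metadata XML file
# before uploading it. An empty 'problems' list means the file has the parts
# the guidance requires; it does not prove the IdP is correctly configured.
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed placeholder: a tiny DER SEQUENCE standing in for a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

# Constructed sample metadata; the entityID and endpoint are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return entity_id, signing_certs, sso_endpoints and a list of problems found."""
    result = {"entity_id": None, "signing_certs": 0, "sso_endpoints": [], "problems": []}
    problems = result["problems"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return result
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
        return result
    result["entity_id"] = root.get("entityID")
    if not result["entity_id"]:
        problems.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor; this may be SP metadata rather than IdP metadata")
        return result
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # drop PEM-style line wrapping
            try:
                der = base64.b64decode(body, validate=True)
            except binascii.Error:
                problems.append("signing certificate is not valid base64")
                continue
            if not der.startswith(b"\x30"):  # every DER X.509 certificate is a SEQUENCE
                problems.append("signing certificate does not decode to a DER SEQUENCE")
                continue
            result["signing_certs"] += 1
    if result["signing_certs"] == 0:
        problems.append("no usable X.509 signing certificate in IDPSSODescriptor")
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location", "")
        if binding not in SSO_BINDINGS:
            continue
        if not location.startswith("https://"):
            problems.append(f"SingleSignOnService location is not https: {location!r}")
        result["sso_endpoints"].append((binding, location))
    if not result["sso_endpoints"]:
        problems.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    return result
```

Run it over the metadata file your IdP exported (for example `check_idp_metadata(open("idp-metadata.xml").read())`); the most common finding in practice is an export that contains only an encryption KeyDescriptor, which the check reports as a missing signing certificate.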

Testing

  • Once configuration is complete on both the Service Provider (Vectra) and IdP side, you are ready to test SAML SSO to Vectra.

    • Keep in mind that only users and groups who are mapped to standardized Vectra role names in your IdP will succeed.

  • Click the Login with SSO button on the login page for your Vectra QUX deployment.

  • If you are already authenticated to your IdP, and have a mapping to a standardized role that exists in Vectra, you should be logged in without requiring any additional steps.

  • If you need to authenticate to your IdP, you will be asked for an email address when multiple profiles are configured, redirected to your IdP for authentication, and then redirected back to Vectra and presented the UI with your mapped role permissions applied.
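The Domains field described in the configuration steps and the email prompt described in this testing step are two views of the same mechanism, so here is one added example that models it; it is not Vectra's code, and the SamlProfile class, its field names and the sample profiles are assumptions made for illustration. Matching is on the exact domain after the @ sign, lowercased, following the page's company.com example (no subdomain or wildcard matching is assumed). It also flags the situation the Multiple SAML Profile Support notes warn about: a profile with no Domains list once a second profile exists, plus a domain claimed by two profiles, which the page does not discuss but which would make the redirect ambiguous.

```python
# Added example (not Vectra's code): route a user to the right SAML profile
# from the email address entered after "Login with SSO", and check the
# profile set for the misconfigurations that break that routing.

class SamlProfile:  # hypothetical model of one Vectra SAML profile
    def __init__(self, name, idp_entity_id, domains=()):
        self.name = name
        self.idp_entity_id = idp_entity_id  # entityID from the uploaded IdP metadata
        # The Domains list from the profile, normalised the way users type it.
        self.domains = {d.strip().lower() for d in domains if d.strip()}


def config_problems(profiles):
    """Return configuration problems; an empty list means routing is unambiguous."""
    problems = []
    if len(profiles) > 1:
        # With more than one profile every profile needs a Domains list, including
        # an older one created before multiple profiles were supported.
        for p in profiles:
            if not p.domains:
                problems.append(f"profile {p.name!r} has no Domains list")
    owner = {}
    for p in profiles:
        for d in p.domains:
            if d in owner and owner[d] != p.name:
                problems.append(f"domain {d!r} is mapped to both {owner[d]!r} and {p.name!r}")
            owner.setdefault(d, p.name)
    return problems


def needs_email_prompt(profiles):
    """Only a multi-profile deployment asks the user for an email before redirecting."""
    return len(profiles) > 1


def route(profiles, email):
    """Return the profile whose Domains list covers the email's domain, or None."""
    if len(profiles) == 1:
        return profiles[0]  # single IdP: no prompt, straight to that IdP
    if not email or email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    if not domain:
        return None
    for p in profiles:
        if domain in p.domains:
            return p
    return None  # unmapped domain: the user cannot be sent to any IdP


# Constructed sample profiles; names and entity IDs are placeholders.
CORP = SamlProfile("Corp IdP", "https://idp-a.example/metadata", ["Company.com"])
PARTNER = SamlProfile("Partner IdP", "https://idp-b.example/metadata", ["partner.example"])
LEGACY = SamlProfile("Legacy IdP", "https://idp-c.example/metadata")  # created before Domains existed
```

The `route()` result for an unmapped domain is `None` rather than a default profile on purpose: silently falling back to some IdP would let a typo in the Domains list send users to the wrong provider, and it is better for the login screen to report that the domain is not configured.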

Please Note:

After SAML configuration, local login using username/password is still supported via a different URL constructed as follows:

  • https://<ip_or_hostname>/accounts/login/?local=True

  • For users not participating in SSO, please ensure they have this new URL to login to Vectra.

  • After login, you can see your status under My Profile.

  • If you have rights to the Configuration → ACCESS → Users screen, you can see all user logins.

    • SAML users are shown with a SAML: prefix.

    • SAML users are not locally defined in your Vectra deployment; they exist in the IdP, and the SAML configuration allows them to log in to your Vectra deployment.
