Entra ID (Azure AD) SAML (RUX)
Please note!!
This article is ONLY for customers using Vectra's Respond UX (RUX) to configure SAML SSO with Azure AD.
If you are configuring Azure AD SAML for the Quadrant UX, please see Setup SAML SSO for Azure AD (Quadrant UX) instead of this article.
While similar, there are some differences in the implementation for customers using the Quadrant UX. The Respond UX requires different SAML claims than the Quadrant UX when setting up SAML . If you are unsure which UX you are using, please see: Vectra Analyst User Experiences (Respond vs Quadrant) for more information.
Multiple SAML Profile Support
Vectra now supports multiple SAML profiles. Not all customers will require this, and NO changes are required for existing single IdP SAML configurations.
Please note:
Existing customers do NOT need to do anything if they will continue to only have a single SAML IdP configured.
Any new profile that is added, for new or existing customers, will now need to have a "Domains" list configured as part of the Vectra SAML profile.
If you add a 2nd profile to an existing deployment that did NOT have a "Domains" list configured previously, you MUST edit that existing profile to add the domains that should be mapped for that IdP.
Nothing changes on the IdP side of the configuration.
When multiple profiles are configured, users will be asked to enter their email address to be redirected to the appropriate IdP when they click "Login with SSO" on the Vectra login screen.
SAML 2.0-based Single Sign-On to the Respond UX
Customers can setup SSO federation to multiple SAML 2.0-based identity providers (IdP).
For most customers, only a single IdP is required.
Once federated, already authenticated users will have one-click login in to the Vectra Respond UX.
If multiple IdPs are configured, and the user is not already authenticated, the user will need to enter their email address so the domain name mapping can direct the user to the appropriate IdP.
Features like password policies and multi-factor authentication will be enforced by the IdP.
Once authenticated, users are assigned the Vectra role defined for their user or group in the IdP.
This will map to a role (and permissions) as defined in the Vectra UI.
SAML SSO Support for the Respond UX - Notes of Interest
Please ensure the users are only mapped to one Vectra Role in the IdP.
At this time, if a user is mapped to more than 1 role in the IdP, the user may not successfully log in with the desired role.
IdP initiated flows are NOT supported.
While these flows may work, they are not recommended because they are highly susceptible to Man-in-the-Middle attack using stolen SAML assertions.
Single Log Out (SLO) and IdP initiated log out are not supported.
When a user logs out of the Respond UX, they are taken to a screen where they can log in locally or click a link to "Log in via SSO".
At this time, a user who successfully authenticates through their IdP to Vectra will have a session that is good for one day.
Local user login that bypasses the SAML flow is still available by adding "/signIn?local=True" to the end of your Respond UX login URL.
An example looks like this: https://[unique_customer_id].uw2.portal.vectra.ai/signIn?local=True
If you are publishing the URLs of applications used in your environment on a dedicated app/page - you can publish the URL associated with the "Login with SSO" link instead to ensure users always use this path
Token Encryption is currently NOT supported
SAML Service Provider (SP) Initiated Flow
This example flow diagram uses Azure as the IdP but SSO should work with any SAML 2.0 compliant IdP.
Please note that all communication that is associated with the SAML login process is brokered by the User Agent (user's browser). Vectra never needs to communicate with the IdP during authentication.
Vectra does communicate with the IdP to retrieve the required federation metadata during configuration and refreshes that metadata periodically to ensure new certificates are ingested from the IdP when expiration is near.
Begin Configuration in Vectra UI
First we'll need to create the SAML Authentication Profile.
Additional profiles can be configured if multiple IdPs are required for your deployment.
Open a new browser tab and log in as you normally do and navigate to Configuration > Access > External Authentication.
Click on “Create” in the SAML Profiles section.
A dialog will open and the SP ACS URL and SP Entity Provider will be displayed there for entry into the corresponding fields in the IdP. Make note of these values for later use with your IdP.
The SP is the Service Provider (Vectra SaaS)
Please Note!
Not every IdP uses the same terminology to refer to these fields.
As an example, in Azure AD Vectra's "SP Entity Provider" URI should be used for the Azure "Identifier (Entity ID)" and Vectra's "SP ACS URL" should be used for the Azure "Reply URL (Assertion Consumer Service URL)".
Leave this tab in your browser open and proceed in another tab or window to your IdP configuration so that you can retrieve the IdP Metadata URL needed to complete the Vectra SaaS configuration.
Configuring the Azure AD Application for Vectra SaaS
Select “Enterprise applications” from AzureAD.
Click the "+ New application" button.
Click the "+ Create your own application" button (this is not a Gallery application).
Give it a name like "Vectra SSO" or any name you desire.
Use the "Integrate any other application you don't find in the gallery option".
Click "Create" at the bottom of the dialog.
Select “Single sign-on" from left or "Set up single sign on" from the Getting Started section.
Select “SAML” from the single sign-on method list.
"Edit" the Basic SAML configuration in the newly created Azure application.
Vectra's "SP Entity Provider" URI should be used for the Azure "Identifier (Entity ID)".
Vectra's "SP ACS URL" should be used for the Azure "Reply URL (Assertion Consumer Service URL)".
The rest of the Basic SAML Configuration can be left blank.
Click the "Save" button at the top of the Basic SAML Configuration window.
After this is saved, you can close the window. You will be asked if you want to test now. Select "No, I'll test later".
If you are still in your app and the SAML Single Sign-On area, scroll down to box 3 (SAML Signing Certificate).
If not Go to "Enterprise Applications" in the Azure AD portal, find and select your app you have configured for SAML use, in the Manage section, select Single sign-on to open the Single sign-on pane, in the SAML Signing Certificate section, find the App Federation Metadata Url.
The "App Federation Metadata URL" will need to be copied from here for use in the Vectra UI to complete the configuration.
Configure the Role Claims in Azure AD
As per SAML 2.0 SSO using any IdP for Vectra SaaS the following claims will need to be configured in Azure AD:
emailaddress- Can be mapped to "user.mail" in Azure AD.This will need to be email address of the user that you will allow into Vectra SaaS.
name- Can be mapped to "user.displayname" in Azure AD.The display name of the user you wish to map.
role- Can be mapped to "user.assignedroles" in Azure AD.This will be the standardized name of the Vectra SaaS role for the user.
Please note that only a single value is accepted for this value. If multiple roles are sent, the 1st one Vectra sees will be assumed to be the correct role to map the user to.
These claims must be named exactly as you see in bold above.
These claims must not have a Namespace assigned. The default one must be removed.
As an example we will configure the the "user.assignedroles" claim below.
Configure the other claims in a similar manner.
In you Azure AD tab, select "Edit" in section 2 "User Attributes & Claims".
Select "Add a new claim".
Please note that the any default claims that MS has included are NOT required for Vectra.
The only claims that Vectra requires are the "emailaddress", "name", and "role" claims that were mentioned previously.
Enter "role" in the "Name" section.
For “Source attribute”, select “user.assignedroles”.
Save the claim.
When done, you should have a set of claims that contains at least the required claims shown above:
Next we will "App roles" in your newly created App
In the Azure AD Admin Center
Select "Azure Active Directory"
Select "App Registrations"
Select "All Applications"
Select your newly created application
Select "App roles" from the sidebar
Back in your Vectra tab, navigate to the Configuration > Access > Roles screen
Click on each role that your SAML users will be using and make note of the specific Standardized Name for each role
For example, the Security Analyst role has a Standardized name of "security_analyst"
Back in the Azure AD App roles tab, add a new entry for each role in Vectra
If you see default roles from Microsoft of "User" and "msiam_access" these can be ignored
Create new App roles using the "+ Create app role" button for each role that you will have users or groups assigned to in Vectra
Be sure to use the Standardized Name for the "value" field that you collected previously
The "Display name" and "Description" can be anything that you want to refer to inside the IdP for the Detect roles you will be assigning to your users
Assign Users and Groups to Roles in your Azure AD Application
In the Azure Active Directory pane, select Enterprise applications from the Azure Active Directory left-hand navigation menu.
Select All applications to view a list of all your applications.
Select your newly create Vectra SaaS SAML application.
Select the "Users and groups" from the sidebar or "Assign users and groups" from the panes.
Select the "+ Add user" button.
Add a user.
Choose a role that you just added to the Manifest
The users and groups you have configured will show as below
Completing Configuration in the Respond UX
After Azure AD IdP configuration and copying the IdP Metadata URL you can complete the configuration back in the Respond UX.
Switch back to the browser tab or window with your Respond UX.
Paste the IdP Metadata URL into the "Create SAML Profile" dialog box.
Fill in the "Profile Name" with a name of your choice.
Fill in the "Domains" field with the domains that should map to the SAML IdP you are configuring.
When multiple SAML profiles are configured, users will enter an email address after clicking "Login with SSO".
Based on the user input and mapped domains, the user will be redirected to the appropriate IdP for authentication and then redirected back to Vectra with a SAML assertion.
Click "Create".
Your SAML profile is now complete and will show in the Respond UX. Clicking on it will show the details similar to the below (this will vary by vendor and details provided).
As you can see above, the Profile Name and Domains list can be edited for profiles that have already been configured.
You can click the "View" link on a profile in the SAML Profiles list in your UI to get back to this screen.
Testing
Once configuration is complete on both the Service Provider (Vectra) and IdP side, you are ready to test SAML SSO to Vectra.
Keep in mind that only users and groups who are mapped to standardized Vectra role names in your IdP will succeed.
Click the "Login with SSO" button on the login page for your Vectra SaaS tenant.
If you are already authenticated to your IdP, and have a mapping to a standardized role that exists in Vectra, you should be logged in without requiring any additional steps.
If you are need to authenticate to your IdP, you will be asked for a email address when multiple profiles are configured and redirected to your IdP for authentication and then redirected back to Vectra and presented the UI mapped role permissions applied.
Attachments
Last updated
Was this helpful?