
Entra ID (Azure AD) SAML (RUX)

Enabling RUX (Respond UX) SAML SSO with Entra ID (Azure AD) as the Identity Provider (IdP).

Introduction

  • Customers can set up SSO federation to multiple SAML 2.0-based identity providers (IdPs).

    • For most customers, only a single IdP is required.

  • Once federated, users who are already authenticated to their IdP will have one-click login to the Vectra Respond UX.

    • If multiple IdPs are configured, and the user is not already authenticated, the user will need to enter their email address so the domain name mapping can direct the user to the appropriate IdP.

  • Features like password policies and multi-factor authentication will be enforced by the IdP.

  • Once authenticated, users are assigned the Vectra role defined for their user or group in the IdP.

    • This will map to a role (and permissions) as defined in the Vectra UI.

Multiple SAML Profile Support

Vectra now supports multiple SAML profiles. Not all customers will require this, and NO changes are required for existing single IdP SAML configurations.

Please Note:

  • Existing customers do NOT need to do anything if they will continue to only have a single SAML IdP configured.

  • Any new profile that is added, for new or existing customers, will now need to have a Domains list configured as part of the Vectra SAML profile.

  • If you add a 2nd profile to an existing deployment that did NOT have a Domains list configured previously, you MUST edit that existing profile to add the Domains mapping for that IdP.

  • Nothing changes on the IdP side of the configuration.

  • When multiple profiles are configured, users will be asked to enter their email address to be redirected to the appropriate IdP when they click Login with SSO on the Vectra login screen.
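The email-domain routing described above, as an added example that is not part of Vectra's documentation or product code: it keeps a list of SAML profiles with their Domains lists, validates the set the way the notes above require (every profile needs a Domains list once there is more than one, and no domain may belong to two profiles), and picks the profile for the address a user types after clicking Login with SSO. Profile names, metadata URLs, domains and email addresses are constructed sample values, and exact domain matching (no automatic subdomain coverage) is an assumption of this example.

```python
# Added example, not Vectra's code. Profiles, domains and emails are constructed.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SamlProfile:
    name: str
    idp_metadata_url: str             # the IdP's federation metadata URL
    domains: list[str] = field(default_factory=list)


class ProfileConfigError(ValueError):
    """Raised when the set of SAML profiles cannot route logins unambiguously."""


def normalize_domain(domain: str) -> str:
    # DNS names are case-insensitive; tolerate a pasted "@domain" and stray spaces.
    return domain.strip().lstrip("@").lower()


def build_domain_map(profiles: list[SamlProfile]) -> dict[str, SamlProfile]:
    """Validate the profiles and return domain -> profile.

    Encodes the page's rules: with more than one profile every profile needs a
    Domains list (including one created before the feature existed), and no two
    profiles may claim the same domain, or the redirect would be ambiguous.
    """
    domain_map: dict[str, SamlProfile] = {}
    for profile in profiles:
        if len(profiles) > 1 and not profile.domains:
            raise ProfileConfigError(f"profile '{profile.name}' has no Domains list")
        for raw in profile.domains:
            domain = normalize_domain(raw)
            if not domain or "@" in domain or " " in domain:
                raise ProfileConfigError(f"invalid domain '{raw}' in profile '{profile.name}'")
            owner = domain_map.get(domain)
            if owner is not None and owner is not profile:
                raise ProfileConfigError(
                    f"domain '{domain}' is claimed by '{owner.name}' and '{profile.name}'")
            domain_map[domain] = profile
    return domain_map


def route_login(email: str, profiles: list[SamlProfile]) -> SamlProfile | None:
    """Choose the IdP for a "Login with SSO" click; None means no profile covers the domain."""
    if len(profiles) == 1:
        return profiles[0]          # single profile: no email prompt, straight to the IdP
    local_part, at, domain = email.strip().rpartition("@")
    if not at or not local_part or not domain:
        return None                 # not an email address; nothing to map
    # Exact match only: subdomains must be listed explicitly (assumption, see lead-in).
    return build_domain_map(profiles).get(normalize_domain(domain))


# Constructed sample configuration: two profiles, two organisations.
PROFILES = [
    SamlProfile("Entra ID (corp)", "https://idp-a.example/FederationMetadata.xml",
                ["corp.example", "Mail.Corp.Example"]),
    SamlProfile("Second IdP (subsidiary)", "https://idp-b.example/metadata",
                ["subsidiary.example"]),
]

if __name__ == "__main__":
    for addr in ("Alice@Corp.Example", "bob@subsidiary.example", "eve@unknown.example"):
        hit = route_login(addr, PROFILES)
        print(addr, "->", hit.name if hit else "no matching profile")
```

Running `build_domain_map` at configuration time, rather than only at login, is the useful part: a second profile added without a Domains list, or a domain typed into two profiles, is caught before any user sees a failed redirect.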

RUX SAML SSO - Notes of Interest

  • Please ensure the users are only mapped to one Vectra Role in the IdP.

    • At this time, if a user is mapped to more than 1 role in the IdP, the user may not successfully log in with the desired role.

  • IdP initiated flows are NOT supported.

    • While these flows may work, they are not recommended because they are highly susceptible to a Man-in-the-Middle attack using stolen SAML assertions.

  • Single Log Out (SLO) and IdP initiated log out are NOT supported.

    • When a user logs out of the Respond UX, they are taken to a screen where they can log in locally or click a link to Log in via SSO.

  • At this time, a user who successfully authenticates through their IdP to Vectra will have a session that is good for one day.

  • Local user login that bypasses the SAML flow is still available by adding /signIn?local=True to the end of your Respond UX login URL.

    • Example: https://[unique_customer_id].uw2.portal.vectra.ai/signIn?local=True

    • If you are publishing the URLs of applications used in your environment on a dedicated app/page, you can publish the URL associated with the Login with SSO link to ensure users always use this path.

  • Token Encryption is currently NOT supported.

SAML Service Provider (SP) Initiated Flow

  • Please note that all communication that is associated with the SAML login process is brokered by the User Agent (user's browser). Vectra never needs to communicate with the IdP during authentication.

    • Vectra does communicate with the IdP to retrieve the required federation metadata during configuration and refreshes that metadata periodically to ensure new certificates are ingested from the IdP when expiration is near.

Create SAML Profile in Vectra

  • First we'll need to create the SAML Authentication Profile.

    • Additional profiles can be configured if multiple IdPs are required for your deployment.

  • Open a new browser tab and log in as you normally do and navigate to Configuration → ACCESS → External Authentication.

  • Click on Create in the SAML Profiles section.

  • A dialog will open and the SP ACS URL and SP Entity Provider will be displayed there for entry into the corresponding fields in the IdP. Make note of these values for later use with your IdP.

    • The SP is the Service Provider (Vectra SaaS)

Please Note:

  • Not every IdP uses the same terminology to refer to these fields.

  • As an example, in Entra ID, Vectra's SP Entity Provider URI should be used for the Azure Identifier (Entity ID) and Vectra's SP ACS URL should be used for the Azure Reply URL (Assertion Consumer Service URL).

  • Leave this tab in your browser open and proceed in another tab or window to your IdP configuration so that you can retrieve the IdP Metadata URL needed to complete the Vectra SaaS configuration.

Configuring the Azure AD Application for Vectra SaaS

  • Select Enterprise applications from AzureAD.

  • Click the + New application button.

  • Click the + Create your own application button (this is not a Gallery application).

  • Give it a name like Vectra SSO or any name you desire.

  • Use the Integrate any other application you don't find in the gallery option.

  • Click Create at the bottom of the dialog.

  • Select Single sign-on from the left or Set up single sign on from the Getting Started section.

  • Select SAML from the single sign-on method list.

  • Edit the Basic SAML configuration in the newly created Azure application.

  • Vectra's SP Entity Provider URI should be used for the Azure Identifier (Entity ID).

  • Vectra's SP ACS URL should be used for the Azure Reply URL (Assertion Consumer Service URL).

  • The rest of the Basic SAML Configuration can be left blank.

  • Click the Save button at the top of the Basic SAML Configuration window.

  • After this is saved, you can close the window. You will be asked if you want to test now. Select No, I'll test later.

  • If you are still in your app and the SAML Single Sign-On area, scroll down to box 3 (SAML Signing Certificate).

    • If not, go to Enterprise Applications in the Azure AD portal, find and select the app you configured for SAML use, and in the Manage section select Single sign-on to open the Single sign-on pane. In the SAML Signing Certificate section, find the App Federation Metadata Url.

  • The App Federation Metadata URL will need to be copied from here for use in the Vectra UI to complete the configuration.

Configure the Role Claims in Azure AD

  • As per SAML 2.0 SSO using any IdP for Vectra SaaS, the following claims need to be configured in Azure AD:

    • emailaddress - Can be mapped to user.mail in Entra ID.

      • This will need to be the email address of the user that you will allow into Vectra SaaS.

    • name - Can be mapped to user.displayname in Entra ID.

      • The display name of the user you wish to map.

    • role - Can be mapped to user.assignedroles in Entra ID.

      • This will be the standardized name of the Vectra SaaS role for the user.

      • Please note that only a single value is accepted for this claim. If multiple roles are sent, the first one Vectra sees will be assumed to be the correct role to map the user to.

    • These claims must be named exactly as shown above (emailaddress, name, role).

  • As an example, we will configure the user.assignedroles claim below.

    • Configure the other claims in a similar manner.

  • In your Azure AD tab, select Edit in section 2, User Attributes & Claims.

  • Select Add a new claim.

Please note that any default claims that MS has included are NOT required for Vectra.

  • The only claims that Vectra requires are the emailaddress, name, and role claims that were mentioned previously.

  • Enter role in the Name section.

  • For Source attribute, select user.assignedroles.

  • Save the claim.

When done, you should have a set of claims that contains at least the required claims shown above:

  • Next we will configure App roles in your newly created App.

  • In the Azure AD Admin Center.

  • Select Azure Active Directory.

  • Select App Registrations.

  • Select All Applications.

  • Select your newly created application.

  • Select App roles from the sidebar.

  • Back in your Vectra tab, navigate to the Configuration → ACCESS → Roles screen.

  • Click on each role that your SAML users will be using and make note of the specific Standardized Name for each role.

    • For example, the Security Analyst role has a Standardized name of security_analyst.

  • Default app roles are included as an attachment below.

  • Back in the Azure AD App roles tab, add a new entry for each role in Vectra.

  • If you see default roles from Microsoft of User and msiam_access these can be ignored.

  • Create new App roles using the + Create app role button for each role that you will have users or groups assigned to in Vectra.

  • Be sure to use the Standardized Name for the Value field that you collected previously.

  • The Display name and Description can be anything that you want to refer to inside the IdP for the Detect roles you will be assigning to your users.
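To see how the three required claims and the Standardized Name come together at login, here is an added example that is not Vectra's code: it parses a constructed SAML assertion, checks that the claim names match exactly (a claim named Role, or the full URI form, is flagged as a near miss), applies the first-role rule the claims section describes while warning about users mapped to more than one role, and rejects a role value that is not a Standardized Name. It assumes the claims arrive as SAML Attribute elements whose Name is the bare emailaddress, name or role, and KNOWN_ROLES is a placeholder standing in for the Standardized Names you collected from Configuration → ACCESS → Roles (only security_analyst comes from the page).

```python
# Added example, not Vectra's code. Sample assertion and role set are constructed.
from __future__ import annotations

import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("emailaddress", "name", "role")

# Assumption: Standardized Names of the Vectra roles in this tenant.
# security_analyst comes from the page; the second entry is a placeholder.
KNOWN_ROLES = {"security_analyst", "placeholder_role"}

# Constructed sample: an Entra ID-style assertion for a user assigned two app roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example/constructed-issuer</saml:Issuer>
  <saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailaddress">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="name">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>security_analyst</saml:AttributeValue>
      <saml:AttributeValue>placeholder_role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_claims(assertion_xml: str) -> dict[str, list[str]]:
    """Return Attribute Name -> list of AttributeValue texts found in the assertion."""
    # Only the attribute statement is read here. A real SP verifies the XML signature
    # and uses a hardened XML parser before trusting any of these values.
    root = ET.fromstring(assertion_xml)
    claims: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        claims[name] = values
    return claims


def map_user(claims: dict[str, list[str]], known_roles: set[str] = KNOWN_ROLES) -> dict:
    """Apply the page's rules: exact claim names, one role, role must be a Standardized Name."""
    problems = []
    for required in REQUIRED_CLAIMS:
        if not claims.get(required):
            problems.append(f"missing required claim '{required}'")
    # Near misses (Role, or a URI ending in /role) are the usual cause of a missing claim.
    for name in claims:
        short = name.rsplit("/", 1)[-1].lower()
        if name not in REQUIRED_CLAIMS and short in REQUIRED_CLAIMS:
            problems.append(f"claim '{name}' is not an exact match; name it '{short}'")
    if problems:
        return {"ok": False, "problems": problems}

    roles = claims["role"]
    role = roles[0]  # page: if several roles are sent, the first one Vectra sees is used
    warnings = []
    if len(roles) > 1:
        warnings.append(f"user is mapped to {len(roles)} roles {roles}; only '{role}' applies, "
                        "fix the assignment in the IdP so exactly one role is sent")
    if role not in known_roles:
        return {"ok": False, "problems": [f"role '{role}' is not a Standardized Name in Vectra"]}
    return {"ok": True, "email": claims["emailaddress"][0], "display_name": claims["name"][0],
            "role": role, "warnings": warnings}


if __name__ == "__main__":
    print(map_user(parse_claims(SAMPLE_ASSERTION)))
```

The warning path is the one worth watching in practice: a user who belongs to two groups that each carry a Vectra app role will log in with whichever role Entra ID lists first, which is exactly the situation the notes above tell you to avoid.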

Assign Users and Groups to Roles in your Entra ID Application

  • In the Entra ID Directory pane, select Enterprise applications from the left-hand navigation menu.

  • Select All applications to view a list of all your applications.

  • Select your newly created Vectra SaaS SAML application.

  • Select Users and groups from the sidebar or Assign users and groups from the panes.

  • Select the + Add user button.

  • Add a user.

  • Choose a role that you just added to the Manifest.

  • The users and groups you have configured will show as below.

Completing Configuration in the Respond UX

  • After IdP configuration and copying the IdP Metadata URL you can complete the configuration back in the Respond UX.

  • Switch back to the browser tab or window with your Respond UX.

  • Paste the IdP Metadata URL into the Create SAML Profile dialog box.

  • Fill in the Profile Name with a name of your choice.

  • Fill in the Domains field with the domains that should map to the SAML IdP you are configuring.

    • When multiple SAML profiles are configured, users will enter an email address after clicking Login with SSO.

    • Based on the user input and mapped domains, the user will be redirected to the appropriate IdP for authentication and then redirected back to Vectra with a SAML assertion.

  • Click Create.

  • Your SAML profile is now complete and will show in the Respond UX. Clicking on it will show the details similar to the below (this will vary by vendor and details provided).

  • As you can see above, the Profile Name and Domains list can be edited for profiles that have already been configured.

    • You can click the View link on a profile in the SAML Profiles list in your UI to get back to this screen.

Testing

  • Once configuration is complete on both the Service Provider (Vectra) and IdP side, you are ready to test SAML SSO to Vectra.

    • Keep in mind that only users and groups who are mapped to standardized Vectra role names in your IdP will succeed.

  • Click the Login with SSO button on the login page for your Vectra tenant.

  • If you are already authenticated to your IdP, and have a mapping to a standardized role that exists in Vectra, you should be logged in without requiring any additional steps.

  • If you still need to authenticate to your IdP, you will be asked for an email address (when multiple profiles are configured), redirected to your IdP for authentication, and then redirected back to Vectra with the permissions of your mapped role applied.
