How do I enable Single Sign On (SSO)?

This document provides an overview of SAML-based SSO using ThreatWorx. It describes what information is needed to enable SAML-based SSO and the steps involved. You need to work with ThreatWorx Support to enable SAML-based SSO for your ThreatWorx instance.

ThreatWorx supports Single Sign On (SSO) using Security Assertion Markup Language (SAML). ThreatWorx acts as a Service Provider (SP) and integrates with your Identity Provider (IDP). In a nutshell, the SAML flow involves the SP sending a SAML Authentication Request to your IDP. The IDP responds with a SAML Assertion that specifies details about the authenticated user.

ThreatWorx Support will share details about the SP SAML Metadata with you. You will need to share your IDP SAML Metadata with ThreatWorx Support as part of configuring SAML.

ThreatWorx expects the following details in the SAML Assertion:

  • SAML Subject specified with “NameIDFormat” as “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”
  • First Name (optional) – used while provisioning the user in ThreatWorx
  • Last Name (optional) – used while provisioning the user in ThreatWorx
  • Groups – required to assign the “Admin” or “Discoverer” role to users in ThreatWorx.
    • Admin Group Name – if the user is a member of this group, the user is assigned the “Admin” role in ThreatWorx
    • Discoverer Group Name – if the user is a member of this group, the user is assigned the “Discoverer” role in ThreatWorx

You need to share the names of the following attributes in the SAML Assertion from your IDP with ThreatWorx Support:

  • Name of “First Name” attribute (optional)
  • Name of “Last Name” attribute (optional)
  • Name of “Groups” attribute
    • Admin Group Name
    • Discoverer Group Name
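
A pre-flight check you can run on a decoded test assertion from your IDP before sharing attribute names with ThreatWorx Support. This is an added example, not ThreatWorx code: the attribute names (firstName, lastName, groups), the group names (tw-admins, tw-discoverers) and the exact-match comparison are assumptions, and the script inspects content only without verifying the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed names: replace with the attribute and group names your IDP emits.
ATTR = {"first": "firstName", "last": "lastName", "groups": "groups"}
ROLE_GROUPS = {"tw-admins": "Admin", "tw-discoverers": "Discoverer"}

# Constructed sample assertion (unsigned, trimmed to the parts checked here).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue>
      <saml:AttributeValue>tw-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return (summary, problems) for one decoded SAML assertion."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing Subject/NameID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    # Collect every attribute as name -> list of values (groups are multi-valued).
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    groups = attrs.get(ATTR["groups"], [])
    roles = sorted({ROLE_GROUPS[g] for g in groups if g in ROLE_GROUPS})
    if not roles:
        problems.append("no Admin or Discoverer group in groups attribute")
    summary = {
        "email": name_id.text.strip() if name_id is not None and name_id.text else None,
        "first": (attrs.get(ATTR["first"]) or [None])[0],  # optional
        "last": (attrs.get(ATTR["last"]) or [None])[0],    # optional
        "roles": roles,
    }
    return summary, problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```

An empty problems list means the assertion carries the email-format subject and at least one of the two role groups; a user in both groups is reported with both roles, since this document does not state a precedence.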

The ThreatWorx Support team works closely with the customer to enable SAML-based SSO.