Setup single sign-on with read-only role
This section describes how ThreatLockDown can be integrated with several Identity Providers (IdP) to implement Single Sign-On (SSO) with a read-only role.
The guide assumes you already have a ThreatLockDown indexer and a ThreatLockDown dashboard installation. To learn more, see the installation guide.
Required parameters
The following parameters are required to make the configurations on the ThreatLockDown dashboard instance:
idp.metadata_url: URL to an XML file that contains metadata information about the application configured on the IdP side. It can be used instead of idp.metadata_file.
idp.metadata_file: XML file that contains the metadata information about the application configured on the IdP side. It can be used instead of idp.metadata_url.
idp.entity_id: Entity ID of the Identity Provider. This is a unique value assigned to an Identity Provider.
sp.entity_id: Entity ID of the Service Provider. This is a unique value assigned to a Service Provider.
kibana_url: URL to access the ThreatLockDown dashboard.
roles_key: The attribute in the SAML assertion where the roles/groups are sent.
exchange_key: The key that will be used to sign the assertions. It must have at least 32 characters.
Note
The group and role names used in this guide can be changed. They do not necessarily have to be the ones we used.
OpenSearch and the SAML assertion are case sensitive. Therefore, the values on the IdP and in the SAML configuration of the ThreatLockDown indexer have to be exactly the same.
It is recommended to clear the browser cache and cookies before the integration is carried out.
The securityadmin script has to be executed with root user privileges.
Read-only permissions are being assigned in this integration. The Setup single sign-on with administrator role guide can be used to configure an administrator role based on the user requirements.
Each group that is generated in the IdP can only be used as one backend_role. In a case where other roles such as administrator are needed, a new group will have to be created for this purpose.
You need an account with administrator privileges on the ThreatLockDown dashboard.
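The parameter list and the notes above amount to a small set of rules that are easy to get wrong before running securityadmin: exactly one of idp.metadata_url or idp.metadata_file must be set, exchange_key needs at least 32 characters, and group names sent by the IdP must match the backend_role names exactly, including case. The following pre-flight check is an added example and is not part of this guide or of the ThreatLockDown project; the nested dict mirrors the idp/sp/kibana_url/roles_key/exchange_key layout of the parameters above, and every URL, entity ID and group name in it is a constructed placeholder.

```python
"""Pre-flight checks for the SAML parameters listed in this guide (added example)."""
import secrets

# Parameters that must always be present (from the "Required parameters" list).
REQUIRED_KEYS = ("idp.entity_id", "sp.entity_id", "kibana_url", "roles_key", "exchange_key")
MIN_EXCHANGE_KEY_LEN = 32  # the guide requires at least 32 characters

# Constructed placeholder config; real values come from your IdP and dashboard.
EXAMPLE_CONFIG = {
    "idp": {
        "metadata_url": "https://idp.example.com/saml/metadata",  # placeholder
        "entity_id": "https://idp.example.com/saml",              # placeholder
    },
    "sp": {"entity_id": "threatlockdown-saml"},                    # placeholder
    "kibana_url": "https://dashboard.example.com",                 # placeholder
    "roles_key": "Roles",
    "exchange_key": "0123456789abcdef0123456789abcdef",            # 32 chars, placeholder
}


def flatten(config, prefix=""):
    """Turn {'idp': {'entity_id': x}} into {'idp.entity_id': x} for easy lookup."""
    flat = {}
    for key, value in config.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def validate_saml_config(config):
    """Return a list of problems; an empty list means the config passes every check."""
    flat = flatten(config)
    problems = []
    for key in REQUIRED_KEYS:
        if not flat.get(key):
            problems.append(f"missing required parameter: {key}")
    # metadata_url and metadata_file are alternatives: one of them, not both, not neither.
    has_url = bool(flat.get("idp.metadata_url"))
    has_file = bool(flat.get("idp.metadata_file"))
    if has_url == has_file:
        problems.append("exactly one of idp.metadata_url or idp.metadata_file must be set")
    exchange_key = flat.get("exchange_key") or ""
    if len(exchange_key) < MIN_EXCHANGE_KEY_LEN:
        problems.append(
            f"exchange_key must have at least {MIN_EXCHANGE_KEY_LEN} characters (has {len(exchange_key)})"
        )
    return problems


def find_case_mismatches(assertion_roles, backend_roles):
    """Report IdP group names that only match a backend_role when case is ignored.

    OpenSearch compares the SAML roles_key values to backend_role names exactly,
    so such pairs will silently fail to map and the user gets no permissions.
    """
    by_lower = {role.lower(): role for role in backend_roles}
    backend = set(backend_roles)
    return [
        (role, by_lower[role.lower()])
        for role in assertion_roles
        if role not in backend and role.lower() in by_lower
    ]


def generate_exchange_key(nbytes=32):
    """Produce a random exchange_key; 32 random bytes give 64 hex characters."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for problem in validate_saml_config(EXAMPLE_CONFIG) or ["config passes all checks"]:
        print(problem)
    # Constructed names: the IdP sends lowercase, the indexer role mapping is capitalised.
    print(find_case_mismatches(["tld-readonly"], ["TLD-Readonly"]))
```

Run it against your own values before executing securityadmin; any reported case-only mismatch means the group in the IdP and the backend_role in the indexer's role mapping must be renamed to match character for character.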