Configure SAML provider

This article describes how to configure a SAML provider.
If you are using Okta, read Configure Okta in Google Security Operations SOAR first.
If you are using Google Workspace, read SAML configuration for Google Workspace first.
If you are using Azure, read SAML configuration for Azure first.

The platform supports Google Workspace, Okta, and Azure, and also lets you configure your own custom SAML provider. This can be an existing solution like Centrify, or a company-specific solution.

Google Security Operations SOAR supports a wide variety of authentication options provided by SAML, including 2-factor authentication (2FA).
The application uses the default STS (security token service) of .NET Core. Google Security Operations SOAR uses this library for token authentication against the identity provider, and uses only the nameID property from the tokens.

The following steps should be taken to configure the provider:

  • Configure SAML provider
  • Configure users and invite them to Google Security Operations SOAR

Configure SAML provider

To configure the SAML Provider:

  1. Navigate to Settings > Advanced > External Authentication.
  2. Fill out the fields as detailed in the following table.
    | Field | Description |
    |---|---|
    | Provider name | The name of the provider. |
    | IDP Metadata | SAML metadata used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). If you use a certificate, set WantAuthnRequestsSigned="true" in the XML. If you are not using a certificate, set it to false. |
    | Identifier | The service provider identifier in the SAML provider. Different providers use different names for this field. For example, it is called Entity ID in Google Workspace. |
    | ACS URL | The Google Security Operations SOAR server name. Can be an IP URL, Host Name URL, or Local Host URL. To log in with SAML, users have to connect to the platform with the same URL pattern configured in this field. The URI must contain the IP address of the Google Security Operations SOAR server followed by /saml2. |
    | Provider public certificate | The certificate is optional. It can be uploaded as necessary for custom providers. |
    | Unsolicited Response (also known as IdP-Initiated response) | Enables SAML users to enter the Google Security Operations SOAR platform directly from their SAML identity provider application. For example, if your company is using Okta, you can configure it so that users can enter Google Security Operations SOAR through the Okta application. The option to use Unsolicited Response is available only when there is one SAML provider configured in the platform. |
    | Auto-redirect | With auto-redirect enabled, users who are not logged in are automatically redirected to the IdP to log in. To force a user to log in to the platform directly while auto-redirect is enabled, add autoExternalLogin=false to the URL, for example, https://example.com/#/login?autoExternalLogin=false. |
    | Enable just-in time user provisioning | When a user logs in for the first time using SAML, the user is created automatically in Google Security Operations SOAR. For more information, see What is just-in-time user provisioning. |
  3. Click Save in the top right corner.
  4. To make sure the connection is working as expected, click Test.
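
The following pre-flight check is an added example, not part of the product or of the original article. It verifies that WantAuthnRequestsSigned in the IdP metadata matches whether a certificate is used and that the ACS URL ends in /saml2, before the values are pasted into the form. The function name, the uses_certificate flag, the sample metadata, and the 192.0.2.10 address are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata (not from a real IdP); keys and endpoints omitted.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def check_saml_settings(metadata_xml, uses_certificate, acs_url):
    """Return a list of problems; an empty list means the inputs follow the table."""
    # Metadata never needs a DTD; refuse it rather than risk entity-expansion tricks.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        return ["metadata declares a DTD or entity; refusing to parse"]
    try:
        root = ET.fromstring(metadata_xml)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]

    problems = []
    # iter() also matches the root, so a bare IDPSSODescriptor document works too.
    idp = next(root.iter(f"{{{MD_NS}}}IDPSSODescriptor"), None)
    expected = "true" if uses_certificate else "false"
    if idp is None:
        problems.append("no IDPSSODescriptor element found")
    else:
        raw = idp.get("WantAuthnRequestsSigned")
        # xs:boolean also allows 1 and 0; normalise before comparing.
        bools = {"true": "true", "1": "true", "false": "false", "0": "false"}
        actual = bools.get((raw or "").strip())
        if actual != expected:
            problems.append(f'WantAuthnRequestsSigned is {raw!r}; set it to "{expected}"')

    url = urlparse(acs_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("ACS URL must be an absolute http(s) URL")
    elif not url.path.rstrip("/").endswith("/saml2"):
        problems.append("ACS URL must be the server address followed by /saml2")
    return problems

if __name__ == "__main__":
    for issue in check_saml_settings(SAMPLE_METADATA, True, "https://192.0.2.10/login"):
        print("FAIL:", issue)
```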

Configure users

The next stage is to add users that can access the platform through the new SAML provider that you just created.

To add and configure users, follow these steps:

  1. Navigate to Settings > Organization > User Management.
  2. Click .
  3. For User type, select Google Workspace Provider.
  4. Configure the rest of the fields as needed.
  5. Click Add. The user appears in the list of users with the Google Workspace icon.

Change SAML providers

To change SAML providers in the Google Security Operations SOAR platform (Admin only):

  1. Change SAML Provider in Settings > Advanced > External Authentication.
  2. Navigate to Settings > Organization > User Management.
  3. Double-click on a user in the list that you want to change the SAML Provider for.
  4. Choose the new SAML Provider from the User Type drop-down field.