Provision, authenticate, and map users in the Google SecOps platform

This article shows you how to provision, authenticate, and map users with secure identification to the Google Security Operations platform. This page illustrates the configuration process using Google Workspace as the external IdP. The process is similar in other external IdPs.

Set up SAML attributes for provisioning

First, you need to set up the SAML attributes and the SAML groups in the external identity provider (IdP).


  1. Navigate to the SAML attribute mapping section of the SecOps SAML app in Google Workspace.
  2. Add the following four mandatory attributes. The attribute names must match, character for character, the names referenced later in the workforce pool provider's attribute mapping (for example, `first_name` must be emitted by the IdP under exactly that name):
    • first_name
    • last_name
    • user_email
    • groups
  3. In the Google Groups section, enter the names of the IdP groups that should be passed in the `groups` attribute. For example, Chronicle Admins or Gcp-security-admins. Make a note of these group names exactly as written; you need them later for mapping in the Google Security Operations platform, and the mapping matches on the literal group name. (In other external providers, such as Okta, this is referred to as IdP Groups.)

Set up IdP provisioning

Follow the instructions under Configure the IdP as well as the instructions under workforce identity federation.

Below is the workforce pool provider creation command for the app configuration discussed in Step 6 in Configure workforce identity federation. Replace WORKFORCE_PROVIDER_ID and WORKFORCE_POOL_ID with the provider ID you are creating and the ID of the existing workforce pool, and point --idp-metadata-path at the metadata XML downloaded from the IdP. Note that the single-valued SAML attributes are indexed with [0] to take their first value, while groups is mapped as a whole list so that every group the IdP asserts reaches google.groups:

gcloud iam workforce-pools providers create-saml WORKFORCE_PROVIDER_ID \
  --workforce-pool=WORKFORCE_POOL_ID \
  --location="global" \
  --display-name="Display Name" \
  --description="Description" \
  --idp-metadata-path=GoogleIDPMetadata.xml \
  --attribute-mapping="google.subject=assertion.subject,attribute.first_name=assertion.attributes.first_name[0],attribute.last_name=assertion.attributes.last_name[0],attribute.user_email=assertion.attributes.user_email[0],google.groups=assertion.attributes.groups"
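The following is an added example, not code from the Google SecOps documentation or from Google Cloud: it shows how the --attribute-mapping string above resolves against a SAML assertion. The assertion is constructed for illustration, and the evaluator is a small hand-written stand-in for the CEL engine that workforce identity federation actually uses (it supports only the expression forms the mapping above needs, and treats a reference to an absent attribute as a mapping failure, which is how a rejected exchange surfaces in practice). The user, group and attribute values are made up.

```python
"""Added example (not from the Google SecOps docs): simulate how the
--attribute-mapping CEL expressions resolve against a SAML assertion.
The evaluator below is a hand-written stand-in for the real CEL engine and
only understands the expression forms used in the article's mapping."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML assertion, trimmed to the parts the mapping reads.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user_email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Chronicle Admins</saml:AttributeValue>
      <saml:AttributeValue>Gcp-security-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The mapping string exactly as passed to gcloud in the article.
ATTRIBUTE_MAPPING = (
    "google.subject=assertion.subject,"
    "attribute.first_name=assertion.attributes.first_name[0],"
    "attribute.last_name=assertion.attributes.last_name[0],"
    "attribute.user_email=assertion.attributes.user_email[0],"
    "google.groups=assertion.attributes.groups"
)


def parse_assertion(xml_text):
    """Return (subject NameID, {attribute name: [values...]}) from a SAML 2.0 assertion.
    Every attribute is kept as a list: SAML attributes are multi-valued."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
    return subject, attrs


# Matches `assertion.attributes.NAME` and `assertion.attributes.NAME[INDEX]`.
_EXPR = re.compile(r"^assertion\.attributes\.(\w+)(?:\[(\d+)\])?$")


def evaluate_mapping(mapping, subject, attrs):
    """Apply each target=expression pair of the mapping.

    Raises KeyError (attribute missing) or IndexError (index out of range) when
    the assertion lacks something the mapping references; in that case the
    federation exchange fails and no token is issued (modelled as an exception)."""
    out = {}
    for pair in mapping.split(","):
        target, expr = pair.split("=", 1)
        if expr == "assertion.subject":
            out[target] = subject
            continue
        m = _EXPR.match(expr)
        if not m:
            raise ValueError(f"unsupported expression in this stand-in: {expr}")
        name, idx = m.group(1), m.group(2)
        values = attrs[name]  # KeyError if the IdP did not send this attribute
        # [0] takes the first value; no index keeps the whole list (needed for groups).
        out[target] = values[int(idx)] if idx is not None else list(values)
    return out


def map_sample():
    """Resolve the constructed assertion with the article's mapping."""
    return evaluate_mapping(ATTRIBUTE_MAPPING, *parse_assertion(SAMPLE_ASSERTION))


def missing_groups_fails():
    """Same assertion with the mandatory groups attribute removed: mapping must fail."""
    subject, attrs = parse_assertion(SAMPLE_ASSERTION)
    attrs.pop("groups")
    try:
        evaluate_mapping(ATTRIBUTE_MAPPING, subject, attrs)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    for target, value in map_sample().items():
        print(f"{target} = {value!r}")
    print("mapping fails without groups:", missing_groups_fails())
```

The point worth checking in your own IdP is the last line of the mapping: google.groups receives the list of every value the IdP put in the groups attribute, and those strings are what the IdP Group Mapping page later compares against, so a trailing space or a capitalisation difference in the Workspace group name silently leaves the user unmapped.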

Control User Access

In the SOAR settings of the unified Google Security Operations platform, there are several different ways to determine which users have access to which aspects of the platform.

  • Permission groups: Define permission groups per user type that determine which modules and submodules are visible or editable for those users. For example, you can set permissions such that a user sees Cases and the Workdesk but has no access to Playbooks and Settings. For more information, see Working with Permission Groups.
  • SOC roles: Define the role of a group of users. You can assign Cases, Actions, or Playbooks to a SOC role instead of a specific user. Users see cases that are assigned to them personally, to their role, or to one of their additional roles. For more information, see Working with Roles.
  • Environments: Set up environments to let enterprises manage different networks or business units within the same organization. Users only see data for the environments they have access to. For more information, see Adding an environment.

Map and Authenticate Users

The combination of Permission Groups, SOC Roles, and Environments defines the Google SecOps user journey for each IdP group in the Google SecOps platform.

You need to map each IdP group that you defined in the SAML settings procedure on the IdP Group Mapping page.

By default, the Google SecOps platform includes an IdP group of default admins.

To map IdP groups, follow these steps:

  1. In the Google Security Operations platform, navigate to Settings > SOAR Settings > Advanced > IdP Group Mapping.
  2. Make sure you have the names of the IdP groups at hand, spelled exactly as the IdP emits them in the groups attribute.
  3. Click Add and map the parameters (permission group, SOC role, and environments) for each IdP group.
  4. When you have finished, click Save. When each user logs in to the platform, they are automatically added to the User Management page (located in Settings > Organization).

A user may attempt to log in while their IdP group has not yet been mapped in the platform. To avoid rejecting such users, enable and configure the Default Access Settings on the same page; the access they grant applies to every user who is not in a mapped group, so keep them minimal. Note that each IdP user must belong to a single mapped IdP group; membership in more than one mapped group does not resolve to a defined access level.
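The following is an added example and not code from the Google SecOps platform: a small model of the rule the IdP Group Mapping page and the Default Access Settings imply, combined with the case-visibility rules from the Control User Access section above (cases assigned to the user, their SOC role, or an additional role, within environments they can access). The IdP group names follow the article; the permission groups, roles, environments, users and cases are constructed, and the exact data structures are assumptions, not the platform's own.

```python
"""Added example, not Google SecOps code: model how a user's SAML groups resolve
to an access profile via IdP Group Mapping and Default Access Settings, and how
that profile then gates which cases the user sees. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    permission_group: str       # which modules are visible/editable
    soc_role: str               # primary SOC role
    additional_roles: tuple     # further roles whose cases the user also sees
    environments: tuple         # environments whose data the user may see


@dataclass(frozen=True)
class Case:
    case_id: int
    environment: str
    assignee: str               # a user email or a SOC role name


# Constructed IdP Group Mapping table (Settings > SOAR Settings > Advanced > IdP Group Mapping).
IDP_GROUP_MAPPING = {
    "Chronicle Admins": Access("Admins", "Tier 3", ("Tier 2", "Tier 1"), ("prod", "corp")),
    "Gcp-security-admins": Access("Analysts", "Tier 1", (), ("corp",)),
}

# Constructed Default Access Settings; passing None models the setting being disabled.
DEFAULT_ACCESS = Access("Read Only", "Tier 1", (), ("corp",))


class AccessError(Exception):
    """Raised when a login cannot be resolved to exactly one access profile."""


def resolve_access(asserted_groups, mapping=IDP_GROUP_MAPPING, default=None):
    """Resolve the SAML `groups` values of a logging-in user to an Access.

    Rules modelled from the article:
      * exactly one mapped group            -> that group's access
      * no mapped group, default disabled   -> login rejected
      * no mapped group, default enabled    -> default access
      * more than one mapped group          -> rejected; the platform expects a
        user to belong to a single mapped IdP group, so the result is ambiguous
    """
    matched = [g for g in asserted_groups if g in mapping]
    if len(matched) > 1:
        raise AccessError(f"user is in more than one mapped IdP group: {matched}")
    if not matched:
        if default is None:
            raise AccessError("no mapped IdP group and Default Access is disabled")
        return default
    return mapping[matched[0]]


def is_rejected(asserted_groups, default=None):
    """True if resolve_access would refuse this login."""
    try:
        resolve_access(asserted_groups, default=default)
    except AccessError:
        return True
    return False


def visible_cases(user_email, access, cases):
    """Case IDs the user sees: assigned to them, to their SOC role, or to one of
    their additional roles, and only in environments they have access to."""
    mine = {user_email, access.soc_role, *access.additional_roles}
    return sorted(
        c.case_id for c in cases
        if c.assignee in mine and c.environment in access.environments
    )


# Constructed sample cases.
CASES = [
    Case(1, "prod", "Tier 3"),
    Case(2, "corp", "Tier 1"),
    Case(3, "corp", "alice@example.com"),
    Case(4, "prod", "Tier 1"),          # prod: hidden from corp-only users even if role matches
    Case(5, "corp", "bob@example.com"),
]


def demo():
    """Resolve two constructed users and list what each can see."""
    alice = resolve_access(["Chronicle Admins", "Everyone"])
    bob = resolve_access(["Gcp-security-admins"])
    return {
        "alice": visible_cases("alice@example.com", alice, CASES),
        "bob": visible_cases("bob@example.com", bob, CASES),
    }


if __name__ == "__main__":
    print(demo())
    print("unmapped, default off ->", "rejected" if is_rejected(["Everyone"]) else "allowed")
    print("unmapped, default on  ->", resolve_access(["Everyone"], default=DEFAULT_ACCESS))
```

Two behaviours are worth noticing when you configure the real thing: with Default Access disabled, any user whose IdP groups contain none of the mapped names is turned away at login, and with it enabled they all land on the same default profile, which is why that profile should carry the least access you can live with; and a user in two mapped groups is treated as an error here rather than silently taking the first match, because the article requires a single mapped group per user.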