Map users in the Google SecOps platform using IdPs
This document shows you how to provision, authenticate, and map users with secure identification to the Google Security Operations platform. It outlines the configuration process with Google Workspace as the external IdP, though the steps are similar for other IdPs. For customers who use Cloud Identity Provider, the configuration process uses email groups instead of IdP groups. See Map users in the Google SecOps platform using Cloud Identity.
Set up SAML attributes for provisioning
To set up SAML attributes and groups in the external IdP, do the following:
- Go to the SAML Attributes mapping section in Google Workspace.
- Add the following mandatory attributes:
  - first_name
  - last_name
  - user_email
  - groups
- In the Google Groups section, enter the IdP group names, for example, Chronicle administrators or Gcp-security-admins. Make a note of these group names; you need them later for mapping in the Google SecOps platform. (In other external providers, such as Okta, this is referred to as IdP Groups.)
Set up IdP provisioning
To set up IdP provisioning, follow the steps in Configure the IdP and the instructions in Create a workforce identity provider.
The following example is the workforce pool creation command for the app configuration described in Configure workforce identity federation:
```
gcloud iam workforce-pools providers create-saml WORKFORCE_PROVIDER_ID \
  --workforce-pool=WORKFORCE_POOL_ID \
  --location="global" \
  --display-name=WORKFORCE_PROVIDER_DISPLAY_NAME \
  --description=WORKFORCE_PROVIDER_DESCRIPTION \
  --idp-metadata-path=PATH_TO_METADATA_XML \
  --attribute-mapping="google.subject=assertion.subject,attribute.first_name=assertion.attributes.first_name[0],attribute.last_name=assertion.attributes.last_name[0],attribute.user_email=assertion.attributes.user_email[0],google.groups=assertion.attributes.groups"
```
Control user access
There are multiple ways to manage user access to different aspects of the platform:
- Permission groups: Set user access levels by assigning users to specific permission groups. These groups determine which modules and submodules users can view or edit. For example, a user might have access to the Cases and Workdesk pages, but be restricted from Playbooks and Settings. For more information, see Work with permission groups.
- SOC roles: Define the role of a group of users. You can assign users to SOC roles to streamline task management. Instead of assigning cases, actions, or playbooks to individuals, they can be assigned to a SOC role. Users can see cases assigned to them, their role, or additional roles. For more information, see Work with roles.
- Environments or environment groups: Configure environments or environment groups to segment data across different networks or business units, commonly used by businesses and Managed Security Service Providers (MSSPs). Users can only access data within the environments or groups assigned to them. For more information, see Add a new environment.
Map and authenticate users
The combination of permission groups, SOC roles, and environments determines the Google SecOps user journey for each IdP group in the Google SecOps platform.
- For customers who use a third-party provider, map each IdP group defined in the SAML settings on the IdP Group Mapping page.
- For customers who use Cloud Identity Provider, see Map users in the Google SecOps platform using Cloud Identity.
There are various options for mapping. You can choose to map IdP groups or emails with multiple permission groups, SOC roles, and environments. This ensures that different users mapped to different IdP groups in the SAML provider inherit all required permission levels. For more information, including how Google SecOps manages this, see Multiple permissions in IdP group mapping.
You can also choose to map IdP groups or emails to individual control access parameters. This enables a more granular level of mapping and can be helpful for large customers. For more information, see Map IdP groups to access control parameters.
By default, the Google SecOps platform includes an IdP group of default administrators.
To map IdP groups, follow these steps:
- In Google SecOps, go to Settings > SOAR Settings > Advanced > IdP Group Mapping.
- Make sure you have the names of the IdP groups available.
- Click Add and start mapping the parameters for each IdP group.
- Once you've finished, click Add. Each time a user signs in to the platform, they are automatically added to the User Management page, found under Settings > Organization.
When a user attempts to sign in to the Google SecOps platform but their IdP group hasn't been mapped, the sign-in is rejected. To avoid this, we recommend enabling the Default Access Settings on this page and setting administrator permissions there. After the initial administrator setup is complete, we suggest reducing the administrator permissions to a more minimal level.
Map IdP groups to access control parameters
This section describes how to map different IdP groups to one or more access control parameters within the IdP Group Mapping page. This approach is beneficial for customers who want to onboard and provision user groups based on specific customizations, rather than adhering to the standardization of the Google SecOps SOAR platform. While mapping groups to parameters may require you to create more groups initially, once the mapping is set, new users can join Google SecOps without the need to create additional groups.
For information about multiple permissions in group mapping, see Map users with multiple control access parameters.
Use Case: Assign unique permission fields to each IdP group
The following example illustrates how to use this feature to help onboard and provision users according to your company's needs.
Your company has three different personas:
- Security analysts (containing group members Sasha and Tal)
- SOC engineers (containing group members Quinn and Noam)
- NOC engineers (containing group members Kim and Kai)
See the following table:
| Persona | Permission Group | SOC Role | Environment |
|---|---|---|---|
| Security analysts | Analyst | Tier 1 | London |
| SOC engineers | Analyst | Tier 1 | Manchester |
| NOC engineers | Basic | Tier 2 | London |
For this example, assume that you already set up the necessary permission groups, SOC roles, and environments in Google SecOps.
Here is how you would set up the IdP groups in the SAML provider and in the Google SecOps platform:
- In your SAML provider, create the following user groups:
  - Security analysts (containing Sasha and Tal)
  - SOC engineers (containing Quinn and Noam)
  - NOC engineers (containing Kim and Kai)
  - London (containing Sasha, Tal, Kim and Kai)
  - Manchester (containing Quinn and Noam)
- In Google SecOps, go to Settings > SOAR Settings > Advanced > IdP Group Mapping.
- Click Add IdP Group.
- Fill out the dialog as follows: IdP Group = Security analysts, Permission Group = Analyst, SOC Role = Tier 1, Environment = leave blank.
- Fill out another dialog as follows: IdP Group = SOC engineers, Permission Group = Analyst, SOC Role = Tier 1, Environment = leave blank.
- Fill out another dialog as follows: IdP Group = NOC engineers, Permission Group = Basic, SOC Role = Tier 2, Environment = leave blank.
- Fill out another dialog as follows: IdP Group = London, Permission Group = leave blank, SOC Role = leave blank, Environment = London.
- Fill out another dialog as follows: IdP Group = Manchester, Permission Group = leave blank, SOC Role = leave blank, Environment = Manchester.
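The use case above and the mandatory SAML attributes from the first section, as an added Python model that is not part of this page or Google's code: it pulls the four required attributes out of a constructed SAML assertion the way the attribute mapping does (first value for scalars, the whole list for groups) and combines the IdP Group Mapping rows into a user's effective permission group, SOC role and environment. It assumes union semantics when several mapped groups apply and models the Default Access Settings fallback as a `default` argument; both are assumptions, not documented platform behaviour.

```python
import xml.etree.ElementTree as ET
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MANDATORY = ("first_name", "last_name", "user_email", "groups")  # attributes the page requires

# Constructed sample assertion for Sasha; only the AttributeStatement is modelled here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Sasha</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user_email"><saml:AttributeValue>sasha@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Security analysts</saml:AttributeValue>
      <saml:AttributeValue>London</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The IdP Group Mapping rows from the use case; fields left blank in the dialog are omitted.
GROUP_MAPPING = {
    "Security analysts": {"permission_group": "Analyst", "soc_role": "Tier 1"},
    "SOC engineers": {"permission_group": "Analyst", "soc_role": "Tier 1"},
    "NOC engineers": {"permission_group": "Basic", "soc_role": "Tier 2"},
    "London": {"environment": "London"},
    "Manchester": {"environment": "Manchester"},
}

def extract_attributes(assertion_xml):
    """Return {name: [values]}, like assertion.attributes in the mapping; fail if a mandatory one is absent."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    missing = [name for name in MANDATORY if not attrs.get(name)]
    if missing:  # an IdP that omits one of these cannot be mapped correctly
        raise ValueError("assertion lacks mandatory attribute(s): " + ", ".join(missing))
    return attrs

def resolve_access(groups, mapping=GROUP_MAPPING, default=None):
    """Union of every mapped row for the user's groups (assumed semantics); `default` models Default Access Settings."""
    rows = [mapping[g] for g in groups if g in mapping]
    if not rows:
        if default is None:  # no mapped group and no default access configured: sign-in is rejected
            raise PermissionError("no mapped IdP group and no default access configured")
        return {key: [value] for key, value in default.items()}
    access = {}
    for row in rows:
        for key, value in row.items():
            access.setdefault(key, set()).add(value)
    return {key: sorted(values) for key, values in access.items()}
```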
For customers using the Case Federation feature, see Case Federation for Google SecOps.