Chronicle SOAR authentication

This document describes the Chronicle SOAR single sign-on (SSO) system, which uses an Identity Provider (IdP). It also explains how to set up Google Workspace to support Chronicle SOAR SSO.

Set up Chronicle SOAR SSO

For information on how to set up federated authentication for Chronicle SOAR using an IdP, see here.

Log in to Chronicle using an IdP

To log in to Chronicle and Chronicle SOAR, follow these steps:

  1. Launch Chrome.

  2. Navigate to Chronicle.

    You are redirected to your IdP.

  3. Log in to your IdP.

  4. Your IdP redirects you to the Chronicle landing page.

  5. Conduct your analysis using Chronicle.

Log in to Chronicle SOAR

To navigate to Chronicle SOAR, follow these steps:

  1. From the Chronicle Application menu, click on either Cases or Playbooks under the SOAR sub-heading.

  2. Log in using your Chronicle SOAR access credentials.

  3. SSO does not request additional authentication, because you are already authenticated with your IdP.

  4. Conduct your analysis in Chronicle SOAR.

    You can now navigate back and forth between Chronicle and Chronicle SOAR.

Set up RBAC for Chronicle and Chronicle SOAR

To configure Role-Based Access Control (RBAC) for Chronicle SIEM and Chronicle SOAR, follow these steps:

  1. Create different groups for each role in your IdP. You can choose any name for these groups, for example:

    • SOC_Administrator
    • SOC_Editor
    • SOC_Viewer
    • SOC_ViewerWithNoDetectAccess
  2. Assign users to these groups based on their role.

  3. In Chronicle, map these groups to Chronicle Groups as shown below:

    • SOC_Administrator -> Administrator
    • SOC_Editor -> Editor
    • SOC_Viewer -> Viewer
    • SOC_ViewerWithNoDetectAccess -> ViewerWithNoDetectAccess
  4. Map the users individually in Chronicle SOAR as described here.
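
The following is an added example, not part of the original documentation or any Google code. Because step 3 maps IdP groups while step 4 maps users individually in Chronicle SOAR, the two lists can drift apart; this script compares them and reports users who hold more than one role group, who have a Chronicle role but no SOAR mapping, or who are mapped in SOAR without belonging to any mapped IdP group. The export formats, the `audit` function, and all sample data are assumptions constructed for illustration.

```python
# Added example: the data below is constructed; the export formats are assumptions.
GROUP_TO_ROLE = {
    "SOC_Administrator": "Administrator",
    "SOC_Editor": "Editor",
    "SOC_Viewer": "Viewer",
    "SOC_ViewerWithNoDetectAccess": "ViewerWithNoDetectAccess",
}

# Constructed sample: IdP group -> member e-mail addresses.
IDP_GROUPS = {
    "SOC_Administrator": ["alice@example.com"],
    "SOC_Editor": ["bob@example.com", "alice@example.com"],
    "SOC_Viewer": ["carol@example.com"],
    "SOC_ViewerWithNoDetectAccess": [],
    "Finance": ["dave@example.com"],  # not a mapped group, ignored
}

# Constructed sample: users mapped individually in Chronicle SOAR (step 4).
SOAR_USERS = ["alice@example.com", "bob@example.com", "erin@example.com"]


def audit(idp_groups, soar_users, group_to_role=GROUP_TO_ROLE):
    """Return RBAC findings from the two membership sources."""
    roles = {}  # user -> set of Chronicle roles granted via IdP groups
    for group, members in idp_groups.items():
        role = group_to_role.get(group)
        if role is None:
            continue  # group is not mapped to a Chronicle Group
        for user in members:
            roles.setdefault(user.lower(), set()).add(role)
    soar = {u.lower() for u in soar_users}
    return {
        # member of more than one role group: review against least privilege
        "multiple_roles": {u: sorted(r) for u, r in roles.items() if len(r) > 1},
        # has a Chronicle role through the IdP but no individual SOAR mapping
        "missing_in_soar": sorted(set(roles) - soar),
        # mapped in SOAR but in none of the mapped IdP groups (possible stale account)
        "not_in_idp_groups": sorted(soar - set(roles)),
    }


if __name__ == "__main__":
    for finding, value in audit(IDP_GROUPS, SOAR_USERS).items():
        print(f"{finding}: {value}")
```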