Chronicle SOAR authentication
This document describes the Chronicle SOAR single sign-on (SSO) system, which uses an Identity Provider (IdP). It also explains how to set up Google Workspace to support Chronicle SOAR SSO.
Set up Chronicle SOAR SSO
For information on how to set up federated authentication for Chronicle SOAR using an IdP, see here.
Log in to Chronicle using an IdP
To log in to Chronicle and Chronicle SOAR, follow these steps:
Navigate to Chronicle.
You are redirected to your IdP.
Log in to your IdP.
Your IdP redirects you to the Chronicle landing page.
Conduct your analysis using Chronicle.
Log in to Chronicle SOAR
To navigate to Chronicle SOAR, follow these steps:
From the Chronicle Application menu, click on either Cases or Playbooks under the SOAR sub-heading.
Log in using your Chronicle SOAR access credentials.
Because you are already authenticated with your IdP, SSO does not request an additional authentication.
Conduct your analysis in Chronicle SOAR.
You can now navigate back and forth between Chronicle and Chronicle SOAR.
Set up RBAC for Chronicle and Chronicle SOAR
To configure Role-Based Access Control (RBAC) for Chronicle SIEM and Chronicle SOAR, follow these steps:
Create different groups for each role in your IdP. You can choose any name for these groups, for example:
Assign users to these groups based on their role.
In Chronicle, map these groups to Chronicle Groups as shown below:
- SOC_Administrator -> Administrator
- SOC_Editor -> Editor
- SOC_Viewer -> Viewer
- SOC_ViewerWithNoDetectAccess -> ViewerWithNoDetectAccess
Map the users individually in Chronicle SOAR as described here.
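The group mapping above and the separate per-user mapping in Chronicle SOAR can drift apart over time. The following is an added example, not part of the original documentation or of any Chronicle tooling, that audits the two against each other; the export formats, user names and finding labels are assumptions, and only the group names come from the mapping list.

```python
from collections import defaultdict

# IdP group -> Chronicle group, as listed in the mapping above.
GROUP_MAP = {
    "SOC_Administrator": "Administrator",
    "SOC_Editor": "Editor",
    "SOC_Viewer": "Viewer",
    "SOC_ViewerWithNoDetectAccess": "ViewerWithNoDetectAccess",
}

# Constructed sample data (assumed export formats, not a Chronicle API).
IDP_ROWS = [
    ("alice@example.com", "SOC_Administrator"),
    ("bob@example.com", "SOC_Editor"),
    ("bob@example.com", "SOC_Administrator"),
    ("carol@example.com", "SOC_Viewer"),
    ("erin@example.com", "SOC_Viewr"),   # misspelled group name
    ("dave@example.com", "Helpdesk"),    # unrelated group, ignored
]
SOAR_USERS = {"alice@example.com", "bob@example.com", "frank@example.com"}


def audit(idp_rows, soar_users, group_map=GROUP_MAP, prefix="SOC_"):
    """Return (user -> Chronicle groups, sorted list of findings)."""
    soar = {u.strip().lower() for u in soar_users}
    roles = defaultdict(set)
    findings = set()
    for user, group in idp_rows:
        user = user.strip().lower()
        if group in group_map:
            roles[user].add(group_map[group])
        elif group.startswith(prefix):
            # Looks like a SOC group but maps to nothing in Chronicle.
            findings.add((user, "unmapped-group", group))
    for user, groups in roles.items():
        if len(groups) > 1:
            findings.add((user, "multiple-groups", ",".join(sorted(groups))))
        if user not in soar:
            findings.add((user, "missing-in-soar", ""))
    for user in soar:
        if user not in roles:
            # SOAR account with no mapped IdP group: candidate stale account.
            findings.add((user, "soar-without-idp-group", ""))
    return {u: sorted(g) for u, g in roles.items()}, sorted(findings)


if __name__ == "__main__":
    for user, kind, detail in audit(IDP_ROWS, SOAR_USERS)[1]:
        print(f"{kind:24} {user} {detail}")
```

Each finding is a prompt for review, not a statement of how Chronicle resolves the case; for example, a user in two mapped groups is reported without assuming which role takes effect.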