Single Sign On(SSO) - SAML Setup
  • 26 Jan 2023

Introduction

For customers wishing to implement single sign-on (SSO), Red Sentry supports it via Security Assertion Markup Language (SAML). SAML is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). In this setup your identity provider (Azure AD or Okta in the examples below) authenticates users, and Red Sentry is the service provider.

As shown above, the user signs in at the identity provider. The identity provider then issues a signed SAML assertion stating who the user is, and the user's browser posts that assertion to Red Sentry's assertion consumer service (ACS) URL. Red Sentry verifies the signature against the IdP certificate configured below and logs the user in; the user's password is never sent to Red Sentry.

Azure

Identity Provider Setup

To set up Azure as an identity provider, you must first create an enterprise application. Navigate to Azure Active Directory -> Enterprise applications as shown in the images below:

After clicking “Azure Active Directory”, click “Enterprise applications”.

Next, click “New application”.

After that, click “Create your own application”. Make sure to select the “Integrate any other application you don't find in the gallery” option, give the application a name, and click Create.

Before setting up SAML, assign the users (or groups) who should use Red Sentry to the application. Users who are not assigned to the application will not be able to sign in through it.

Then click “Single sign-on” and choose SAML to set up SAML authentication.

As shown in the image below, only two fields need to be filled in. The Reply URL (Assertion Consumer Service URL), which this article refers to as the SSO URL, should be https://blue-api.redsentry.com/saml/acs?team=TeamNameHere. Replace TeamNameHere with your team name; otherwise Red Sentry cannot match the assertion to your team and the login will fail. The Identifier (Entity ID), also called the audience URI or SP entity ID, should be https://blue-api.redsentry.com/ entered exactly as shown, trailing slash included, since audience values are compared as strings.

  • SSO URL (Reply URL / ACS URL)
    • https://blue-api.redsentry.com/saml/acs?team=TeamNameHere
  • SP Entity ID (Identifier / Audience URI)
    • https://blue-api.redsentry.com/

Also on the same page, configure the SAML attribute (claim) that carries the username to log in with. The attribute name must be exactly “username” and its value must be the user's email address (in Azure this is typically the user.mail source attribute).

Once the changes are saved, the next steps are on the Red Sentry side.

Red Sentry Setup

Once the IdP is set up you can configure Red Sentry. The values you need are on that same single sign-on page in Azure.

Copy the “Azure AD Identifier” into Red Sentry's “Entity ID” field, and the “Login URL” into the “SAML SSO” field.

Next, download the certificate. Use the Base64 download, not the Raw (binary DER) one, and open it in a text editor such as Notepad. When copying the IdP certificate into Red Sentry, DO NOT include the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines; copy only the base64-encoded body between them, as shown in the image below. This is the certificate Red Sentry uses to verify the signature on every assertion, so it must be the signing certificate of this application, and when Azure rotates it the new value has to be pasted into Red Sentry as well or logins will start failing.

After copying those settings, fill in the redirect URL. If you have a custom domain such as https://company.redsentry.com, use that; otherwise use https://app.redsentry.com.

Login

Now that everything is configured, the last step is to test the SSO login. This can be done in two ways. The first is the test button shown in the image below:

After pressing the test button you should be logged into Red Sentry. The second option is to go to your applications, as shown below:

Clicking the application brings you to Red Sentry. Once logged in you should see something like the image below:

If a user does not have an account on Red Sentry, one is created automatically on their first login. All SAML users have a username of the form “Email:TeamID:SAML”.

Okta

Identity provider Setup

This example shows how to get started with Okta as the identity provider. These steps are specific to Okta; every IdP has a slightly different setup. To do this we followed the following tutorial.

The first step is to log in to Okta, go to the Admin panel, and create an app integration as shown in the image below:

Select SAML 2.0 and click Next. Then name your application and click Next.

On the next page, make sure your team name is set in the team query parameter of the single sign-on URL, as shown in the image below:

As shown above, only two fields need to be filled in. The Single sign-on URL (Okta's name for the ACS URL) should be https://blue-api.redsentry.com/saml/acs?team=TeamNameHere. Replace TeamNameHere with your team name; otherwise Red Sentry cannot match the assertion to your team and the login will fail. The Audience URI (SP Entity ID) should be https://blue-api.redsentry.com/ entered exactly as shown, trailing slash included.

  • SSO URL (Single sign-on URL)
    • https://blue-api.redsentry.com/saml/acs?team=TeamNameHere
  • SP Entity ID (Audience URI)
    • https://blue-api.redsentry.com/

Also on the same page, under Attribute Statements, configure the SAML attribute that carries the username to log in with. The attribute name must be exactly “username” and its value must be the user's email address (user.email in Okta).
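Whether the IdP is Azure or Okta, the response that reaches Red Sentry has to carry the same three things configured above: the ACS URL with the team parameter as the bearer Recipient, the SP entity ID as the Audience, and a `username` attribute holding the email address. The following is an added example, not Red Sentry's code or the IdP's: it constructs such a response by hand (unsigned, with a made-up tenant ID, email address and timestamps) and applies the checks a service provider makes before it trusts those values, so a response captured with a browser SAML tracer can be compared against what the IdP was supposed to send. XML signature verification, which a real SP performs with the IdP certificate you paste into Red Sentry, is left out on purpose.

```python
"""Apply the checks a service provider makes before accepting a SAML response.
Added example, not Red Sentry code. SAMPLE_RESPONSE is constructed by hand and
unsigned; its tenant ID, e-mail address, IDs and timestamps are made up."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The two values this article has you enter at the IdP, and the attribute name.
ACS_URL = "https://blue-api.redsentry.com/saml/acs?team=TeamNameHere"
SP_ENTITY_ID = "https://blue-api.redsentry.com/"
USERNAME_ATTR = "username"

SAMPLE_NOW = datetime(2023, 1, 26, 10, 1, tzinfo=timezone.utc)  # "now" for the sample
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2023-01-26T10:00:00Z"
    Destination="https://blue-api.redsentry.com/saml/acs?team=TeamNameHere">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-26T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2023-01-26T10:05:00Z"
            Recipient="https://blue-api.redsentry.com/saml/acs?team=TeamNameHere"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-01-26T09:55:00Z" NotOnOrAfter="2023-01-26T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://blue-api.redsentry.com/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The same response with the wrong team in the ACS URL: the failure the article warns about.
WRONG_TEAM_RESPONSE = SAMPLE_RESPONSE.replace(b"team=TeamNameHere", b"team=OtherTeam")


def _saml_time(value):
    """SAML timestamps are UTC ISO 8601, optionally with fractional seconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def _same_acs(url, expected):
    """Scheme, host, path and the team parameter must match; parameter order may differ."""
    a, b = urlparse(url), urlparse(expected)
    return ((a.scheme, a.netloc, a.path) == (b.scheme, b.netloc, b.path)
            and parse_qs(a.query).get("team") == parse_qs(b.query).get("team"))


def check_response(xml_bytes, acs_url=ACS_URL, sp_entity_id=SP_ENTITY_ID, now=None):
    """Return the username the SP would sign in, or raise ValueError with the reason the
    response is rejected. Signature verification is deliberately omitted (see lead-in)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not return Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or not _same_acs(scd.get("Recipient", ""), acs_url):
        raise ValueError("Recipient does not match our ACS URL (wrong team parameter?)")
    if "NotOnOrAfter" in scd.attrib and now >= _saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if "NotBefore" in cond.attrib and now < _saml_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid (clock skew between IdP and SP?)")
    if "NotOnOrAfter" in cond.attrib and now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # exact string match, trailing slash included
        raise ValueError(f"Audience {audiences} does not contain {sp_entity_id!r}")
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == USERNAME_ATTR:
            value = (attr.findtext("saml:AttributeValue", "", NS) or "").strip()
            if "@" not in value:
                raise ValueError(f"{USERNAME_ATTR} attribute {value!r} is not an e-mail address")
            return value
    raise ValueError(f"no {USERNAME_ATTR!r} attribute: check the attribute/claim name at the IdP")


def rejection_reason(xml_bytes, **kwargs):
    """None if the response would be accepted, otherwise the reason it is rejected."""
    try:
        check_response(xml_bytes, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```

`check_response(SAMPLE_RESPONSE, now=SAMPLE_NOW)` returns `alice@example.com`; the same call on `WRONG_TEAM_RESPONSE` is rejected at the Recipient check, which is the symptom of leaving TeamNameHere unchanged or of a typo in the team name. To inspect a real response, base64-decode the SAMLResponse form field captured by the browser and pass the XML bytes in place of the sample; most rejections seen in practice are an Audience without the trailing slash, a claim named something other than `username`, or clock skew.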

Once that is done, the IdP is configured to work with Red Sentry. The last step is to add the corresponding settings in Red Sentry.

Red Sentry Setup

Once the IdP is set up you can configure Red Sentry. Go to Settings -> Single Sign On; you should see a form for entering the settings from your IdP.

Since we are using Okta, go back to the Okta application and click “View Setup Instructions”, as shown below:

That page lists all the settings needed: the identity provider single sign-on URL, the identity provider issuer, and the X.509 certificate. Copy them into Red Sentry, with the issuer going into the Entity ID field and the single sign-on URL into the SAML SSO field, as in the Azure section.

When copying the IdP certificate, DO NOT include the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines; copy only the base64-encoded body between them. As with Azure, this is the certificate Red Sentry uses to verify assertion signatures, so it must be updated in Red Sentry whenever the certificate is rotated in Okta.
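The certificate paste is where both the Azure and the Okta setup most often go wrong: armor lines left in, Windows line endings, Azure's Raw (binary DER) download opened in Notepad instead of the Base64 one, or a body cut short by the clipboard. The helper below is an added example, not Red Sentry's code: it turns whatever was downloaded into the single base64 line the form expects, rejects a paste whose DER length does not add up, and prints a SHA-256 thumbprint to compare with the IdP console. FAKE_DER and FAKE_PEM are constructed test input, not a real certificate, and the command-line file path in the usage stanza is an assumption.

```python
"""Turn the downloaded IdP certificate into the bare base64 body the Red Sentry
SSO form expects and sanity-check it. Added example, not Red Sentry code.
FAKE_DER / FAKE_PEM are constructed test input, not a real certificate."""
import base64
import binascii
import hashlib
import re

_ARMOR = re.compile(rb"-----(?:BEGIN|END) [A-Z ]*CERTIFICATE-----")


def _der_declared_length(der):
    """Total size a DER SEQUENCE claims for itself: tag + length octets + content."""
    if not der or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE; is this a certificate?")
    first = der[1]
    if first < 0x80:                # short form: the octet is the content length
        return 2 + first
    n = first & 0x7F                # long form: the next n octets hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_idp_certificate(data):
    """Accept the file as downloaded (PEM / 'Base64' with armor lines and any line
    endings, or a raw DER file) and return one base64 line with no armor.
    Truncated or corrupted pastes are rejected instead of silently accepted."""
    if data[:1] == b"\x30":         # raw DER (e.g. Azure's "Certificate (Raw)" download)
        der = data
    else:
        body = re.sub(rb"\s+", b"", _ARMOR.sub(b"", data))   # drop armor, CR/LF, spaces
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not valid base64 after removing the armor lines: {exc}") from exc
    declared = _der_declared_length(der)
    if declared != len(der):
        raise ValueError(f"DER length mismatch: declared {declared}, got {len(der)} (truncated paste?)")
    return base64.b64encode(der).decode("ascii")


def sha256_fingerprint(b64_body):
    """SHA-256 thumbprint of the DER bytes, to compare against the IdP console."""
    digest = hashlib.sha256(base64.b64decode(b64_body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed test input: SEQUENCE { OCTET STRING of 126 bytes }, 131 bytes in total,
# wrapped the way a PEM file downloaded on Windows would be (64-char lines, CRLF).
FAKE_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"B" * 126
_B64 = base64.b64encode(FAKE_DER)
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
            + b"\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
            + b"\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    import sys
    body = normalize_idp_certificate(open(sys.argv[1], "rb").read())  # path is an assumption
    print(body)
    print("SHA-256:", sha256_fingerprint(body))
```

Run it against the downloaded file and paste the first output line into Red Sentry's certificate field. The length check only catches a cut-off or corrupted paste; it does not tell you that the certificate is the right one, so compare the printed thumbprint with the one shown in the Azure or Okta console before saving.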

After copying those settings, fill in the redirect URL. If you have a custom domain such as https://company.redsentry.com, use that; otherwise use https://app.redsentry.com.

Login

Now that everything is configured, the last step is to test the SSO login. Since we are using Okta, go back to the application in Okta and check whether it logs you in to Red Sentry.

Clicking the app logs us in to Red Sentry using the email supplied by Okta. If the user does not have an account yet, the platform creates one automatically on their first login.

As shown above, the login succeeded: the username ends with SAML, indicating the session came from a SAML SSO login.


