Configure Single Sign-On with different SAML providers
How to configure CISO Assistant
Once you've retrieved the IdP Entity ID, the Metadata URL and the Entity ID from your provider (see the list of providers for specific details), the configuration on CISO Assistant is pretty simple.
Log in to CISO Assistant as an administrator, then go to Extra > Settings
Enable SSO
Enter the IdP Entity ID
Choose option 1 or 2 depending on your provider and fill in either the Metadata URL, or the SSO URL, SLO URL and x509 certificate retrieved from your provider
Check that the SP Entity ID matches the Entity/Client ID specified on your provider
And that's it! Don't forget to save your changes
You should now be able to see the Login with SSO button
Be aware that the user needs to be created on CISO Assistant to be authenticated with SSO.
Configure Microsoft Entra ID as an Identity Provider for CISO Assistant
Go into your Azure portal home
Open the sidebar menu and click on Microsoft Entra ID
Click on the Add button > Enterprise application
Click on Create your own application
Enter a name and then click Integrate any other application you don’t find in the gallery (Non-gallery)
Click on Single sign-on in the sidebar menu or on Set up single sign on below Getting Started and choose SAML
In the first box, Basic SAML Configuration, specify the Entity ID; it has to be the same as the SP Entity ID in CISO Assistant (see next screenshot)
Add the Reply URL: <base_url>/api/accounts/saml/0/acs/ (for example with localhost: https://localhost:8443/api/accounts/saml/0/acs/)
In the third box, SAML Certificates, copy the App Federation Metadata URL; it is the Metadata URL in CISO Assistant (see next screenshot)
In the fourth box, Set up <App_name>, copy the Microsoft Entra Identifier; it is the IdP Entity ID in CISO Assistant
Click on Users and groups in the sidebar menu, and Add user/group to give them access to CISO Assistant with SSO
Adding a user to your application doesn't automatically create the user in CISO Assistant
You can now configure CISO Assistant with the 3 parameters you've retrieved.
Configure Okta as an Identity Provider for CISO Assistant
Go into your Okta admin console (it should look like this: https://<your_url>.okta.com/admin/dashboard)
In the sidebar menu, click on Applications > Applications
Click now on Create App Integration
Select SAML 2.0 and click on Next
Choose an App name and click on Next
Add the Single sign-on URL: <base_url>/api/accounts/saml/0/acs/ (for example with localhost: https://localhost:8443/api/accounts/saml/0/acs/) (see screenshot below)
Add the Audience URI (SP Entity ID); it has to be the same as the SP Entity ID in CISO Assistant (see screenshot below)
Choose Email as the Application username
Add Attribute Statements: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname for the user's first name and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname for the user's last name
Click on Next and fill in the Feedback page as you wish then click on Finish
In the Settings box inside SAML 2.0:
Copy the Metadata URL and paste it into the Metadata URL field in CISO Assistant
Copy the Issuer URL and paste it into the IdP Entity ID field in CISO Assistant
Go to the Assignments tab
Click on Assign and choose whether you want to assign users or specific groups
Adding a user to your application doesn't automatically create the user in CISO Assistant
You can now configure CISO Assistant with the 3 parameters you've retrieved.
Configure Keycloak as an Identity Provider for CISO Assistant
If Keycloak and CISO Assistant are both deployed locally with Docker, you'll need to make sure that both containers can communicate with each other. You can do this with a bridge network.
Go into your Keycloak admin console
Open the sidebar menu > Clients and Create client
Choose SAML client type and name it ciso-assistant or with your custom SP Entity ID
Fill in the Home URL with your <base_url> and Valid redirect URIs with <backend_url/*>
If you have problems configuring these URLs, you can ask for help on Discord or by emailing us
Go into Keys and disable Signing keys config
Go into Advanced and fill in the ACS field with <backend_url/api/accounts/saml/0/acs/> (on a cloud instance it is simply <base_url/api/accounts/saml/0/acs/>)
Go to Client scopes and click on ciso-assistant-dedicated
Add a predefined mapper and check all X500 ones
Click on X500 surname and replace the SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Click on X500 givenName and replace the SAML Attribute name with http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Go into Realm settings > General, where you will find the Metadata URL
The Entity ID is in the metadata document served at the Metadata URL
Adding a user to your application doesn't automatically create the user in CISO Assistant
You can now configure CISO Assistant with the 3 parameters you've retrieved.
Configure Google Workspace as an Identity Provider for CISO Assistant
Google Workspace doesn't allow callbacks to URLs containing http or localhost, so it can be tricky to test locally. You should deploy CISO Assistant with a FQDN to bypass these restrictions.
Go into Google Workspace Admin console
On the sidebar menu, go to Applications > Web and mobile applications
Click on Add an application > Add a custom SAML Application
Enter ciso-assistant or the name of your choice and click on continue
You can copy the SSO URL, Entity ID and x509 certificate here, but you'll also be able to retrieve them later
Fill in the ACS URL with <base_url>/api/accounts/saml/0/acs/, enter the Entity ID, which has to be the same as the SP Entity ID in CISO Assistant (ciso-assistant by default), and choose Email as the Name ID Format
Add two mappings, for First name and Last name, and fill them with these two values: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
On the application home page, you can now find the Entity ID, SSO URL and x509 certificate
Adding a user to your application doesn't automatically create the user in CISO Assistant
You can now configure CISO Assistant with the 3 parameters you've retrieved.