Integrate an Identity Provider (IdP) for SAML Logins

Integrate an Identity Provider (IdP) for SAML Logins


Article ID: 291549

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to add App Control as a Service Provider to an Identity Provider (IdP) to facilitate SAML logins

Environment

  • App Control Console: All Supported Versions

Resolution

Summary

  • Requires an account with an Identity Provider (IdP) whose login and logout locations use the HTTP-Redirect binding.
  • App Control must first be added as a Service Provider in the Identity Provider (IdP) configuration.
  • Mapping requires an email address from the IdP, supplied as one of the following:
    • NameID (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
    • Or a custom Attribute Value with the name EmailAddress (capitalized as shown)
  • An App Control Login User with an email address matching the value of NameID or EmailAddress must be pre-configured in the Console before the first SAML login.
  • Review the process when using both Active Directory and SAML integration.


I. Add App Control To An Existing Identity Provider (IdP):

  1. Log in to the IdP and add a new Service Provider (App Control).
  2. Determine which attribute to map to IdP Accounts:
    • Note: App Control only supports the use of NameID or attribute "EmailAddress", not both.
    • If using NameID:
      • Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • Provide the NameID Attribute that identifies Email Addresses in the IdP.
    • If using EmailAddress: (Capitalized as shown)
      • Add a new Attribute Value named EmailAddress (capitalized as shown) and map it to the users' email address.
      • If you provide EmailAddress it is always used for mapping, even when there is no matching Console account.
  3. Log in to the Console and navigate to System Configuration > SAML Login > Service Provider.
  4. Choose either XML or Manual, depending on the IdP requirements.
    • Do not alter or substitute any URLs generated by App Control.
    • All URLs should use the Server Address specified in Settings > System Configuration > General.
  5. Follow the instructions of the IdP for importing the App Control XML, or providing the values manually.
    • If prompted, choose to sign the SAML Assertion rather than the SAML Message.
  6. Download the XML Metadata provided by the IdP for the new Service Provider (App Control).
  7. Verify the XML provided matches the IdP XML requirements for App Control.


II. Add The IdP to App Control:

  1. Log in to the App Control Console and navigate to System Configuration > SAML Login > Identity Provider > Add Identity Provider.
    • Identity Provider Name: This is the name that will appear on the App Control Login page.
    • Identity Provider XML: This is the XML Metadata acquired in Step 7 of the Service Provider setup above.
  2. Paste or upload the IdP XML.
  3. Click Save. 

Additional Information

  • Only the NameID or the EmailAddress should be passed from the IdP to App Control in the assertion, not both.
  • If the Carbon Black App Control login account has not been created, or does not match the value of NameID or EmailAddress, the following or a similar message is reported in the Server.Log file:
LoginUser: SAML login: Email address did not exist: [email protected]
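As an added illustration (not Carbon Black's code), the following Python reads a SAML assertion and applies the mapping rules described above: an EmailAddress attribute is always used when present, NameID counts only with the emailAddress format, and an email with no pre-created Console account produces a message of the shape shown in Additional Information. The sample assertions, the message wording for the non-error cases and the case-insensitive account comparison are assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"          # SAML 2.0 assertion namespace
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # format named in the article

def mapping_email(assertion_xml: str):
    """Return (email, source) the Console would map on, per the article's rules:
    an EmailAddress attribute (exact capitalization) is always used when present;
    otherwise NameID is used only when its Format is the emailAddress URN.
    Signature and validity checks are the SAML stack's job and are out of scope here."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(f".//{{{SAML}}}Attribute"):
        if attr.get("Name") == "EmailAddress":  # case-sensitive: "emailaddress" would be ignored
            value = attr.findtext(f"{{{SAML}}}AttributeValue")
            if value and value.strip():
                return value.strip(), "EmailAddress"
    name_id = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is not None and name_id.get("Format") == EMAIL_NAMEID_FORMAT and name_id.text:
        return name_id.text.strip(), "NameID"
    return None, None

def resolve_login(assertion_xml: str, console_users: set) -> str:
    """Simulate the pre-provisioning check: the Console account must already exist.
    Case-insensitive comparison is an assumption, not documented behaviour."""
    email, source = mapping_email(assertion_xml)
    if email is None:
        return "LoginUser: SAML login: no usable NameID or EmailAddress in assertion"  # constructed text
    if email.lower() not in {u.lower() for u in console_users}:
        return f"LoginUser: SAML login: Email address did not exist: {email}"  # shape of the article's log line
    return f"LoginUser: SAML login: mapped {email} via {source}"  # constructed text

# Constructed sample assertions (not from the article); a real one also carries Issuer, Conditions and a Signature.
NAMEID_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID Format="{EMAIL_NAMEID_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""

ATTR_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a2" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-42</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>bob@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for assertion in (NAMEID_ASSERTION, ATTR_ASSERTION):
        print(resolve_login(assertion, {"alice@example.com"}))
```

Running it against a console user set containing only alice@example.com maps the first assertion and reports the "did not exist" message for the second, which is the symptom to look for in Server.Log when a user was not pre-created.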