SAML SSO for Insights

Setting Up and Managing Single Sign-On

What is SSO and why does it matter?

Single Sign-On (SSO) enables users to reduce the number of logins they must perform from a single machine. When SSO is in use, an Identity Provider (IdP) – a central login-management system – works in conjunction with various Service Providers (SPs) to control user access to the SPs’ applications. Users log into the IdP rather than into individual SPs or applications. Then, when they access any of the applications of the managed SPs, the IdP logs them in automatically.

SSO & ControlUp

ControlUp Insights has incorporated SSO support, enabling users to access Insights without logging into it directly, once they have logged into a supported IdP. At present, only the SAML 2.0 protocol is supported.

Note

Currently, only logins to websites are supported. Because ControlUp’s Console is not web-based, the Console does not support SSO at this time. In addition, if the SSO option is activated for Insights, links in the Console that would normally open Insights are disabled.

In order to set up SAML 2.0 SSO for Insights, settings in both the IdP and Insights must be configured, as explained below. Part of the setup process entails copying values from your IdP to Insights’ settings, and vice versa. It is recommended to begin with the IdP settings.

Once SAML 2.0 SSO is enabled, users (other than the user with the “Owner” role, as explained below) can no longer log into Insights from the URL they previously used (https://insights.controlup.com/). Instead, they must use the URL that appears in the Insights SAML 2.0 SSO settings, under Service Provider Login URL.

Note

Any user configuration done in Insights prior to SAML integration is not preserved for SAML logins (for example: Bookmarks, Home page, Top Insights customization, Time Zone). Every configuration change made while logged into Insights using SAML is saved for future sessions. It is recommended that, upon logging into Insights with SAML for the first time, users reconfigure Insights to suit their needs.

Note

Although some IdPs, such as Ping, also support Single Logout (SLO), Insights does not currently support this option. Thus, users remain logged into Insights until they either manually log out or are logged out by Insights automatically due to inactivity (after 15 minutes). Similarly, when they are logged out of Insights, they are not automatically logged out of other Ping SPs.

Configuring Single Sign-On for Insights on Ping

Before you can set up SSO for Insights on Ping, you must have a PingFederate server set up and running in your organization. The instructions below explain how to add ControlUp Insights to an existing PingFederate server. For information about setting up and working with PingFederate, refer to the Ping Identity website (https://www.pingidentity.com).

To add ControlUp Insights to a PingFederate server:

  1. In the PingFederate Identity Provider screen, select Create New. The Connection Template tab opens.
    [Screenshot: Identity Provider screen]

  2. Select Next repeatedly until the General Info tab opens.
    [Screenshot: General Info tab]

  3. Fill in the fields as follows:

    Partner's Entity ID (Connection ID)
      Description: Unique identifier of the connection. Enter a meaningful name for the new connection.
      Example: Dudi Production Lab

    Connection Name
      Description: Name of the connection. It is recommended to enter the same name as in the preceding field.
      Example: Dudi Production Lab

    Virtual Server IDs
      Description: Enter a name, and then select Add. It is recommended to enter the same name as in the preceding field, in the following format: https://[Connection Name]
      Note: This value must be copied into the Insights SAML settings, under Virtual Server IDs.
      Example: https://dudiproductionlab

  4. Select Next. The Browser SSO tab opens.
    [Screenshot: Browser SSO tab]

  5. Select Configure Browser SSO. The Browser SSO screen opens with the SAML Profiles tab displayed.
    [Screenshot: SP Connection | Browser SSO > SAML Profiles tab]

  6. Select both IdP-Initiated SSO and SP-Initiated SSO.
    Note
    Insights does not support SLO (Single Logout); selecting it here has no effect.

  7. Select Next. The Assertion Creation tab opens.
    [Screenshot: SP Connection | Browser SSO > Assertion Creation tab]

  8. Select Configure Assertion Creation. The Assertion Creation screen opens with the Identity Mapping tab displayed.

  9. Select Next. The Authentication Source Mapping tab opens.
    [Screenshot: SP Connection | Browser SSO | Assertion Creation > Authentication Source Mapping tab]

  10. Select Map New Adapter Instance. The IdP Adapter Mapping screen opens, with the Adapter Instance tab displayed.
    [Screenshot: SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Adapter Instance tab]

  11. Under Adapter Instance, select the IdP adapter instance to use for user authentication.

  12. Select Next repeatedly until the Attribute Contract Fulfillment tab opens.
    [Screenshot: SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Attribute Contract Fulfillment tab]

  13. Under Source and Value, select the required values for your environment.
    Note
    For additional information, refer to the PingFederate documentation.

  14. Select Next. The Issuance Criteria tab opens.
    [Screenshot: SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Issuance Criteria tab]

  15. Optional: Configure the fields as appropriate for each condition you want to create, and select Add for each condition.
    Note
    For additional information, refer to the PingFederate documentation.

  16. Select Next or Done repeatedly until the initial screen (Identity Provider) appears, with the SP connection you created listed in it.
    [Screenshot: Identity Provider screen with the new SP connection listed]

  17. Select the newly created SP connection. The Browser SSO screen opens with the SAML Profiles tab displayed.

  18. Select Next repeatedly until the Protocol Settings tab opens.
    [Screenshot: SP Connection | Browser SSO > Protocol Settings tab]

  19. Select Configure Protocol Settings. The Assertion Consumer Service URL tab opens.
    [Screenshot: SP Connection | Browser SSO | Protocol Settings > Assertion Consumer Service URL tab]

  20. Fill in the fields as follows:

    Index
      Description: Enter an index to identify the assertion URL.

    Binding
      Description: Select POST.
      Note: For security reasons, the only supported binding type is POST.

    Endpoint URL
      Description: The Insights assertion URL; the URL to which the IdP should respond to queries from Insights.
      Note: When you set up SAML SSO in Insights, this value is generated by Insights, and appears in the Insights SAML settings in the Assertion URL field. You must then copy it, return to this screen, and paste it into this field. You may find it easiest to simply stop configuring the Ping settings at this point, and follow the instructions below for configuring Insights. You can then copy this value from there, return to this location to enter it here, and continue with the Ping configuration.

  21. Select Add. The Insights assertion URL is added to the list, and selected as the default.

  22. Select Next. The Allowable SAML Bindings tab opens.
    [Screenshot: SP Connection | Browser SSO | Protocol Settings > Allowable SAML Bindings tab]

  23. Select POST.
    Note
    For security reasons, the only supported binding type is POST.

  24. Click Next. The Signature Policy tab opens.
    [Screenshot: SP Connection | Browser SSO | Protocol Settings > Signature Policy tab]

  25. Check both options shown in the Signature Policy screenshot above.

  26. Select Next. The Encryption Policy tab opens.
    [Screenshot: SP Connection | Browser SSO | Protocol Settings > Encryption Policy tab]

  27. Select None.

  28. Select Next or Done repeatedly until the Browser SSO tab appears.
    [Screenshot: SP Connection > Browser SSO tab]

  29. Select Next. The Credentials tab opens.
    [Screenshot: SP Connection > Credentials tab]

  30. Select Configure Credentials. The Digital Signature Settings tab opens.
    [Screenshot: SP Connection | Credentials > Digital Signature Settings tab]

  31. Under Signing Certificate, select the IdP certificate.
    Note
    The certificate string must be copied into the Insights SAML settings, under X.509 Certificate.

  32. Select Next. The Signature Verification Settings tab opens.
    [Screenshot: SP Connection | Credentials > Signature Verification Settings tab]

  33. Click Manage Signature Verification Settings. The Trust Model tab opens.
    [Screenshot: SP Connection | Credentials | Signature Verification > Trust Model tab]

  34. Select “Unanchored”.

  35. Click Next. The Signature Verification Certificate tab opens.
    [Screenshot: SP Connection | Credentials | Signature Verification > Signature Verification Certificate tab]

  36. Load the SP certificate (request it from ControlUp support) and select it.

  37. Select Next or Done repeatedly until the initial screen (Identity Provider) appears.

Setting Up Single Sign-On in Insights

In order to set up SAML 2.0 SSO for your organization’s Insights site, you must log into Insights with a user account that has the Owner role (the user who created the organization).

To set up SAML 2.0 SSO in Insights:

  1. Install and set up the PingFederate server in accordance with Ping Identity’s instructions, and configure it for Insights as explained above.

  2. Log into Insights with a user account that has the Owner role.

  3. In the Insights screen, in the upper-right corner, select your user name. A dropdown menu opens.
    [Screenshot: Select your user name to open the dropdown menu]
    [Screenshot: Dropdown menu open]
    Note
    If the user account with which you are logged into Insights does not have the Owner role, the Single Sign-On (SAML) option does not appear in this menu.

  4. In the menu, select Settings, and then select Single Sign-On (SAML). The Single Sign-On (SAML) Settings dialog box opens.
    [Screenshot: Single Sign-On dialog box]

  5. At the upper-left of the dialog box, select Enable SAML (SSO) Authentication. The required fields become available.

  6. Copy the following values from the Ping configuration and enter them into the fields of the same names in the Single Sign-On (SAML) Settings dialog box:

    Value in Ping -> Field in Insights SSO Settings
      Description

    X.509 Certificate -> X.509 Certificate
      The signing certificate of the SAML IdP, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

    Assertion URL -> SSO Application Endpoint
      The URL for logging into the IdP

    Virtual Server IDs -> Virtual Server IDs
      The virtual server IDs configured in the IdP’s connection identifier

    The Save button becomes active.
    [Screenshot: Required fields filled in]

  7. Copy the value that appears under Assertion URL to the Endpoint URL setting in the Ping configuration. (This is the URL to which the IdP should respond to queries from Insights.)

  8. Select Save. SAML 2.0 SSO is implemented throughout the organization. Users in your organization should access Insights through the URL that appears under Service Provider Login URL.
    Note
    Links in the ControlUp Console that would normally open Insights will no longer work from this point on. Beginning with Console version 7.3, after the user’s next login, these links will appear in the Console as disabled.

Configure Insights to support Azure AD SAML

Prerequisites:

  • Must have an Azure Enterprise account
  • Azure AD must be configured
  • Must have the necessary permissions to create the application
  • The UPN that Insights asserts must match the UPN that Azure AD presents. See the note at the end of this section.

Preparation on Azure AD

  1. Create an enterprise application.
    [Screenshot: Azure AD - App Creation]

  2. After entering a name of your choosing in the “Create your own application” menu, select the third radio button option (#2 in the screenshot above): “Integrate any other app…”

  3. Click Create.

  4. Review the app you’ve just created.
    [Screenshot: Azure AD - All Applications Menu]

Assignment Option

Use one of the following:

  • Assign Users and Groups to the application.
  • In the Properties (Management) tab, set ‘User Assignment required?’ to NO.

    [Screenshot: Assign Users and Groups]
    [Screenshot: Set User Assignment Required to NO]

Side-by-side with comments (Azure console and Insights settings)

See the annotated screenshot below to understand which information comes from the Insights Settings UI and which comes from the Azure AD settings (note the arrow direction).
    [Screenshot: Side-by-Side Comparison of Azure Console and Insights Settings Page]

IMPORTANT NOTE

Additionally, note that we assert the user’s UPN, and it must match the UPN that Azure AD presents.

We require the NameID attribute to carry the UPN value of the user. For example:

<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">The user Marcel created</NameID>

Finally, the Identifier (Entity ID) in the basic SAML configuration is not listed on the Insights side. Use: urn:componentspace:ControlupInsights
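The two values in the note above (a NameID in emailAddress format carrying the UPN, and the Entity ID urn:componentspace:ControlupInsights as the Audience) are the ones most often mistyped; the following added example, which is not ControlUp's or Microsoft's code, parses a SAML assertion captured from a test login and reports any mismatch. The sample assertion, the user marcel@example.com and the tenant placeholder are constructed for the example.

```python
# Added example, not ControlUp's or Microsoft's code: pre-flight check of a SAML
# assertion for the NameID and Audience values the note above says Insights needs.
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
INSIGHTS_ENTITY_ID = "urn:componentspace:ControlupInsights"  # Entity ID from the page
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # user@domain.tld shape

# Constructed sample assertion; user, tenant and ID values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">marcel@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:componentspace:ControlupInsights</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def check_assertion(xml_text: str) -> list:
    """Return the problems found; an empty list means the assertion carries the
    NameID and Audience that the Insights integration expects."""
    problems = []
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one.
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    name_id = assertion.find("./saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing: Insights requires a NameID carrying the user's UPN")
    else:
        fmt = name_id.get("Format")
        if fmt != EMAIL_FORMAT:
            problems.append("NameID Format is %r, expected %r" % (fmt, EMAIL_FORMAT))
        value = (name_id.text or "").strip()
        if not UPN_RE.match(value):
            problems.append("NameID value %r does not look like a UPN" % value)
    audiences = [a.text.strip() for a in assertion.findall(
        "./saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if INSIGHTS_ENTITY_ID not in audiences:
        problems.append("Audience %r lacks the Insights Entity ID %r" % (audiences, INSIGHTS_ENTITY_ID))
    return problems
```

An empty list from check_assertion(SAMPLE_ASSERTION) means both values match; a wrong Audience is the configuration that produces the AADSTS700016 error listed below.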

Possible Errors

User not authorized in Azure to use the Enterprise app (Error AADSTS50105)
    [Screenshot: User not authorized in Azure to use the Enterprise app - Error]

URN not configured (Error AADSTS700016)
    [Screenshot: URN not configured - Error]

Managing Single Sign-On Settings

Once SAML 2.0 SSO is enabled in your organization, modifications to the SAML 2.0 SSO settings, and disabling of the feature, can only be performed by the ControlUp user with the Owner role. In order to do so, the Owner must access Insights from its original URL (https://insights.controlup.com/), using the username and password under which the SAML 2.0 SSO settings were last configured.

Note
If you need to change the SAML 2.0 SSO settings, but you cannot log into the original Owner user account for some reason, contact ControlUp support.

To modify the SAML 2.0 SSO Settings in Insights:

  1. Log into Insights at its original URL, and open the Single Sign-On (SAML) Settings dialog box as explained above.
  2. Modify the values as required.
  3. Click Save.

To disable SAML 2.0 SSO in Insights:

  1. Log into Insights at its original URL, and open the Single Sign-On (SAML) Settings dialog box as explained above.
  2. Clear the Enable SAML (SSO) Authentication option.
  3. Click Save.
