SAML SSO for Insights
    Setting Up and Managing Single Sign-On

    What is SSO and why does it matter?

    Single Sign-On (SSO) reduces the number of separate logins a user must perform from a single machine. When SSO is in use, an Identity Provider (IdP), a central login-management system, works together with one or more Service Providers (SPs) to control user access to the SPs’ applications. Users log into the IdP rather than into the individual SPs or applications; when they then access an application of a managed SP, the IdP logs them in automatically.

    SSO & ControlUp

    ControlUp Insights has incorporated SSO support, enabling users to access Insights without logging into it directly, once they have logged into a supported IdP. At present, only the SAML 2.0 protocol is supported.

    Note

    Currently, only logins to websites are supported. Because ControlUp’s Console is not web-based, the Console does not support SSO at this time. In addition, if the SSO option is activated for Insights, links in the Console that would normally open Insights are disabled.

    In order to set up SAML 2.0 SSO for Insights, settings in both the IdP and Insights must be configured, as explained below. Part of the setup process entails copying values from your IdP to Insights’ settings, and vice versa. It is recommended to begin with the IdP settings.

    Once SAML 2.0 SSO is enabled, users (other than the user with the “Owner” role, as explained below) can no longer log into Insights from the URL they previously used (https://insights.controlup.com/). Instead, they must use the URL that appears in the Insights SAML 2.0 SSO settings, under Service Provider Login URL.

    Note

    Any user configuration done in Insights prior to SAML integration (such as Bookmarks, Home page, Top Insights customization and Time Zone) is not carried over to SAML logins. Configuration done while logged into Insights through SAML is saved for future SAML sessions. It is therefore recommended that, upon logging into Insights with SAML for the first time, users reconfigure Insights to suit their needs.

    Note

    Although some IdPs, like Ping, also support Single Logout (SLO), Insights does not currently support this option. Thus, users remain logged into Insights until they either log out manually or are logged out by Insights automatically due to inactivity (after 15 minutes). Similarly, when they are logged out of Insights, they are not automatically logged out of other Ping SPs.

    Configuring Single Sign-On for Insights on Ping

    Before you can set up SSO for Insights on Ping, you must have a PingFederate server set up and running in your organization. The instructions below explain how to add ControlUp Insights to an existing PingFederate server. For information about setting up and working with PingFederate, refer to the Ping Identity website (https://www.pingidentity.com ).

    To add ControlUp Insights to a PingFederate server:

    1. In the PingFederate Identity Provider screen, select Create New. The Connection Template tab opens.
      [Screenshot: Identity Provider screen]

    2. Select Next repeatedly until the General Info tab opens.
      [Screenshot: General Info tab]

    3. Fill in the fields as follows:

       Partner's Entity ID (Connection ID)
         Description: Unique identifier of the connection. Enter a meaningful name for the new connection.
         Example: Dudi Production Lab

       Connection Name
         Description: Name of the connection. It is recommended to enter the same name as in the preceding field.
         Example: Dudi Production Lab

       Virtual Server IDs
         Description: Enter a name, and then select Add. It is recommended to enter the same name as in the preceding field, in the following format: https://[Connection Name]
         Example: https://dudiproductionlab

       Note
       The Virtual Server IDs value must be copied into the Insights SAML settings, under Virtual Server IDs.

    4. Select Next. The Browser SSO tab opens.
      [Screenshot: Browser SSO tab]

    5. Select Configure Browser SSO. The Browser SSO screen opens with the SAML Profiles tab displayed.
      [Screenshot: SP Connection | Browser SSO > SAML Profiles tab]

    6. Select both IdP-Initiated SSO and SP-Initiated SSO.
       Note
       Insights does not support SLO (Single Logout); selecting it here has no effect.
    7. Select Next. The Assertion Creation tab opens.

      [Screenshot: SP Connection | Browser SSO > Assertion Creation tab]

    8. Select Configure Assertion Creation. The Assertion Creation screen opens with the Identity Mapping tab displayed.
    9. Select Next. The Authentication Source Mapping tab opens.

      [Screenshot: SP Connection | Browser SSO | Assertion Creation > Authentication Source Mapping tab]

    10. Select Map New Adapter Instance. The IdP Adapter Mapping screen opens, with the Adapter Instance tab displayed.

      [Screenshot: SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Adapter Instance tab]

    11. Under Adapter Instance, select the IdP adapter instance to use for user authentication.
    12. Select Next repeatedly until the Attribute Contract Fulfillment tab opens.

      [Screenshot: SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Attribute Contract Fulfillment tab]

    13. Under Source and Value, select the values required for your environment.
       Note
       For additional information, refer to the PingFederate documentation.
    14. Select Next. The Issuance Criteria tab opens.

      [Screenshot: SP Connection | Browser SSO | Assertion Creation | IdP Adapter Mapping > Issuance Criteria tab]

    15. Optional: Configure the fields as appropriate for each condition you want to create, and select Add for each condition.
       Note
       For additional information, refer to the PingFederate documentation.
    16. Select Next or Done repeatedly until the initial screen (Identity Provider) appears, with the SP connection you created listed in it.

      [Screenshot: Identity Provider screen with the new SP connection listed]

    17. Select the newly created SP connection. The Browser SSO screen opens with the SAML Profiles tab displayed.
    18. Select Next repeatedly until the Protocol Settings tab opens.

      [Screenshot: SP Connection | Browser SSO > Protocol Settings tab]

    19. Select Configure Protocol Settings. The Assertion Consumer Service URL tab opens.

      [Screenshot: SP Connection | Browser SSO | Protocol Settings > Assertion Consumer Service URL tab]

    20. Fill in the fields as follows:

       Index
         Description: Enter an index to identify the assertion URL.

       Binding
         Description: Select POST.
         Note: For security reasons, the only supported binding type is POST.

       Endpoint URL
         Description: The Insights assertion URL; the URL to which the IdP should respond to queries from Insights.
         Note: When you set up SAML SSO in Insights, this value is generated by Insights and appears in the Insights SAML settings in the Assertion URL field. You must copy it, return to this screen, and paste it into this field. You may find it easiest to stop configuring the Ping settings at this point and follow the instructions below for configuring Insights. You can then copy this value from there, return here to enter it, and continue with the Ping configuration.
    21. Select Add. The Insights assertion URL is added to the list and selected as the default.
    22. Select Next. The Allowable SAML Bindings tab opens.

      [Screenshot: SP Connection | Browser SSO | Protocol Settings > Allowable SAML Bindings tab]

    23. Select POST.
       Note
       For security reasons, the only supported binding type is POST.
    24. Click Next. The Signature Policy tab opens.

      [Screenshot: SP Connection | Browser SSO | Protocol Settings > Signature Policy tab]

    25. Check both options shown in the Signature Policy screenshot.
    26. Select Next. The Encryption Policy tab opens.

      [Screenshot: SP Connection | Browser SSO | Protocol Settings > Encryption Policy tab]

    27. Select None.
    28. Select Next or Done repeatedly until the Browser SSO tab appears.

      [Screenshot: SP Connection > Browser SSO tab]

    29. Select Next. The Credentials tab opens.

      [Screenshot: SP Connection > Credentials tab]

    30. Select Configure Credentials. The Digital Signature Settings tab opens.

      [Screenshot: SP Connection | Credentials > Digital Signature Settings tab]

    31. Under Signing Certificate, select the IdP certificate.
       Note
       The certificate string must be copied into the Insights SAML settings, under X.509 Certificate.
    32. Select Next. The Signature Verification Settings tab opens.

      [Screenshot: SP Connection | Credentials > Signature Verification Settings tab]

    33. Click Manage Signature Verification Settings. The Trust Model tab opens.

      [Screenshot: SP Connection | Credentials | Signature Verification > Trust Model tab]

    34. Select “Unanchored”.
    35. Click Next. The Signature Verification Certificate tab opens.

      [Screenshot: SP Connection | Credentials | Signature Verification > Signature Verification Certificate tab]

    36. Load the SP certificate (request it from ControlUp support) and select it.
    37. Select Next or Done repeatedly until the initial screen (Identity Provider) appears.

    Setting Up Single Sign-On in Insights

    In order to set up SAML 2.0 SSO for your organization’s Insights site, you must log into Insights with a user account that has the Owner role (the user who created the organization).

    To set up SAML 2.0 SSO in Insights:

    1. Install and set up the PingFederate server in accordance with Ping Identity’s instructions, and configure it for Insights as explained above.
    2. Log into Insights with a user account that has the Owner role.
    3. In the Insights screen, in the upper-right corner, select your user name. A dropdown menu opens.

      [Screenshot: Select your user name to open the dropdown menu]
      [Screenshot: Dropdown menu open]

       Note
       If the user account with which you are logged into Insights does not have the Owner role, the Single Sign-On (SAML) option does not appear in this menu.
    4. In the menu, select Settings, and then select Single Sign-On (SAML). The Single Sign-On (SAML) Settings dialog box opens.

      [Screenshot: Single Sign-On dialog box]

    5. At the upper-left of the dialog box, select the Enable SAML (SSO) Authentication option. The required fields become available.
    6. Copy the following values from the Ping configuration and enter them into the fields of the same names in the Single Sign-On (SAML) Settings dialog box:

       Value in Ping: X.509 Certificate
       Field in Insights SSO Settings: X.509 Certificate
       Description: The IdP's SAML signing certificate (the public key Insights uses to verify the IdP's signatures), including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines

       Value in Ping: Assertion URL
       Field in Insights SSO Settings: SSO Application Endpoint
       Description: The URL for logging into the IdP

       Value in Ping: Virtual Server IDs
       Field in Insights SSO Settings: Virtual Server IDs
       Description: The virtual server IDs configured in the IdP’s connection identifier

    The Save button becomes active.

      [Screenshot: Required fields filled in]

    7. Copy the value that appears under Assertion URL to the Endpoint URL setting in the Ping configuration. (This is the URL to which the IdP should respond to queries from Insights.)
    8. Select Save. SAML 2.0 SSO is now in effect throughout the organization. Users in your organization should access Insights through the URL that appears under Service Provider Login URL.
       Note
       Links in the ControlUp Console that would normally open Insights no longer work from this point on. Beginning with Console version 7.3, after the user’s next login, these links appear in the Console as disabled.

    Configure Insights to support Azure AD SAML

    Prerequisites:

    • Must have an Azure Enterprise account
    • Azure AD must be configured
    • Must have the necessary permissions to create the application
    • Insights relies on the user's UPN being asserted, and it must match what Azure presents. See the note at the end of this section.

    Preparation on Azure AD

    1. Create an enterprise application.

      [Screenshot: Azure AD - App Creation]

    2. After entering a name of your choosing in the “Create your own application” menu, select the third radio button option (#2 in the screenshot above): “Integrate any other app…”
    3. Click Create.
    4. Review the app you’ve just created.

      [Screenshot: Azure AD - All Applications Menu]

    Assignment Option

    • Assign Users and Groups
    • In the Properties tab (under Manage), set ‘User Assignment required?’ to NO.

      [Screenshot: Assign Users and Groups]
      [Screenshot: Set User Assignment Required to NO]

    Side-by-side with comments - (Azure console and Insights settings)

    See the annotated screenshot below to understand which information comes from the Insights Settings UI and which comes from the Azure AD settings (note the arrow direction).

      [Screenshot: Side-by-Side Comparison of Azure Console and Insights Settings Page]

    IMPORTANT NOTES

    1. In the Sign on URL, replace any whitespace with "%20". This is required when your ControlUp organization name contains spaces.

    2. Additionally, note that Insights relies on the user's UPN being asserted, and it must match what Azure presents.

    We require the NameID attribute with the UPN value of the user. For example:

    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">The user Marcel created</NameID>

    Finally, the Identifier (Entity ID) in the Basic SAML Configuration is not listed on the Insights side. Use: urn:componentspace:ControlupInsights
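    As an added pre-flight check (not part of the original article and not ControlUp's own tooling), the following Python snippet verifies that a pasted X.509 value carries the required BEGIN/END lines and a decodable certificate body, and that an Azure AD assertion carries an emailAddress-formatted NameID holding a UPN together with the urn:componentspace:ControlupInsights audience. The sample PEM and assertion are constructed placeholders; the check inspects content only and performs no signature verification, which remains Insights' job.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
INSIGHTS_ENTITY_ID = "urn:componentspace:ControlupInsights"  # Identifier (Entity ID) from the notes
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # user@domain.tld shape

def check_certificate(pem: str) -> list:
    # The X.509 field must include the BEGIN/END lines and a decodable DER body.
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    problems = []
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----":
        problems.append("missing -----BEGIN CERTIFICATE----- line")
    if not lines or lines[-1] != "-----END CERTIFICATE-----":
        problems.append("missing -----END CERTIFICATE----- line")
    try:
        der = base64.b64decode("".join(ln for ln in lines if "-----" not in ln), validate=True)
        if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE (tag 0x30)
            problems.append("body is not a DER SEQUENCE")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body is not valid base64")
    return problems

def check_assertion(xml_text: str) -> list:
    # Content check only: NameID must be emailAddress-formatted and carry the UPN, and the
    # Audience must be the Insights Entity ID. Signature verification is done by Insights, not here.
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(f".//{SAML2}NameID")
    if name_id is None:
        problems.append("no NameID in assertion")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format {name_id.get('Format')!r} is not emailAddress")
        if not UPN_RE.match(name_id.text or ""):
            problems.append(f"NameID value {name_id.text!r} is not a UPN")
    if INSIGHTS_ENTITY_ID not in [a.text for a in root.iter(f"{SAML2}Audience")]:
        problems.append(f"Audience does not include {INSIGHTS_ENTITY_ID}")
    return problems

# Constructed samples: MAMCAQE= is the DER for SEQUENCE{INTEGER 1}, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml2:NameID></saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>urn:componentspace:ControlupInsights</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>"""
```

An empty list from either function means the value passes the checks; a non-empty list names the mismatch (for example a display name instead of a UPN in the NameID, which is the kind of mismatch the UPN note above warns about).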

    Possible Errors

    User not authorized in Azure to use the Enterprise app (Error AADSTS50105)

      [Screenshot: User not authorized in Azure to use the Enterprise app - Error]

    URN not configured (Error AADSTS700016)

      [Screenshot: URN not configured - Error]

    Managing Single Sign-On Settings

    Once SAML 2.0 SSO is enabled in your organization, modifications to the SAML 2.0 SSO settings, and disabling of the feature, can only be performed by the ControlUp user with the Owner role. In order to do so, the Owner must access Insights from its original URL (https://insights.controlup.com/), using the username and password under which the SAML 2.0 SSO settings were last configured.

    Note
    If you need to change the SAML 2.0 SSO settings, but you cannot log into the original Owner user account for some reason, contact ControlUp support.

    To modify the SAML 2.0 SSO Settings in Insights:

    1. Log into Insights at its original URL, and open the Single Sign-On (SAML) Settings dialog box as explained above.
    2. Modify the values as required.
    3. Click Save.

    To disable SAML 2.0 SSO in Insights:

    1. Log into Insights at its original URL, and open the Single Sign-On (SAML) Settings dialog box as explained above.
    2. Clear the Enable SAML (SSO) Authentication option.
    3. Click Save.

