Cyara supports authentication through third-party identity providers using SAML 2.0 Single Sign-On. This feature was implemented to improve security in the highly regulated environments of Cyara customers, such as large financial institutions and healthcare providers.
Prerequisites
Cyara follows security best practices and has several requirements.
- Identity provider-initiated SSO: the only flow currently supported. Service provider-initiated SSO is not supported.
- Identity Provider URL: the Identity Provider's issuer (entity ID) of the security token.
- Single Sign-On URL: the URL provided by the Identity Provider through which users log in to the Portal using SSO.
- Security Certificates: Cyara doesn’t accept self-signed certificates, because they do not provide an acceptable level of security in corporate environments. Each certificate must be issued by a recognized certificate authority.
- Metadata: Cyara accepts either an XML metadata export or a metadata URL. The metadata must carry the same certificate and the same entity ID as entered in the Identity Provider URL; even a one-character difference makes the integration inoperable.
When all the details are received, Cyara can provide the Assertion Consumer Service (ACS) URL and the Service Provider Entity URL back to the client.
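Because a single differing character in the entity ID or certificate makes the integration inoperable, it is worth checking the metadata against the values entered in the Portal before opening a ticket. The following script is an added example, not Cyara's own code: it parses an Identity Provider's SAML metadata with the Python standard library, compares the entityID with the configured Identity Provider URL, and compares the signing certificate with the certificate entered in the Portal, accepting both the PEM-wrapped and the single-string certificate forms. The metadata document and certificate body embedded below are constructed placeholders, not real material.

```python
"""Consistency checks for an IdP's SAML metadata before handing it to Cyara.

Added example (not Cyara's code). Checks the two things the prerequisites call out:
the metadata's entityID must equal the configured Identity Provider URL, and the
certificate in the metadata must equal the certificate entered in the Portal
(PEM-wrapped or single-string form). Sample metadata below is constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: minimal IdP metadata with one signing certificate (not a real cert).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC0DCCAbigAwIBAgIJAKFAKECERTBODY
            THISISNOTAREALCERTIFICATE0123456789
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_cert(text: str) -> str:
    """Reduce a certificate to its bare base64 body.

    Accepts the PEM form (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----)
    and the single-string form, so both Portal input styles compare equal.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return re.sub(r"\s+", "", body)


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(normalize_cert(cert.text or ""))
    sso = [e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso_locations": sso}


def check_metadata(xml_text: str, identity_provider_url: str, portal_cert: str) -> list:
    """Return mismatches between the metadata and the values entered in the Portal.

    An empty list means the metadata is consistent. Comparison is exact, so a single
    differing character (for example a trailing slash) is reported as a mismatch.
    """
    md = parse_idp_metadata(xml_text)
    problems = []
    if md["entity_id"] != identity_provider_url:
        problems.append(
            f"entityID mismatch: metadata has {md['entity_id']!r}, "
            f"Portal Identity Provider URL is {identity_provider_url!r}"
        )
    if not md["signing_certs"]:
        problems.append("metadata carries no signing certificate")
    elif normalize_cert(portal_cert) not in md["signing_certs"]:
        problems.append("certificate entered in the Portal is not the signing certificate in the metadata")
    return problems


if __name__ == "__main__":
    pem = (
        "-----BEGIN CERTIFICATE-----\n"
        "MIIC0DCCAbigAwIBAgIJAKFAKECERTBODY\n"
        "THISISNOTAREALCERTIFICATE0123456789\n"
        "-----END CERTIFICATE-----\n"
    )
    print(check_metadata(SAMPLE_METADATA, "https://idp.example.test/saml", pem))
    print(check_metadata(SAMPLE_METADATA, "https://idp.example.test/saml/", pem))
```

Run it against the real metadata export (read the file into `check_metadata` in place of `SAMPLE_METADATA`) with the exact strings pasted into the Portal; the second call in the `__main__` block shows how a trailing slash alone is enough to produce a mismatch.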
Creating an Identity Provider in Cyara
To create the new Identity Provider in the Cyara Portal, you need to have Platform Administrator privileges.
- From the Portal home page, go to Administration -> Platform Management -> Identity Providers.
- Click Create Provider.
- Set the Provider Type to SAML (currently the only supported type).
- In the Provider field, enter the Provider ID name.
Note: No spaces are allowed.
- In the Name field, enter a nickname for the provider to be displayed in the Cyara configuration.
- Fill out the Identity Provider URL and Single Sign-On URL details.
- For the Metadata, insert either the Metadata URL (if it is accessible over the internet) or the Metadata XML export.
The certificate should be displayed as follows:
-----BEGIN CERTIFICATE-----
SECURITY CERTIFICATE
-----END CERTIFICATE-----
Note: Single string certificates are also supported.
An example is shown in the picture below:
- Scroll to the top of the page and pull the Enable/Disable slider to enable the newly created provider.
- Scroll to the end of the page and click Create.
Cyara verifies SAML SSO with Okta and Microsoft Azure ADFS; other implementations are supported as well. As long as the Identity Provider is SAML 2.0 compliant, Cyara will work with it.
Configuring Azure ADFS
This section provides a sample configuration for the Microsoft Azure ADFS environment.
- On the Azure Portal, create a new Enterprise Application. For information, see
- Click Single sign-on and complete the required fields.
- Fill in the Entity ID and Reply URL from the fields shown on the Portal's Identity Provider setup screen. Ensure the Unique User Identifier (name identifier) is set to the user's email address (the default).
- Download the Certificate (Base64) and the Federation Metadata XML and update the Identity Provider details on the Cyara Portal.
- Open the application's Properties and ensure that "Enabled for users to sign in?" is set to Yes.
- Capture the User access URL and update the Single Sign-On URL in the Cyara Portal Identity Provider screen.
To test, open a new browser and navigate to the URL defined in the Single Sign-On URL field.
Configuring OKTA SSO
- In the Okta settings, create an Application.
- Specify the Cyara ACS URL as both the SSO URL and the Recipient URL.
- Set the Audience Restriction to the Cyara SP Entity ID.
- In the Sign On tab, obtain the Identity Provider, Single Sign-On URL, Metadata, and Certificate values needed for the Cyara configuration.
User configuration in Okta is similar to the configuration in MS ADFS.
SAML Response Common Issues
Starting with Release 22.5, Cyara upgraded its identity service to version ID6, which introduced several rules for Identity Providers:
- No self-signed certificates. Self-signed certificates are no longer accepted by Cyara.
- The SAML Response must carry a Destination attribute on the samlp:Response element whose value is the Cyara ACS. Example: https://demo.cyara.com/cyarawebidentity/identity/TestProvider
Here is how it looks in the SAML Response:
<samlp:Response ID="_d75c3822-60ff-48b9-bd25-b3049eabc625" Version="2.0" IssueInstant="2022-10-05T15:37:04.838Z"
    Destination="https://demo.cyara.com/cyarawebidentity/identity/TestProvider/Acs" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
Note: If the Destination attribute is absent from the SAML Response, Cyara throws the following exception:
2022-10-05 13:50:56.067Z ERROR [.NET ThreadPool Worker] Diagnostics.ExceptionHandlerMiddleware - An unhandled exception has occurred while executing the request. TraceId:00-034f84eb817b75d4624fa6e29045ec87-60e1d09e220df547-00 {\"Type\":\"System.Exception\",\"Message\":\"Exception: An error was encountered while handling the remote login. >> Exception: SAMLResponse is missing Destination\",\"StackTrace\":\" at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()\
at Rsk.AspNetCore.Authentication.Saml2p.Saml2pAuthenticationHandler.HandleRequestAsync()\
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 52\
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 48\
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 28\
at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)\
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)\"}"
- The SAML Response must contain an Audience element whose value is the Cyara Service Provider Entity ID:
<AudienceRestriction>
<Audience>https://demo.cyara.com/cyarawebidentity/identity/TestProvider</Audience>
</AudienceRestriction>
Note: If the Audience element is absent, Cyara Identity generates the following exception:
{"timestamp":1665075340361,"message":"2022-10-06 16:55:40.361Z ERROR [.NET ThreadPool Worker] Diagnostics.ExceptionHandlerMiddleware - An unhandled exception has occurred while executing the request.
TraceId:00-87e967dcb75573c07974280804cdbe8f-6a1913858a6768cf-00 {\"Type\":\"System.Exception\",\"Message\":\"Exception: An error was encountered while handling the remote login. >>
Exception: SAMLResponse contains incorrect audience restriction\",\"StackTrace\":\"
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()\\n
at Rsk.AspNetCore.Authentication.Saml2p.Saml2pAuthenticationHandler.HandleRequestAsync()\\n
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 52\\n
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\\n
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 48\\n
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 28\\n
at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)\\n
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Tasktask)\"}","requ
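Both exceptions above can be reproduced and diagnosed offline from a captured SAMLResponse, which is usually faster than reading the server log. The script below is an added example, not Cyara's code: it decodes the SAMLResponse form field posted to the ACS, checks that the Destination attribute equals the ACS URL and that an Audience element equals the Service Provider Entity ID, and reports the same two conditions the log messages describe. The ACS and entity ID constants are the example values shown on this page; the sample responses are constructed, unsigned and unencrypted, so the script assumes a plaintext assertion and does not replace the signature validation the identity service performs.

```python
"""Pre-flight check of a SAML Response for the Destination and Audience rules.

Added example (not Cyara's code). The checks mirror the two failures described on
this page: "SAMLResponse is missing Destination" and "SAMLResponse contains
incorrect audience restriction". Assumes a plaintext (unencrypted) assertion and
performs no signature verification; it is a troubleshooting aid only.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Example values as shown on this page (Destination from the sample Response, Audience
# from the sample AudienceRestriction).
ACS_URL = "https://demo.cyara.com/cyarawebidentity/identity/TestProvider/Acs"
SP_ENTITY_ID = "https://demo.cyara.com/cyarawebidentity/identity/TestProvider"


def build_sample_response(destination=None, audience=None) -> str:
    """Constructed minimal SAML Response used to exercise the checks."""
    dest_attr = f' Destination="{destination}"' if destination else ""
    audience_xml = (
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        if audience else ""
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example" Version="2.0" IssueInstant="2022-10-05T15:37:04.838Z"'
        f"{dest_attr}>"
        "<saml:Issuer>https://idp.example.test/saml</saml:Issuer>"
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-10-05T15:37:04.838Z">'
        "<saml:Issuer>https://idp.example.test/saml</saml:Issuer>"
        '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        "user@example.test</saml:NameID></saml:Subject>"
        f"<saml:Conditions>{audience_xml}</saml:Conditions>"
        "</saml:Assertion>"
        "</samlp:Response>"
    )


def encode_for_post(xml_text: str) -> str:
    """Base64-encode a Response the way the browser posts it in the SAMLResponse field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_saml_response(xml_text: str, acs_url: str, sp_entity_id: str) -> list:
    """Return the problems found; an empty list means both rules are satisfied."""
    root = ET.fromstring(xml_text)
    problems = []

    # Rule 1: Destination is an attribute on samlp:Response and must equal the ACS URL.
    destination = root.get("Destination")
    if destination is None:
        problems.append("SAMLResponse is missing Destination")
    elif destination != acs_url:
        problems.append(f"Destination {destination!r} does not match ACS {acs_url!r}")

    # Rule 2: some Audience under Conditions/AudienceRestriction must equal the SP entity ID.
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if not audiences:
        problems.append("SAMLResponse has no AudienceRestriction/Audience")
    elif sp_entity_id not in audiences:
        problems.append(f"SAMLResponse contains incorrect audience restriction: {audiences}")
    return problems


def check_posted_saml_response(b64: str, acs_url: str, sp_entity_id: str) -> list:
    """Same check, starting from the base64 SAMLResponse form field as posted to the ACS."""
    return check_saml_response(base64.b64decode(b64).decode("utf-8"), acs_url, sp_entity_id)


if __name__ == "__main__":
    print(check_saml_response(build_sample_response(ACS_URL, SP_ENTITY_ID), ACS_URL, SP_ENTITY_ID))
    print(check_saml_response(build_sample_response(None, SP_ENTITY_ID), ACS_URL, SP_ENTITY_ID))
    print(check_saml_response(build_sample_response(ACS_URL, "https://other.example.test/sp"), ACS_URL, SP_ENTITY_ID))
```

To check a real login, copy the SAMLResponse value from the browser's developer tools (the POST to the ACS URL) and pass it to `check_posted_saml_response` together with the ACS URL and Service Provider Entity URL that Cyara provided; if the assertion is encrypted, the Audience check cannot see it and the response must be inspected on the Identity Provider side instead.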