For more information and configuration regarding Single sign-on in Security Center, read this article:
Create a single sign-on application in Azure
On the Azure Portal, navigate to:
- Azure Active Directory
- Enterprise Applications
- New Application
- Select the Non-Gallery application (within the new tile)
Provide a name to the application and click on Add.
Configure single sign-on in Security Center
Here you will need both the Azure portal Single sign-on page and the Security Center Single sign-on page.
- Navigate to the newly created Azure application and click on Single sign-on (Enkel inloggning in Swedish) in the left panel.
- Log in to your Security Center account --> Settings --> Single sign-on.
- Scroll down to the section IDP SAML Certificate and choose Manual.
- Copy the Login URL from your SSO app and paste it into the IDP login URL in the Security Center.
- Copy the Azure AD Identifier URL from your SSO app and paste it into the IDP entity ID/metadata URL in the Security Center.
- Click Download on the Certificate (Base64), open the certificate with a text editor, copy the whole content and paste it into the IDP Certificate in the Security Center.
Encrypt Assertion element in the Security Center.
- Click on Save in the Security Center
Configure Single sign-on in Azure
From Holm Security, copy the Single sign-on data from within your account in Security Center. You can find out what fields to use here: How do I set up Single sign-on?
Fill in the copied data to the section in Azure named Basic SAML Configuration.
Note: the red zone in the below image contains the unique token strings
Navigate back to the application overview and click on the edit button for the SAML Signing Certificate section:
Ensure that the configuration algorithm and options match these values exactly:
- Signing Option = Sign SAML response and assertion
- Signing Algorithm = SHA-256 or SHA-1
The section User Attributes & Claims configures how attributes from the user are mapped to the user inside of Security Center. Read more here: Single sign-on user attribute mapping
The below fields are mandatory, and the default values are normally enough (red-marked in the image):
- Unique User Identifier (also referred to as NameID)
Finally, you can add the users or groups that should have access to Security Center via this SSO app by navigating to Users and groups in the left panel menu:
Configure mapping of roles
By default, a user is assigned the lowest privileged role, User, inside of Security Center. To assign the Superuser role to a user, you can use Azure roles together with attribute mapping.
Navigate to the section User Attributes & Claims and click the edit action at the top right corner.
Select Add new claim and enter the following information as a minimum:
- Name = userrole
- Namespace = http://schemas.microsoft.com/ws/2008/06/identity/claims/role
- Source attribute = user.assignedroles
Proceed by pressing Save.
This allows you to assign the appropriate role to the users who should be mapped to Superuser inside of Security Center.
The supported role name (value) for the userrole attribute can be found here: User attribute mapping
The recommended approach is to create a new unique role inside of Azure AD using the supported names. This role can then be assigned to the users who should have the Superuser role inside of Security Center.
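To confirm that Azure AD actually emits what the SAML Signing Certificate section and the role claim above ask for, it helps to inspect a captured SAML Response before pointing users at the integration. The script below is an added example, not Holm Security's code: it takes a base64-decoded SAML Response, checks that both the Response and the Assertion carry a signature with one of the two algorithms listed in this article (prefer SHA-256), checks that the mandatory NameID is present, reads the role claim, and maps it to Security Center's User or Superuser role. It assumes that Azure AD names the claim as namespace plus "/" plus name (the bare namespace is accepted as a fallback), uses a placeholder for the supported role value (take the real one from the User attribute mapping article), and does not verify the signature cryptographically, which remains the job of Security Center itself. The sample response embedded in it is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Claim configured in the article: Name = userrole, Namespace = .../claims/role.
CLAIM_NAMESPACE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
CLAIM_NAME = "userrole"
# Assumption: Azure AD emits the attribute as "<namespace>/<name>"; the bare
# namespace is accepted too in case the tenant emits its default role claim.
ROLE_ATTRIBUTE_NAMES = {f"{CLAIM_NAMESPACE}/{CLAIM_NAME}", CLAIM_NAMESPACE}
# The two algorithms the article allows; SHA-256 is the one to prefer.
ACCEPTED_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}

# Constructed sample response with placeholder values, not real tenant data.
# Real responses also carry SignatureValue/KeyInfo; they are omitted because
# this script checks configuration shape, not cryptographic validity.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIM_NAMESPACE}/{CLAIM_NAME}">
        <saml:AttributeValue>SUPERUSER-ROLE-NAME-PLACEHOLDER</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signature_method(element):
    """Return the SignatureMethod Algorithm of the element's own ds:Signature, or None."""
    method = element.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else None


def role_values(assertion):
    """Collect the AttributeValue strings of the configured role claim."""
    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in ROLE_ATTRIBUTE_NAMES:
            values += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return values


def map_role(roles, superuser_role_name):
    """Mirror the article's rule: Superuser only if the agreed role value is present."""
    return "Superuser" if superuser_role_name in roles else "User"


def audit(response_xml, superuser_role_name):
    """Check a decoded SAML Response against the article's settings and map the role."""
    root = ET.fromstring(response_xml)
    findings = {"problems": []}
    # With Encrypt Assertion enabled the assertion arrives as EncryptedAssertion.
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings["problems"].append("assertion is encrypted; decrypt it before inspecting")
        return findings
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings["problems"].append("no Assertion element in the response")
        return findings
    resp_alg, asrt_alg = signature_method(root), signature_method(assertion)
    findings["response_signed"] = resp_alg is not None
    findings["assertion_signed"] = asrt_alg is not None
    if not (findings["response_signed"] and findings["assertion_signed"]):
        findings["problems"].append("Signing Option must be 'Sign SAML response and assertion'")
    findings["algorithm_ok"] = {resp_alg, asrt_alg} <= ACCEPTED_SIGNATURE_METHODS
    if not findings["algorithm_ok"]:
        findings["problems"].append("signature algorithm is not SHA-256 or SHA-1")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    findings["name_id"] = name_id.text.strip() if name_id is not None and name_id.text else None
    if not findings["name_id"]:
        findings["problems"].append("NameID missing: the Unique User Identifier claim is mandatory")
    findings["roles"] = role_values(assertion)
    findings["security_center_role"] = map_role(findings["roles"], superuser_role_name)
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE, "SUPERUSER-ROLE-NAME-PLACEHOLDER"))
```

Run it against a response captured from your own test sign-in (the SAMLResponse form field, base64-decoded) and replace the placeholder with the role name from the User attribute mapping article; an empty problems list means the Azure side matches this article, and security_center_role shows which role a given user would land in.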