Single Sign-On

CloudHunter supports SSO based on SAML 2.0. SSO reduces the administrative overhead of managing a separate set of credentials for each of your users. When SSO is disabled, users authenticate with local credentials that are managed in CloudHunter. When SSO is enabled, users who have accounts in CloudHunter can log on with their SSO credentials. A CloudHunter user may have both SSO and local authentication enabled so that they can fall back to local credentials if there is a problem with the SSO provider. We recommend that at least one user retains local credentials when SSO is enabled, so that an outage or misconfiguration at the identity provider does not lock everyone out.

Glossary

Identity Provider (IdP) - The application that provides authentication assertions (your SSO provider)
Local Credentials - Credentials managed locally in CloudHunter that allow authentication if there is a problem with the SSO provider
Service Provider (SP) - The application that receives the authentication assertions (CloudHunter)
Single Sign-On (SSO) - A service that enables a user to use one set of credentials to access multiple applications

Prerequisites

  • Existing SAML 2.0 infrastructure
  • Users provisioned in the SSO identity provider's CloudHunter app with the same email address as their CloudHunter user
  • Users provisioned in CloudHunter with their permissions configured appropriately (the email address in the SSO assertion is matched against existing CloudHunter users)

Logging In

CloudHunter supports both the Identity Provider (IdP)-initiated flow and the Service Provider (SP)-initiated flow. For the IdP-initiated flow:

  • Log into your SSO provider’s login page.
  • Select the CloudHunter app.

For SP-initiated flow:

  • Browse to https://yourinstance.hs.siftsec.com.
  • You will be automatically redirected to your SSO provider’s login page.
  • Log in to your SSO provider.
  • You will be automatically redirected back to CloudHunter.
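To make the SP-initiated redirect concrete, here is an added example (not CloudHunter's own code) in Python that builds the redirect a service provider sends the browser to: a SAML 2.0 AuthnRequest carried in the HTTP-Redirect binding (raw DEFLATE, Base64, URL-encoded as SAMLRequest), addressed to the SAML Protocol URL and naming the Callback URL as the assertion consumer service. The SAML Protocol URL and Callback URL are the example values from the Configuration section and the SP identifier sift-saml is the one used in the AD FS and PingOne sections; all three are assumptions about your deployment, and the request is unsigned.

```python
"""Build the redirect that starts an SP-initiated SAML 2.0 login.

Added example, not CloudHunter's own code. It shows what the "automatically
redirected to your SSO provider" step carries: an AuthnRequest in the
HTTP-Redirect binding (raw DEFLATE, Base64, URL-encoded as SAMLRequest)
addressed to the SAML Protocol URL and naming the Callback URL as the
assertion consumer service. Only the standard library is used.
"""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values taken from this page's Configuration and AD FS / PingOne sections.
SAML_PROTOCOL_URL = "https://my.identityprovider.com/login/appid"
CALLBACK_URL = "https://yourinstance.hs.siftsec.com/login/callback"
SP_ENTITY_ID = "sift-saml"

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_authn_request(request_id: str, issue_instant: str, idp_url: str) -> bytes:
    """Serialise the AuthnRequest the SP asks the IdP to answer."""
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,                 # must be an XML ID, hence the leading '_'
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_url,           # the IdP compares this with its own URL
        "ProtocolBinding": POST_BINDING,  # the IdP will POST its response back
        # Must equal the Callback / ACS URL configured at the IdP.
        "AssertionConsumerServiceURL": CALLBACK_URL,
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = SP_ENTITY_ID
    # Ask for an email-address NameID: that is how CloudHunter users are matched.
    ET.SubElement(req, f"{{{NS_SAMLP}}}NameIDPolicy",
                  {"Format": EMAIL_FORMAT, "AllowCreate": "false"})
    return ET.tostring(req, encoding="utf-8")


def deflate_b64(data: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(data) + comp.flush()).decode("ascii")


def inflate_b64(value: str) -> bytes:
    """Inverse of deflate_b64, as the IdP decodes the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15)


def redirect_url(relay_state: str = "/", idp_url: str = SAML_PROTOCOL_URL) -> str:
    """The Location header the SP sends the browser to."""
    request_id = "_" + uuid.uuid4().hex
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urlencode({"SAMLRequest": deflate_b64(build_authn_request(request_id, now, idp_url)),
                       "RelayState": relay_state})
    # IdP URLs may already carry a query string (PingOne's ?idpid=... does).
    return idp_url + ("&" if urlparse(idp_url).query else "?") + query


def decode_redirect(url: str) -> dict:
    """What the IdP sees when it receives the redirect; handy when debugging."""
    params = parse_qs(urlparse(url).query)
    root = ET.fromstring(inflate_b64(params["SAMLRequest"][0]))
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "nameid_format": root.find(f"{{{NS_SAMLP}}}NameIDPolicy").get("Format"),
        "relay_state": params.get("RelayState", [""])[0],
    }


if __name__ == "__main__":
    url = redirect_url("/dashboard")
    print(url)
    print(decode_redirect(url))
```

If your IdP is configured to require signed authentication requests, a Signature element must be added to the AuthnRequest before encoding; the providers on this page do not ask for that in the steps below.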

For local login:

Configuration

CloudHunter administrators can configure SSO in the “SSO” tab under “System Configuration”. SSO configuration requires the following information:

  • IDP Domain - The domain of your SSO provider, such as my.identityprovider.com
  • SAML Protocol URL - The URL provided by your SSO provider for this application, such as https://my.identityprovider.com/login/appid.
  • SAML Logout URL - The URL provided by your SSO provider for this application, such as https://my.identityprovider.com/logout/appid.
  • Certificate - The X.509 certificate your SSO provider uses to sign assertions, in PEM (Base-64) form, such as
-----BEGIN CERTIFICATE-----
YOURCERTIFICATECONTENT
-----END CERTIFICATE-----

In your SSO provider’s interface, you must configure:

  • Callback URL - The URL you will be redirected to after authentication, such as https://yourinstance.hs.siftsec.com/login/callback.

The specific naming of the fields differs among SSO providers. Please refer to your SSO provider’s documentation for specifics. For convenience, detailed instructions for popular SSO providers are listed below.
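Most identity providers publish these values as a SAML 2.0 metadata document (AD FS serves one at /FederationMetadata/2007-06/FederationMetadata.xml). The following added Python example, which is not CloudHunter's or any provider's own code, pulls the four CloudHunter fields out of such a document and wraps the signing certificate in the PEM form shown above. The metadata embedded in it is constructed around the example host my.identityprovider.com from this section, and its certificates are placeholder bytes rather than real certificates.

```python
"""Derive the CloudHunter SSO settings from an IdP's SAML 2.0 metadata document.

Added example, not CloudHunter's or any IdP's own code. Real IdPs publish such
a document (AD FS at /FederationMetadata/2007-06/FederationMetadata.xml); the
one embedded here is constructed, and its certificates are placeholder bytes.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder DER blobs standing in for real certificates (constructed).
SIGNING_DER = b"\x30\x82\x01\x00" + b"signing placeholder, not a real certificate " * 2
ENCRYPTION_DER = b"\x30\x82\x01\x00" + b"encryption placeholder, not a real certificate"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed metadata using the example host from the Configuration section.
# Like AD FS metadata it lists a signing and an encryption key; only the
# signing one belongs in CloudHunter's Certificate field.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS_MD}" xmlns:ds="{NS_DS}"
    entityID="https://my.identityprovider.com/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(ENCRYPTION_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(SIGNING_DER)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT_BINDING}" Location="https://my.identityprovider.com/logout/appid"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST_BINDING}" Location="https://my.identityprovider.com/login/appid"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}" Location="https://my.identityprovider.com/login/appid"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(cert_b64: str) -> str:
    """Wrap the metadata's bare Base64 into the PEM block CloudHunter expects."""
    base64.b64decode(cert_b64, validate=True)  # reject corrupted or truncated data early
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem, used to check what was actually wrapped."""
    lines = [line for line in pem.splitlines() if not line.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def _endpoint(idp, name):
    """Location of the named service, preferring the HTTP-Redirect binding."""
    services = idp.findall(f"{{{NS_MD}}}{name}")
    for binding in (REDIRECT_BINDING, POST_BINDING):
        for svc in services:
            if svc.get("Binding") == binding:
                return svc.get("Location")
    return services[0].get("Location") if services else None


def cloudhunter_settings(metadata_xml: str) -> dict:
    """Return the IDP Domain, SAML Protocol URL, SAML Logout URL and Certificate."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f".//{{{NS_MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = [kd for kd in idp.findall(f"{{{NS_MD}}}KeyDescriptor")
               if kd.get("use", "signing") == "signing"]
    cert_text = signing[0].findtext(f".//{{{NS_DS}}}X509Certificate") if signing else None
    if not cert_text:
        raise ValueError("metadata carries no signing certificate")
    sso_url = _endpoint(idp, "SingleSignOnService")
    if sso_url is None or urlparse(sso_url).scheme != "https":
        raise ValueError(f"SingleSignOnService missing or not https: {sso_url!r}")
    return {
        "idp_domain": urlparse(sso_url).hostname,
        "saml_protocol_url": sso_url,
        "saml_logout_url": _endpoint(idp, "SingleLogoutService"),
        "certificate": to_pem("".join(cert_text.split())),
        # AD FS can list more than one signing key around a certificate rollover;
        # the count tells you whether CloudHunter may need updating soon.
        "signing_certificates": len(signing),
    }


if __name__ == "__main__":
    for key, value in cloudhunter_settings(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Run it against your provider's real metadata to get values you can paste straight into the SSO tab; if it reports more than one signing certificate, expect to repeat the exercise once the IdP switches to the new key.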

ADFS

Configure AD FS by opening “AD FS Management”:

  • Navigate to “AD FS” -> “Trust Relationships” -> “Relying Party Trusts”.
  • Click “Add Relying Party Trust…”
  • Step through the wizard. When prompted, enter the following values. For all other prompts, use the default values.
  • Under “Select Data Source” select “Enter data about the relying party manually”
  • Under “Specify Display Name” enter “CloudHunter”
  • Under “Choose Profile” select “AD FS profile”
  • Under “Configure URL” select “Enable support for the SAML 2.0 WebSSO protocol”. Enter https://yourinstance.hs.siftsec.com/login/callback as the URL
  • Under “Configure Identifiers” add a new identifier sift-saml

When you are finished setting up the Relying Party Trust, the “Edit Claim Rules” dialog should open automatically. Two rules need to be configured under “Issuance Transform Rules”. The first rule determines which attributes are sent as claims:

  • Under “Choose Rule Type” select “Send LDAP Attributes as Claims”.
  • Under “Configure Claim Rule” enter the following:
Claim rule name: LDAP Email
Attribute store: Active Directory
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: E-Mail Address

The second rule transforms incoming claims.

  • Under “Choose Rule Type” select “Transform an Incoming Claim”
  • Under “Configure Claim Rule” enter the following:
Claim rule name: Email Transform
Incoming claim type: E-Mail Address
Outgoing claim type: Name ID
Outgoing name ID format: Email
Pass through all claim values: Selected

At this stage, your AD FS instance should be ready to receive authentication requests from CloudHunter. Complete the setup by identifying the values to enter into CloudHunter:

  • Before continuing, identify the hostname of your AD FS server. Enter this as your IDP Domain in CloudHunter.
  • Navigate to “AD FS” -> “Service” -> “Endpoints”.
  • Identify the endpoint of type SAML 2.0/WS-Federation and note its URL Path. By default this is /adfs/ls/. Form the SAML Protocol URL by combining the hostname of your AD FS server with this path, for example https://adfs.yourdomain.com/adfs/ls/
  • Navigate to “AD FS” -> “Service” -> “Certificates” and select your Token-Signing certificate (the primary one, if more than one is listed).
  • Double click the certificate.
  • Navigate to the “Details” tab and click “Copy to File…”
  • When prompted, select “Base-64 encoded X.509”
  • Use the contents of the exported certificate file as Certificate. AD FS renews its self-signed token-signing certificate automatically (AutoCertificateRollover is on by default), so when a new token-signing certificate becomes primary you must export it and replace the Certificate in CloudHunter, otherwise CloudHunter can no longer validate the assertions AD FS issues.

Auth0

  • Log in to the Auth0 management dashboard.
  • Navigate to “Applications” -> “Create Application”
  • Name the application “CloudHunter”
  • Select “Single Page Web Applications”
  • Click “Create”
  • Navigate to the “Settings” tab and configure the following:
Allowed Callback URLs: https://yourinstance.hs.siftsec.com/login/callback
Allowed Web Origins: https://yourinstance.hs.siftsec.com (an origin only, with no path)
  • Copy “Domain” to use as IDP Domain
  • Under “Advanced Settings” -> “Certificates” copy the “Signing Certificate” to use as Certificate
  • Under “Advanced Settings” -> “Endpoints” copy “SAML Protocol URL” to use as SAML Protocol URL

Centrify

  • Log in to the Centrify dashboard
  • Navigate to “Apps” -> “Add Web Apps” -> “Custom” -> “SAML”
  • Under “Settings”, configure the following:
Name: CloudHunter
  • Under “Trust” -> “Identity Provider Configuration” -> “Manual Configuration”, copy the Single Sign On URL. This is the SAML Protocol URL, and its domain name is the IDP Domain.
  • Centrify does not display the SAML Logout URL directly. It uses the same IDP Domain as the SAML Protocol URL with the path /logout. For example, if the SAML Protocol URL is https://top9.centrify.com/applogin/appKey/610db5ge-3f81-49f2-9d4d-51fcd7f21be3/customerId/DDX0332, then the SAML Logout URL is https://top9.centrify.com/logout
  • Download the signing certificate and paste its contents in CloudHunter as Certificate
  • Under “Trust” -> “Service Provider Configuration” -> “Manual Configuration” fill in the following details.
SP Entity ID / Issuer / Audience: https://yourinstance.hs.siftsec.com/login/callback
Assertion Consumer Service (ACS) URL: https://yourinstance.hs.siftsec.com/login/callback
Sign Response or Assertion?: Assertion
NameID Format: emailAddress

Duo

Duo requires two distinct steps. First, set up the application in Duo Access, then import the application into the Duo Access Gateway.

Set up the application

  • Log in to the Duo Access dashboard
  • Navigate to “Applications” -> “Protect an Application”
  • Search for “SAML - Service Provider”
  • Select “Protect this application”
  • Fill in the following details
Service provider name: CloudHunter
Entity ID: CloudHunter
Assertion Consumer Service: https://yourinstance.hs.siftsec.com/login/callback
NameID format: emailAddress
NameID attribute: email
Send attributes: NameID
  • Customize any other details according to your organizational needs
  • Save changes
  • Download your configuration file

Note

You may have to change the NameID attribute to whichever attribute your organization uses to store email addresses in your user directory.

Configure the Gateway

  • Log into your Duo Access Gateway
  • Navigate to “Applications”
  • Upload the configuration file from the previous step
  • Next to the name of the application, you will see a Login URL. This is the SAML Protocol URL and the domain name is the IDP Domain you need to enter into CloudHunter.
  • Download the certificate and paste its contents into CloudHunter as the Certificate.

PingOne

  • Log in to the PingOne admin dashboard
  • Navigate to “Applications” -> “Add Application” -> “New SAML Application”
  • Fill in the following details on page 1
Application Name: CloudHunter
Application Description: CloudHunter
Category: Information Technology
  • Fill in the following details on page 2
Protocol Version: SAML 2.0
Assertion Consumer Service (ACS): https://yourinstance.hs.siftsec.com/login/callback
Entity ID: sift-saml
Application URL: https://yourinstance.hs.siftsec.com/login/callback
  • Click through to “Review Setup”
  • Download the signing certificate and paste its contents in CloudHunter as Certificate
  • Note the idpid value, which will look like 01234567-89ab-cdef-0123-456789abcdef
  • For SAML Protocol URL, use https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=01234567-89ab-cdef-0123-456789abcdef, substituting your idpid
  • For SAML Logout URL, use https://sso.connect.pingidentity.com/sso/SLO.saml2
  • For IDP Domain, use sso.connect.pingidentity.com
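Whichever provider you use, the assertion that arrives at the Callback URL must carry a NameID in emailAddress format that matches a user already provisioned in CloudHunter, and its Recipient and Audience must match what you configured at the IdP. The following added Python example, which is not CloudHunter's own code, decodes a SAMLResponse captured from the browser's POST to /login/callback and reports the mismatches that typically break that mapping. It assumes the Callback URL from this page, accepts either sift-saml or the Callback URL as the Audience (the providers above use one or the other), and uses a constructed user list and a constructed sample response. It checks only that a Signature element is present; verifying the signature needs an XML-DSig library and must still happen before any login is accepted.

```python
"""Inspect a SAMLResponse posted to the Callback URL (added debugging example,
not CloudHunter's code). It reports what this page's setup depends on: Success
status, an emailAddress NameID matching a provisioned user, Recipient/Destination
and Audience matching the IdP configuration, a validity window containing 'now',
and the presence of a Signature element. Signature verification is not done here."""
import base64
import datetime
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UTC = datetime.timezone.utc

CALLBACK_URL = "https://yourinstance.hs.siftsec.com/login/callback"  # from this page
EXPECTED_AUDIENCES = {"sift-saml", CALLBACK_URL}  # the SP identifiers the providers above use
CLOUDHUNTER_USERS = {"alice@example.com", "bob@example.com"}  # constructed stand-in
NOW = datetime.datetime(2024, 6, 1, 12, 0, tzinfo=UTC)  # fixed clock so the sample is reproducible


def make_sample_response(email="alice@example.com", fmt=EMAIL_FORMAT,
                         not_on_or_after="2024-06-01T12:05:00Z", signed=True) -> str:
    """Constructed SAMLResponse, Base64-encoded as it arrives in the POST body."""
    sig = ("<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
           if signed else "")
    xml = f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" xmlns:ds="{NS_DS}"
    ID="_r1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z" Destination="{CALLBACK_URL}">
  <saml:Issuer>https://my.identityprovider.com/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>https://my.identityprovider.com/</saml:Issuer>{sig}
    <saml:Subject>
      <saml:NameID Format="{fmt}">{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{CALLBACK_URL}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T11:55:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>sift-saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def saml_time(value: str) -> datetime.datetime:
    """Parse SAML's UTC timestamps (optional fractional seconds, trailing Z)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=UTC)


def inspect_response(saml_response_b64: str, users=CLOUDHUNTER_USERS, now=NOW) -> dict:
    """Decode the response and list every reason it could not be mapped to a user."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    code = root.find(f"{{{NS_SAMLP}}}Status/{{{NS_SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        findings.append("status is not Success: the IdP refused or failed the request")
    if root.get("Destination") not in (None, CALLBACK_URL):
        findings.append(f"Destination {root.get('Destination')} is not the Callback URL")
    assertion = root.find(f"{{{NS_SAML}}}Assertion")
    if assertion is None:  # an EncryptedAssertion cannot be read without the SP's private key
        findings.append("no plain Assertion; the providers above are set to sign, not encrypt")
        return {"email": None, "nameid_format": None, "signed": False, "findings": findings}
    nameid = assertion.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    email = (nameid.text or "").strip() if nameid is not None else ""
    fmt = nameid.get("Format") if nameid is not None else None
    if fmt != EMAIL_FORMAT:
        findings.append(f"NameID Format is {fmt}; expected emailAddress (check NameID / claim rule)")
    if email.lower() not in {u.lower() for u in users}:
        findings.append(f"no CloudHunter user with email {email!r}; provision the user first")
    scd = assertion.find(f".//{{{NS_SAML}}}SubjectConfirmationData")
    if scd is not None and scd.get("Recipient") not in (None, CALLBACK_URL):
        findings.append(f"Recipient {scd.get('Recipient')} is not the ACS / Callback URL")
    cond = assertion.find(f"{{{NS_SAML}}}Conditions")
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < saml_time(nb)) or (noa and now >= saml_time(noa)):
            findings.append("assertion outside its validity window; check IdP/SP clock skew")
        audiences = {a.text for a in cond.iter(f"{{{NS_SAML}}}Audience")}
        if audiences and not audiences & EXPECTED_AUDIENCES:
            findings.append(f"Audience {sorted(audiences)} names none of {sorted(EXPECTED_AUDIENCES)}")
    signed = (root.find(f"{{{NS_DS}}}Signature") is not None
              or assertion.find(f"{{{NS_DS}}}Signature") is not None)
    if not signed:
        findings.append("neither the Response nor the Assertion carries a Signature element")
    return {"email": email, "nameid_format": fmt, "signed": signed, "findings": findings}


if __name__ == "__main__":
    for finding in inspect_response(make_sample_response(signed=False))["findings"]:
        print("-", finding)
```

To use it on a real login, copy the SAMLResponse form field from the browser's developer tools (the POST to /login/callback) and pass it to inspect_response with your actual user list and the current UTC time; an empty findings list means the assertion carries what this page's configuration needs, not that it is authentic.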