Integrating with an IdP
You configure your IdP to provide authentication and, optionally, authorization via SSO to Stellar Cyber. The authorization defines the scope and privilege assigned to each user. General steps to configure authorization (the exact steps vary based on your IdP):
- Log in to your IdP.
- Configure the SAML Assertion URL (different IdP vendors use different terms for this URL) to:
  https://your.StellarCyber.address/saml/login/callback
- A Global selection of Authentication and Authorization applies to all users, so the option to change the authentication method for a specific tenant is not applicable when the Global method is set to Authentication and Authorization. You cannot log in to Tenant SSO when Global SSO is set to Authentication and Authorization. If you want to use SSO but also allow local users and tenant override, you must set the Global authentication method either to Local or to use the IdP with Authentication Only.
- When you configure SSO on a per-tenant basis, you MUST modify the Single Sign-on URL (and Audience URL, if applicable) to use a customer ID; otherwise the callback applies to the whole Stellar Cyber DP, not just the tenant. The ID you use can be for a single tenant. Most IdPs support the following syntax:
  - https://your.StellarCyber.address/sso/saml/metdata/cust_id/<tenant id>
    (This syntax is required for Azure AD B2C SSO configuration)
    Example: https://10.33.2.5/sso/saml/metdata/cust_id/59125044
  - https://your.StellarCyber.address/saml/login/callback?cust_id=<tenant id>
    Example: https://10.33.2.5/saml/login/callback?cust_id=59125044
- Edit the user, add the applicable attributes, and assign the appropriate value:

  | Custom Attribute | Values | Global SSO | Tenant-specific SSO |
  |---|---|---|---|
  | stellar_scope | root, partner, tenant | Required for Authorization | Not applicable |
  | stellar_privilege | super_admin, platform_admin, security_admin, user | Required for Authorization | |
  | stellar_tenant | ID number for a configured tenant (Optional). Specify an individual tenant ID, not the name. The ID is available on the Tenants List page. | | |
  | stellar_tenant_group | ID number for any configured tenant group (Optional). Specify a tenant group ID, not the name. This is typically used by MSSP users with the Partner role. The Tenant Group ID is available on the Tenant Groups page. | | |

  - Values in these fields are case sensitive and syntax matters. Use the exact indicated syntax and verify that you have made no typos.
  - If you have created a custom privilege with spaces or dashes, use an underscore instead. Example: A custom privilege of STML-Security Admin must be entered as STML_Security_Admin.
- Save your changes.
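Because the attribute values are case sensitive and a mistyped value silently leaves the user without the intended scope or privilege, it is worth checking what the IdP actually emits before saving the mapping. The Python script below is an added example, not Stellar Cyber code: it parses a SAML 2.0 AttributeStatement, extracts the stellar_* attributes, and reports values that would not match the table above (wrong case in stellar_scope, a custom privilege still containing spaces or dashes, a tenant name where a numeric ID is required). The attribute names and allowed values come from the table; the two sample assertions are constructed for the demo, and the helper names and the rule that tenant and tenant-group IDs are purely numeric are assumptions of this example.

```python
"""Added example (not Stellar Cyber's code): validate stellar_* SAML attributes
against the attribute table before saving the IdP mapping."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Allowed values taken from the attribute table (case sensitive).
ALLOWED_SCOPES = {"root", "partner", "tenant"}
BUILTIN_PRIVILEGES = {"super_admin", "platform_admin", "security_admin", "user"}
# A custom privilege may only use letters, digits and underscores (no spaces or dashes).
CUSTOM_PRIVILEGE_RE = re.compile(r"^[A-Za-z0-9_]+$")


def normalize_custom_privilege(name: str) -> str:
    """Rewrite a custom privilege name the way the docs require:
    runs of spaces and dashes become a single underscore."""
    return re.sub(r"[ -]+", "_", name.strip())


def extract_stellar_attributes(assertion_xml: str) -> dict:
    """Collect stellar_* attributes from a SAML 2.0 AttributeStatement.
    Returns {attribute name: [values...]}; non-stellar attributes are ignored."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if not name.startswith("stellar_"):
            continue
        attrs[name] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs


def validate_attributes(attrs: dict, tenant_specific: bool = False) -> list:
    """Return a list of human-readable problems; an empty list means the
    attributes are consistent with the table. stellar_scope is skipped for
    tenant-specific SSO, where the table marks it 'Not applicable'."""
    problems = []
    if not tenant_specific:
        scope = attrs.get("stellar_scope", [])
        if len(scope) != 1:
            problems.append("stellar_scope: exactly one value is required for authorization")
        elif scope[0] not in ALLOWED_SCOPES:
            hint = " (case matters)" if scope[0].lower() in ALLOWED_SCOPES else ""
            problems.append(f"stellar_scope: {scope[0]!r} is not one of {sorted(ALLOWED_SCOPES)}{hint}")
    priv = attrs.get("stellar_privilege", [])
    if len(priv) != 1:
        problems.append("stellar_privilege: exactly one value is required for authorization")
    elif priv[0] not in BUILTIN_PRIVILEGES and not CUSTOM_PRIVILEGE_RE.match(priv[0]):
        problems.append(
            f"stellar_privilege: {priv[0]!r} contains spaces or dashes; "
            f"enter it as {normalize_custom_privilege(priv[0])!r}"
        )
    # Optional attributes must carry numeric IDs, not display names (assumption: IDs are digits only).
    for opt in ("stellar_tenant", "stellar_tenant_group"):
        for value in attrs.get(opt, []):
            if not value.isdigit():
                problems.append(f"{opt}: {value!r} must be a numeric ID, not a name")
    return problems


# Constructed sample assertions (no real IdP output). The first one carries
# three mistakes the table forbids; the second is a corrected mapping.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="stellar_scope"><saml:AttributeValue>Partner</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="stellar_privilege"><saml:AttributeValue>STML-Security Admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="stellar_tenant"><saml:AttributeValue>Acme Corp</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="stellar_scope"><saml:AttributeValue>partner</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="stellar_privilege"><saml:AttributeValue>STML_Security_Admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="stellar_tenant_group"><saml:AttributeValue>59125044</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


if __name__ == "__main__":
    for label, xml in (("bad", BAD_ASSERTION), ("good", GOOD_ASSERTION)):
        found = validate_attributes(extract_stellar_attributes(xml))
        print(f"{label}: {found or 'no problems'}")
```

Run it against an assertion captured from your IdP's test login (most IdPs expose a "test this application" or SAML tracer view) and fix every reported line before saving; a clean run means the scope, privilege and tenant values match the table exactly as Stellar Cyber expects them.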
For specifics on adding attributes to a user see the SSO topic for your IdP: