Configuring Authentication

Stellar Cyber supports Local or SSO authentication. With local authentication, you log in directly to Stellar Cyber and user credentials are managed locally by Stellar Cyber. For either authentication model, you specify whether two factor authentication (2FA) is Off, Optional, or Mandatory. Use the procedures in this section as a guide for setting up your Stellar Cyber global authentication strategy.

• Configuring Local Authentication

• Configuring SSO Authentication

Be sure to review the login behavior that can vary by tenant, as of v4.3.4

Configuring Local Authentication

If you select Local authentication, you may still opt to configure two factor authentication, which allows you to set whether 2FA is required at all, or optionally specify 2FA being required at the user/tenant level.

You can override the global authentication settings on a per tenant basis. Refer to Managing Tenants

1. In Stellar Cyber, click System | Administration | Settings.

2. Scroll down to the Authentication Settings.

3. Choose Local in the Authentication Method drop-down.

4. Choose a 2FA method.

   • Off: If you choose this option, Stellar Cyber user accounts are not offered a 2FA option.

   • Mandatory: If you choose this option, all users for every tenant are required to use 2FA when logging in to Stellar Cyber.

   • Optional: If you choose this option:

     • The 2FA option can be customized for individual tenants under System | Administration | Tenants

     • Individual users can choose to enable 2FA under their User Profile, accessed from the top menu of the Stellar Cyber UI.

     • You can enforce 2FA for specific users under System | Administration | Users when adding or editing a user

   • The overall Global Settings for 2FA affect tenant-specific authentication. For example, if 2FA is Mandatory, all users must use 2FA.

   • Enabling 2FA here is independent of what you have configured on your SSO service. Enabling it here causes a separate 2FA prompt to be displayed upon logging in to Stellar Cyber.

   • The 2FA page from Stellar Cyber refers to use of Google Authenticator, but other authenticator applications also work.

Configuring SSO Authentication

SSO authentication logs you in to Stellar Cyber automatically, using the IdP provider you configured. The first time you log in, your SSO login appears. After you log in to your SSO service, the SSO automatically logs you in to Stellar Cyber the next time you access the page (assuming you are logged in to the SSO service). To log out of Stellar Cyber, log out of your SSO.

You can override the global authentication settings on a per tenant basis. Refer to Managing Tenants

Configure your IDP

Stellar Cyber supports several IdPs using SAML 2.0. Stellar Cyber supports use of an IdP for Authentication as well as Authentication and Authorization.

• ADFS

• Azure Active Directory

• Azure AD B2C

• Google

• NetIQ

• Okta

• OneLogin

Use either the general procedure for integrating Stellar Cyber with your IdP, or one of the following detailed procedures, before you configure your Stellar Cyber SSO authentication.

• General IdP Integration

• Azure AD SSO Integration

• Okta SSO Integration

• Azure AD B2C SSO Integration

Enable Users

• For Authentication Only SSO: All users must first be added manually in the data processor (DP). Subsequent to that manual entry, the user can log in with SSO. Use the list of User Principal Names that you saved.

• For Authentication & Authorization SSO: All users are configured through the IdP.

• You enable SSO for all users except the root admin user. The root admin user must always use local authentication (https://Stellar Cyber DP address/login).

• For Local access (bypass) when SSO is enabled: If Stellar Cyber loses connectivity with your IdP, users configured for SSO cannot log in. As a preventive bypass method, manually create a new user in the DP with root scope and with a valid email address that has "+admin" appended to a valid user name, as follows:  <user>+admin@yourorganization.com (joe+admin@yourorganization.com). The user you create must be able to receive a password reset email at <user>@yourorganization.com. This process an email alias for that valid user that Stellar Cyber uses to permit bypass of an SSO for local login. After you create this separate manual user account, that user can log in two ways:

  • an SSO user with <user>@yourorganization.com

  • or as a local user at https://Stellar Cyber DP address/login) using <user>+admin@yourorganization.com

  If SSO is configured, it is recommended to keep an active administrative account in Stellar Cyber's user management.

Enabling SSO Globally

A general procedure to configure SSO authentication in Stellar Cyber is provided here:

1. Log in to Stellar Cyber.

2. Click System | Administration | Settings.

3. Scroll down to the Authentication Settings.

4. Choose SSO (SAML) in the Authentication Method drop-down.

5. Choose Metadata URL or Manual Config:

   • If you selected Manual Config:

     1. Enter the Issuer URL. This is your Stellar Cyber IP address or FQDN. You must include http:// or https:// in the Issuer URL field.

     2. Enter the Entry Point. This is the URL you noted during your IDP setup steps. For example:

        In Azure AD, it's the Identifier (Entity ID)

        In OKTA, it's the Identity Provider Single Sign-On URL

     3. Upload the IDP Certificate you obtained during your IDP setup steps.

   • If you selected Metadata URL enter the Metadata URL from your IDP provider.

6. Select Allow Clock Skew to allow for system time differences between Stellar Cyber and your IdP. Authentication messages have an expiration. If the system times on Stellar Cyber and your IdP are not synchronized, the messages might expire before they even get to Stellar Cyber. The result is that users cannot log in, because they cannot authenticate.

7. Choose your IdP setting: Authentication Only or Authentication and Authorization. (Global configurations only, not applicable to Tenant-specific configuration). Note the following:

   • A Global selection of Authentication and Authorization applies to all users, so the option to change authentication method for a specific tenant is not applicable when the Global method is set to Authentication and Authorization. You can not log in to Tenant SSO when Global SSO is set to Authentication and Authorization. If you want to use SSO but also allow local users and tenant override, you must set the Global authentication method either to Local or to use the IdP with Authentication Only.

   • Although you can customize SSO configuration on a per-tenant basis, the Authorization capability is only supported at the global level. Overrides you make at the tenant level are for Authentication only, so the toggle for Authentication and Authorization is not offered in the Tenant editor.

   • The Root Tenant must be configured to use either Default (same method as the Global authentication), or Local. It is not supported for configuration with an independent SSO.

   • Choose Authentication Only for Stellar Cyber to authenticate users from your IdP, but manage scope and privilege locally. If you choose this, you must create the user in Stellar Cyber before adding them to your IdP.

   • Choose Authentication and Authorization for Stellar Cyber to authenticate users from your IdP, along with their scope and level of privilege. You must configure authorization on your IdP before enabling this, otherwise users cannot log in. If you choose this, you do not need to create the user in Stellar Cyber. Stellar Cyber creates the user and assigns scope and privilege based on the information passed from the IdP.

     When Global Settings is configured for BOTH Authentication & Authorization, the option to Create new users manually is hidden because new users MUST come from the IdP source.

8. Choose a Two-Factor Authentication to the option that matches your IdP configuration:

   • Off: If you choose this option, Stellar Cyber user accounts are not offered a 2FA option.

   • Mandatory: If you choose this option, all users for every tenant are required to use 2FA when logging in to Stellar Cyber.

   • Optional: If you choose this option:

     • The 2FA option can be customized for individual tenants under System | Administration | Tenants

     • Individual users can choose to enable 2FA under their User Profile, accessed from the top menu of the Stellar Cyber UI.

     • You can enforce 2FA for specific users under System | Administration | Users when adding or editing a user

     • The overall Global Settings for 2FA affect tenant-specific authentication. For example, if 2FA is Mandatory, all users must use 2FA.

     • Enabling 2FA here is independent of what you have configured on your SSO service. Enabling it here causes a separate 2FA prompt to be displayed upon logging in to Stellar Cyber.

     • The 2FA page from Stellar Cyber refers to use of Google Authenticator, but other authenticator applications also work.

9. Review your settings, then click Submit.

Stellar Cyber logs all users out (including you) and restarts. When it restarts, it begins using SSO.

If Stellar Cyber loses connectivity with your IdP, users cannot log in. However, the root admin user must always authenticate locally, so can log in from https://your.Stellar Cyber.address/login.