Integrating with an IdP

You can configure your IdP to provide authentication and, optionally, authorization via SSO to Stellar Cyber. The authorization defines the scope and privilege assigned to each user. General steps to configure authorization (the exact steps vary based on your IdP):

  1. Log in to your IdP.

  2. Configure the SAML Assertion URL (different IdP vendors use different terms for this URL):
    https://your.Stellar Cyber.address/saml/login/callback

    • A Global selection of Authentication and Authorization applies to all users (root, partner, and tenant), so the option to change authentication method for a specific tenant is not applicable when the Global method is set to Authentication and Authorization. You cannot log in to Tenant SSO when Global SSO is set to Authentication and Authorization. If you want to use SSO but also allow local users and tenant override, you must set the Global authentication method either to Local or to use the IdP with Authentication Only.

    • When you configure SSO on a per-tenant basis, you MUST modify the Single Sign-on URL (and Audience URL, if applicable) to include a customer ID; otherwise the callback applies to the entire Stellar Cyber Platform, not just the tenant. The ID you use identifies a single tenant. Most IdPs support the following syntax:

      • https://your.Stellar Cyber.address/sso/saml/metdata/cust_id/<tenant id>   (This syntax is required for Azure AD B2C SSO configuration)
         Example: https://10.33.2.5/sso/saml/metdata/cust_id/59125044

      • https://your.Stellar Cyber.address/saml/login/callback?cust_id=<tenant id>
         Example: https://10.33.2.5/saml/login/callback?cust_id=59125044

  3. Edit the user and add the applicable attributes and assign the appropriate value:

    | Custom Attribute     | Values                                              | Global SSO                 | Tenant-specific SSO        |
    |----------------------|-----------------------------------------------------|----------------------------|----------------------------|
    | stellar_scope        | root, partner, tenant                               | Required for Authorization | Not applicable             |
    | stellar_privilege    | super_admin, platform_admin, security_admin, user   | Required for Authorization | Required for Authorization |
    | stellar_tenant       | ID number for configured tenant                     | (Optional) Specify an individual tenant ID, not name. The ID is available on the Tenants List page. | (Optional) Specify an individual tenant ID, not name. The ID is available on the Tenants List page. |
    | stellar_tenant_group | ID number for any configured tenant group           | (Optional) Specify a tenant group ID, not name. This is typically applicable for use by MSSP users with the Partner role. The Tenant Group ID is available on the Tenant Groups page. | (Optional) Specify a tenant group ID, not name. This is typically applicable for use by MSSP users with the Partner role. The Tenant Group ID is available on the Tenant Groups page. |

    • Values in these fields are case sensitive and syntax matters. Use the exact indicated syntax and verify that you have made no typos.

    • If you have created a custom privilege with spaces or dashes, use an underscore instead. Example: A custom privilege of STML-Security Admin must be entered as STML_Security_Admin.

  4. Save your changes.
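The following is an added example, not code from Stellar Cyber or this documentation. It shows a pre-flight check an administrator can run on a SAML assertion captured from the IdP (for instance with a browser SAML tracer) before enabling authorization: it extracts the stellar_* attributes from the AttributeStatement, applies the rules from the table and notes above (exact case-sensitive values, underscores instead of spaces or dashes in custom privileges, numeric IDs rather than names), and builds the tenant-specific callback URL. The base address, the sample assertion and the tenant ID 59125044 are constructed for the example; the URL paths are copied as printed on this page.

```python
"""Pre-flight check for Stellar Cyber SAML attributes (added example, not vendor code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Allowed values from the attribute table; comparisons are case sensitive by design.
SCOPES = {"root", "partner", "tenant"}
BUILTIN_PRIVILEGES = {"super_admin", "platform_admin", "security_admin", "user"}

# Constructed sample assertion (only the AttributeStatement matters here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="stellar_scope"><saml:AttributeValue>root</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="stellar_privilege"><saml:AttributeValue>security_admin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="stellar_tenant"><saml:AttributeValue>59125044</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def normalize_privilege(name):
    """Rewrite a custom privilege name the way the IdP must carry it (spaces/dashes -> underscores)."""
    return name.replace(" ", "_").replace("-", "_")


def tenant_callback_url(base, tenant_id, style="callback"):
    """Build the tenant-scoped SSO URL; paths are those printed on the page."""
    base = base.rstrip("/")
    if style == "metadata":  # form required for Azure AD B2C
        return f"{base}/sso/saml/metdata/cust_id/{tenant_id}"
    return f"{base}/saml/login/callback?{urlencode({'cust_id': tenant_id})}"


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} for every SAML Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def validate_attributes(attrs, tenant_specific=False):
    """Check the stellar_* attributes against the page's rules; return a list of problems."""
    problems = []

    # stellar_privilege is required for authorization in both Global and Tenant-specific SSO.
    privs = attrs.get("stellar_privilege", [])
    if len(privs) != 1:
        problems.append("stellar_privilege: exactly one value is required for authorization")
    else:
        value = privs[0]
        if value not in BUILTIN_PRIVILEGES:
            if value.lower() in BUILTIN_PRIVILEGES:
                problems.append(f"stellar_privilege: '{value}' is case sensitive; use '{value.lower()}'")
            elif " " in value or "-" in value:
                problems.append(f"stellar_privilege: custom privilege '{value}' must be entered as "
                                f"'{normalize_privilege(value)}'")
            # Any other value is assumed to be a correctly named custom privilege.

    # stellar_scope is required for Global SSO and not applicable to Tenant-specific SSO.
    if not tenant_specific:
        scopes = attrs.get("stellar_scope", [])
        if len(scopes) != 1:
            problems.append("stellar_scope: exactly one value is required for Global SSO authorization")
        elif scopes[0] not in SCOPES:
            hint = f"; use '{scopes[0].lower()}'" if scopes[0].lower() in SCOPES else ""
            problems.append(f"stellar_scope: '{scopes[0]}' is not one of {sorted(SCOPES)}{hint}")

    # Tenant and tenant-group attributes are optional but must be numeric IDs, not names.
    for name in ("stellar_tenant", "stellar_tenant_group"):
        for value in attrs.get(name, []):
            if not value.isdigit():
                problems.append(f"{name}: '{value}' must be the numeric ID, not the name")
    return problems


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    print(found)
    print("problems:", validate_attributes(found) or "none")
    print(tenant_callback_url("https://10.33.2.5", "59125044"))
```

Run it against an assertion exported from your own IdP test user; an empty problem list means the attribute names and values match the table, and the printed URL is the value to paste into the IdP's Single Sign-on URL field for that tenant.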

For specifics on adding attributes to a user see the SSO topic for your IdP: