Learn how to integrate SAML 2.0 compliant Identity Providers (IdP) like Okta and PingIdentity with Cipherscale. Follow our step-by-step guide to configure SP metadata, attribute mapping, and Zero Trust group matching for secure, unified access.
Cipherscale provides unified, secure access to private applications, the internet, and SaaS environments using a Zero Trust Network Access (ZTNA) model. A core component of this model is verifying user identity. While Cipherscale offers native OIDC support for Google and Microsoft, it also supports Federated Single Sign-On (SSO) via any SAML 2.0 compliant Identity Provider (IdP).
Key Terms:
- Identity Provider (IdP): The external system (e.g., Okta, PingIdentity) that stores your user identities and authenticates them.
- Service Provider (SP): In this context, Cipherscale is the SP that relies on the IdP to authenticate users before granting network access.
- SAML (Security Assertion Markup Language): The standard protocol used to exchange authentication and authorization data between the IdP and Cipherscale.
Important Note on Authentication: Cipherscale supports Multi-Auth, meaning multiple authentication methods (like Google OIDC and SAML) can be active simultaneously, allowing users to choose their preferred available method to sign in.
To begin the integration, you must first extract Cipherscale's metadata to configure your IdP.
- Sign in to your Cipherscale space administration portal.
- Navigate to Settings in the left navigation panel, and select the Authentication tab.
- Click on Configure SAML.
- Locate the Configure your IdP using the following Cipherscale Metadata section. Here you will find the required information to set up Cipherscale as a Service Provider (SP) in your IdP:
  - Protocol
  - SP Authentication URL
  - Valid Redirect URI
  - Entity ID
  - Issuer Name
- Alternative: If your IdP accepts a metadata file for automated configuration, click Download Metadata to save the XML file to your local machine.
Switch to your IdP's administration console to register Cipherscale as an application.
- Create a new SAML 2.0 application in your IdP.
- Input the Cipherscale SP details gathered in Phase 1 (URLs, URIs, and Issuer Name) or upload the downloaded Metadata XML file.
- Configure the IdP to send specific user attributes upon successful login. Ensure the IdP is configured to pass values that will map to Cipherscale's required user properties: Group, Email, Firstname, and Lastname.
- Once the Cipherscale app is created in the IdP, obtain the IdP's metadata (either as a URL, an XML file, or manually grab the Authentication Endpoint and X.509 Public Certificate) to bring back to Cipherscale.
Return to the Cipherscale Administration portal (Settings > Authentication > Configure SAML) to input the IdP's details and customize the connection.
1. Identity Provider Metadata:
- Enter a name for your IdP in the IdP Name field.
- Provide the IdP metadata using one of three methods: pasting a Metadata URL, pasting Metadata XML, or selecting Manual Configuration to manually input the IdP Authentication Endpoint and paste the IdP X.509 Public Certificate.
- (Optional) In the SAML Sign In Button Text, customize the label of the authentication button displayed to users on the Cipherscale sign-in page.
2. Connection Settings:
- Select the Data Binding Method: Choose either POST or REDIRECT.
- Adjust the Maximum Authentication Lifetime if your security policies require it.
- (Optional) Enter a Logout URL.
- In the Reconnecting to Cipherscale section, configure whether an existing session with the IdP should be reused or if a completely new session should be forced.
3. Restricting Allowed Authentication Methods (AuthnContexts): You can strictly control how users authenticate at the IdP (e.g., forcing them to use a certificate instead of a password).
- In the AuthnContexts to include in the AuthNRequest section, select one or more allowed authentication types from the drop-down: PasswordProtectedTransport, X509, Passwordless, Kerberos, or TLSClient.
- You can also click + Add custom value if your IdP uses a proprietary context value.
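As an added example that is not Cipherscale's code, the following Python sketches the SP side of steps 2 and 3: an AuthnRequest that carries ForceAuthn (the "force a completely new session" choice) and a RequestedAuthnContext limited to the selected types, plus a check that the assertion the IdP returns actually used one of those contexts within the Maximum Authentication Lifetime. The mapping of the drop-down labels to SAML 2.0 class URIs, the sample assertion and all names are assumptions; "Passwordless" is left out because SAML 2.0 defines no standard class URI for it.

```python
# Added example (not Cipherscale's code): SP-side handling of the Connection
# Settings and AuthnContexts options described in steps 2 and 3 above.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed mapping of the drop-down labels to SAML 2.0 authentication context
# class URIs. "Passwordless" has no standard URI and is not included here.
AUTHN_CONTEXTS = {"PasswordProtectedTransport": AC + "PasswordProtectedTransport",
                  "X509": AC + "X509", "Kerberos": AC + "Kerberos",
                  "TLSClient": AC + "TLSClient"}
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_authn_request(req_id, sp_entity_id, acs_url, labels, force_authn):
    """AuthnRequest limited to the selected AuthnContexts. force_authn=True is the
    "force a completely new session" choice; False lets the IdP reuse a session."""
    root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime(TS),
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_authn else "false"})
    ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(root, f"{{{NS['samlp']}}}RequestedAuthnContext", {"Comparison": "exact"})
    for label in labels:
        ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = AUTHN_CONTEXTS[label]
    return ET.tostring(root, encoding="unicode")

def check_authn_statement(assertion_xml, labels, max_lifetime_s, now_iso):
    """Accept only if the IdP reports one of the allowed contexts and the
    authentication is no older than the Maximum Authentication Lifetime."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement"
    ref = stmt.findtext(".//saml:AuthnContextClassRef", namespaces=NS)
    if ref not in {AUTHN_CONTEXTS[label] for label in labels}:
        return False, "authentication context not allowed: %s" % ref
    age = datetime.strptime(now_iso, TS) - datetime.strptime(stmt.get("AuthnInstant"), TS)
    if age.total_seconds() > max_lifetime_s:
        return False, "authentication older than maximum lifetime"
    return True, "ok"

# Constructed, unsigned assertion fragment for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z"><saml:AuthnContext>
  <saml:AuthnContextClassRef>%sPasswordProtectedTransport</saml:AuthnContextClassRef>
 </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>""" % AC
```

Requesting a context at the IdP is only half of the control: the returned AuthnContextClassRef and AuthnInstant still have to be checked against the same policy, which is what the second function does.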
Proper mapping ensures that Cipherscale correctly identifies the user and applies the correct Zero Trust access policies based on their group membership.
1. User Attribute Mapping: In this section, you must type the exact attribute names defined in your IdP that correspond to Cipherscale's internal values for a User's Group, Firstname, and Lastname.
2. Understanding Group Matching: Cipherscale Groups are crucial for defining Access Policies. Cipherscale's SAML integration is highly flexible regarding group relationships:
- Many-to-One: Multiple IdP groups can be mapped to a single Cipherscale group.
- One-to-Many: Through attribute mapping rules, the same IdP group can match multiple different Cipherscale groups simultaneously.
3. Configuring Group Mapping Rules
- In the User group mapping rules section, define rules to map the exact string value sent in the SAML IdP group attribute to the corresponding Cipherscale group.
- Unmapped Groups: In the Unmapped SAML IdP user groups section, select a default Cipherscale group. Any user who logs in with an IdP group that does not match any of your mapping rules will be automatically assigned to this default group.
- Automated Syncing: If you want Cipherscale to automatically update a user's group memberships based on these mapping rules every time they sign in, instead of only once during initial sign in, toggle the User group sync from IdP switch to Enabled.
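Added example (not Cipherscale's code) showing how the attribute mapping in step 1 and the group mapping rules in steps 2 and 3 can be applied to the AttributeStatement of an assertion, including a many-to-one rule, a one-to-many rule and the fallback to the default group for an IdP group that matches no rule. The IdP attribute names (mail, givenName, sn, memberOf), the group names and the sample assertion are constructed.

```python
# Added example (not Cipherscale's code): applying the attribute mapping and
# group mapping rules described above to the attributes in a SAML assertion.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# IdP attribute names (constructed; type your IdP's exact names here),
# keyed by the Cipherscale user property each one feeds.
ATTRIBUTE_MAP = {"Email": "mail", "Firstname": "givenName",
                 "Lastname": "sn", "Group": "memberOf"}
# (exact IdP group value, Cipherscale group). The eng-* rules show many-to-one,
# the two it-admins rules show one-to-many.
GROUP_RULES = [("eng-backend", "Engineering"), ("eng-frontend", "Engineering"),
               ("it-admins", "Engineering"), ("it-admins", "Administrators")]
DEFAULT_GROUP = "Contractors"  # the "Unmapped SAML IdP user groups" choice

# Constructed AttributeStatement as an IdP might send it (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf"><saml:AttributeValue>eng-backend</saml:AttributeValue>
   <saml:AttributeValue>it-admins</saml:AttributeValue><saml:AttributeValue>vendor-x</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return {IdP attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:Attribute", NS)}

def resolve_groups(idp_groups, rules=GROUP_RULES, default=DEFAULT_GROUP):
    """Exact-string match of each IdP group value against the rules; a value that
    matches no rule falls back to the default group, as described above."""
    groups = set()
    for value in idp_groups:
        groups |= {cs for idp, cs in rules if idp == value} or {default}
    return groups

def map_user(assertion_xml, attribute_map=ATTRIBUTE_MAP):
    """Build the Cipherscale user record from the mapped IdP attributes."""
    attrs = read_attributes(assertion_xml)
    user = {prop: (attrs.get(attribute_map[prop]) or [None])[0]
            for prop in ("Email", "Firstname", "Lastname")}  # missing -> None
    user["Groups"] = resolve_groups(attrs.get(attribute_map["Group"], []))
    return user
```

With User group sync from IdP enabled, map_user would run on every sign-in rather than only the first, so a change to memberOf at the IdP shows up in the user's Cipherscale groups on the next login.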
Finalizing and Enabling
- Click Save SAML Configuration. Cipherscale will attempt to validate the metadata provided. If successful, you will be returned to the Authentication tab.
- Finally, locate Single Sign On (SAML) in the list of authentication methods and toggle the switch to ON to activate the integration.