Secret Chest supports integrations with common single sign-on (SSO) providers. SSO is a method of authentication that allows a user to log in to multiple applications using a single set of credentials. This can be done by using a central identity provider (IdP) to authenticate users and then issuing them with tokens that can be used to access the applications.
There are several benefits to using SSO, including:
Improved user experience: SSO makes it easier for users to log in to applications, as they do not need to remember multiple sets of credentials.
Increased security: with one set of credentials there are fewer passwords to reuse or phish, multi-factor authentication and session policies are enforced once at the IdP rather than per application, and disabling a user at the IdP cuts off every connected application at the same time.
Reduced IT costs: SSO can help to reduce IT costs by reducing the need to manage multiple user accounts.
SSO works by using a central identity provider (IdP) to authenticate users. When a user logs in to an application that supports SSO, the application redirects the user to the IdP. The IdP then authenticates the user and issues them with a token. The user then returns to the application and presents the token to the application. The application then uses the token to authenticate the user and grant them access to the application.
There are two main types of SSO:
Web SSO: authenticates users to web applications through the browser, typically with SAML or OpenID Connect (the protocols used by the integrations below).
Directory SSO: authenticates users to applications that are not web applications, typically against a directory such as Active Directory using Kerberos or LDAP.
There are a number of popular SSO providers, which include:
Okta
OneLogin
Duo
Ping Identity
JumpCloud
Microsoft Azure Active Directory
Our login system was written from the ground up to support SSO providers, so SSO comes at no extra charge. Most providers connect via SAML to federate identities. We use Auth0 to bridge from our login system to the various IdPs, so most IdPs should be supported. If we don't have a given field or required setting exposed in our UI, let us know and we'll get it added as soon as possible. Here are examples of how to federate with the providers we've helped other tenants with so far.
Configure The Okta SAML Integration
1. Sign in to the Okta Developer Console.
2. Use the App Integration Wizard to add an application for use with Secret Chest.
3. Enter App name
4. Enter your SSO URL and Audience URI in SAML Settings:
Single Sign On URL: https://YOUR_DOMAIN/login/callback (YOUR_DOMAIN is the Secret Chest login domain; the Azure AD and OneLogin sections below use https://saml.secretchest.io/login/callback)
Audience URI (SP Entity ID): urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME
5. Click Next, then Finish.
6. Now go to Sign on --> SAML Signing Certificates --> SAML Setup.
7. Click view SAML Setup instructions.
8. Copy Identity Provider Single Sign-On URL and download X.509 Certificate.
Configure the Connection In Secret Chest
1. Visit Dashboard > Authentication > Enterprise > SAMLP and click the plus icon to go to the page that allows you to create a new Connection.
2. Provide the appropriate configuration settings for this connection. The only mandatory fields are:
Connection Name: a name for the connection.
Sign In URL: the Identity Provider Single Sign-On URL you noted from the Okta setup wizard.
X509 Signing Certificate: upload the certificate you downloaded from Okta.
3. Click SAVE. In the next window, you'll be provided two options:
A. If you are a domain administrator, you can click Continue for additional instructions on SAML Identity Provider Configuration.
B. If you are not, you can give your domain administrator the provided URL so that they can finish the configuration.
4. If successful you should see the “It Works!” message; you can then set up SCIM provisioning.
Configure The Azure AD Integration
Unlike the Okta and OneLogin setups, this connection is not a SAML federation: it uses an Azure AD app registration (client ID, client secret and redirect URI), i.e. an OpenID Connect integration. The tasks below create that app registration, grant it the Microsoft Graph permissions it needs, and link it to Secret Chest.
Task 1: Configure App In Azure AD
1. Navigate to Azure Active Directory in the Azure portal.
2. Click the button in the side menu “App Registrations”
3. In Azure AD App Registrations, create a new App Registration.
4. You should now see the App Registration screen.
5. Enter the name for your application (you can change this later if you get it wrong).
6. Select “Accounts in this organizational directory only” (multi-tenant is beyond the scope of this article).
7. Under Redirect URI, select “Web” (not “SPA”) and enter the callback URL https://saml.secretchest.io/login/callback.
8. Click “Register”.
9. You should now see the newly created app Overview screen.
10. IMPORTANT: copy the Application (client) ID from the overview screen of your newly created app registration; you will need it in Task 4.
Task 2: Create The Client Secret In Azure AD
1. Select the “Certificates & Secrets” area from the App registration side menu.
2. Click the “New client secret” button in the “Client secrets” section.
3. You should now see the Client Secret creation dialog:
4. Enter the name “Secret Chest”.
5. Select an expiry. A short expiry means a future manual intervention to create and configure a replacement secret before the old one lapses; a non-expiring secret avoids that but, if it leaks, stays valid until someone revokes it (and the Azure portal now caps new client secrets at 24 months, so “Never” is no longer offered). Pick the longest lifetime your policy allows and calendar the rotation so it is scheduled rather than discovered as an outage.
6. Click the “Add” button.
7. You should now see the new client secret listed in the “Client secrets” section.
Note: copy the Value column, not the Secret ID; the value is shown only once, immediately after creation.
8. Copy the generated client secret from the “Value” column and keep it somewhere safe (a password manager or vault, not a ticket or chat message); you will need it in Task 4.
Task 3: Configure API Permissions
We need to grant the app access to the Microsoft Graph API so Secret Chest can read basic user profile and directory information (some of which is provisioned into Secret Chest via SCIM when the user logs in for the first time). This is done with two delegated permissions: User.Read and Directory.Read.All.
The key steps are:
1. Start on your App registration overview screen.
2. Click the “View API Permissions” button.
3. You should now see the API permissions screen.
4. You should see that “Delegated” permission for User.Read is already configured by default. If not, follow the steps below replacing Directory.Read.All with User.Read.
5. Click “Add A Permission”.
6. You should see the “Request API Permissions” dialog.
7. Select “Microsoft Graph”.
8. You should see the following:
9. Select “Delegated Permissions”.
10. This should reveal the “Select permissions” search field.
11. In the search text field under the “Select Permissions” heading enter the text ‘Directory.Read.All’. This should result in the following results:
12. Tick the checkbox next to the “Directory.Read.All” permission. This should result in the following:
13. Click the “Add Permissions” button.
14. Click “Grant admin consent for YOUR_AZURE_AD_DOMAIN”. Directory.Read.All is an admin-restricted permission, so without admin consent non-admin users are blocked at sign-in with a request for admin approval; granting it also spares users the consent prompt for User.Read on first login.
Task 4: Create And Configure Secret Chest For Azure
1. Create the connection under Connections > Enterprise > Microsoft Azure AD, entering your Azure AD domain, the Application (client) ID you copied in Task 1 and the client secret value from Task 2. If you have just created the Enterprise Connection you should be looking at it already; if not, navigate to Connections > Enterprise > Microsoft Azure AD > Your_Enterprise_Connection.
2. Click the ‘Applications’ tab below the main heading
3. Find your App in the list of Apps and enable the toggle next to it.
Task 5: Testing
The key steps are:
1. Open Connections > Enterprise > Microsoft Azure AD:
2. Click the try button.
3. You should be redirected to the Azure AD login screen
4. Login.
5. Accept the permissions request (it may not be shown, depending on whether admin consent was granted in Task 3).
6. If successful you should see the “It Works!” message.
Configure OneLogin
1. Log in to the OneLogin Dashboard, and click Apps > Add Apps.
2. Search for SAML, and select SAML Test Connector (IdP w/attr).
3. When prompted, change the Display Name of your app.
4. Click SAVE.
5. Go to the SSO tab, and copy the values for SAML 2.0 Endpoint (HTTP) and SLO Endpoint (HTTP).
6. Click on the View Details link at the X.509 Certificate field.
7. Download the X.509 certificate onelogin.pem.
Configure Secret Chest connection
1. Go to Dashboard > Authentication > Enterprise > SAML and click the plus icon to go to the page that allows you to create a new Connection.
2. You will be prompted to provide the appropriate configuration settings for this Connection. The only mandatory fields are:
Sign In URL: the SAML 2.0 Endpoint (HTTP) value you noted when setting up your OneLogin app.
Sign Out URL: the SLO Endpoint (HTTP) value you noted when setting up your OneLogin app.
X509 Signing Certificate: the certificate you downloaded from OneLogin, uploaded directly to Secret Chest.
3. Click SAVE to proceed.
4. In the next window, you'll be provided two options.
A. If you are a domain administrator, you can click Continue for additional instructions on SAML Identity Provider Configuration.
B. If you are not, you can give your domain administrator the provided URL so that they can finish the configuration.
To finish the configuration of the SAML application, the admin will need the following information regarding Secret Chest:
SAML Consumer URL: https://saml.secretchest.io/login/callback
SAML Audience: urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME
Also copy the values of the post-back URL and the Entity ID before heading back to the Configuration tab of your OneLogin app. The ACS (Consumer) URL Validator controls which URLs OneLogin will deliver a signed assertion to, so it should match the Secret Chest callback URL exactly; an unanchored catch-all pattern that accepts any dotted hostname would let an assertion be sent to an attacker-controlled URL if the ACS URL in a request could be influenced. Use an anchored expression such as:
^https://saml\.secretchest\.io/login/callback$
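The checks a service provider runs on the token it receives (the "presents the token to the application" step in the overview, and the reason the Audience URI and ACS URL validator above have to be exact) are shown below as an added example; it is not Secret Chest, Auth0 or OneLogin code. It parses a SAML Response, verifies Destination and Recipient against an anchored ACS URL pattern, checks Issuer, InResponseTo, the validity window and the Audience, and contrasts the anchored validator with a permissive catch-all pattern often suggested for the ACS URL Validator field. The ACS URL and SP entity ID are the page's; the IdP issuer, the clock-skew tolerance and the sample responses are constructed assumptions, and signature verification is deliberately left out.

```python
"""SP-side checks on an incoming SAML Response (added example, not Secret Chest,
Auth0 or OneLogin code). XML-DSig signature verification is left out (it needs a
library such as python-xmlsec); these are the checks that sit next to it. ACS_URL
and SP_ENTITY_ID come from the page; IDP_ISSUER and the sample responses are
constructed for this example."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://saml.secretchest.io/login/callback"
SP_ENTITY_ID = "urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME"
IDP_ISSUER = "https://idp.example.net/saml"  # assumed IdP entity ID
CLOCK_SKEW = timedelta(minutes=2)            # assumed tolerance for IdP/SP clock drift

# A catch-all pattern often suggested for an ACS URL validator field: it accepts
# any URL with a dotted hostname. The anchored form accepts the real ACS URL only.
PERMISSIVE_ACS_RE = re.compile(
    r"[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)")
STRICT_ACS_RE = re.compile(r"^https://saml\.secretchest\.io/login/callback$")

def acs_allowed(url, pattern=STRICT_ACS_RE):
    """True if the validator pattern accepts url (search, as a validator does)."""
    return pattern.search(url) is not None

def _ts(value):
    """Parse a SAML timestamp; IdPs emit a 'Z' suffix that older fromisoformat rejects."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, now, expected_request_id):
    """Return a list of problems; an empty list means the response passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if not acs_allowed(root.get("Destination", "")):
        problems.append("Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the outstanding AuthnRequest")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        problems.append("unexpected Issuer")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one Assertion"]
    assertion = assertions[0]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["Assertion has no Conditions"]
    if (now + CLOCK_SKEW < _ts(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter"))):
        problems.append("Assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not include our SP entity ID")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or not acs_allowed(scd.get("Recipient", "")):
        problems.append("SubjectConfirmationData Recipient is not our ACS URL")
    return problems

def build_response(destination, audience, not_before, not_on_or_after,
                   in_response_to="_req-1", issuer=IDP_ISSUER):
    """Constructed, unsigned sample response (a real one carries a ds:Signature)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{destination}" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.net</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}"
            NotOnOrAfter="{not_on_or_after}" InResponseTo="{in_response_to}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def demo(now=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)):
    """Run the checks over a good response and three bad ones."""
    nb = (now - timedelta(minutes=1)).isoformat()
    na = (now + timedelta(minutes=5)).isoformat()
    attacker_acs = "https://attacker.example.net/login/callback"  # constructed
    return {
        "good": check_response(build_response(ACS_URL, SP_ENTITY_ID, nb, na), now, "_req-1"),
        "wrong_acs": check_response(build_response(attacker_acs, SP_ENTITY_ID, nb, na), now, "_req-1"),
        "wrong_audience": check_response(
            build_response(ACS_URL, "urn:auth0:OTHER_TENANT:other", nb, na), now, "_req-1"),
        "expired": check_response(
            build_response(ACS_URL, SP_ENTITY_ID, nb, (now - timedelta(minutes=10)).isoformat()),
            now, "_req-1"),
        # The catch-all validator lets the attacker's ACS through; the anchored one does not.
        "permissive_accepts_attacker": acs_allowed(attacker_acs, PERMISSIVE_ACS_RE),
        "strict_accepts_attacker": acs_allowed(attacker_acs),
    }
```

Calling demo() returns an empty problem list for the well-formed response and names the failing check for each bad one; it also shows the catch-all pattern accepting https://attacker.example.net/login/callback while the anchored pattern rejects it. In production the same checks run after, never instead of, verifying the ds:Signature against the IdP certificate uploaded in the connection settings.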
Test connection
1. Be sure that you have a OneLogin user that you can use for testing. If not, go to the Users tab on the OneLogin dashboard and add one.
2. Be sure that your new SAML connection has been associated with an application (otherwise you will get an “invalid_request: the connection was disabled” error). Next to your SAML connection, click the Try button. If all goes well, you will be redirected to a page informing you that the connection works.