
Cloud-delivered Advanced Analytics | Exabeam Advanced Analytics Administration Guide

Third-Party Identity Provider Configuration

Exabeam supports integration with SAML 2.0 compliant third-party identity providers (IdPs) for single sign-on (SSO), multi-factor authentication, and access control. Once an IdP is added to your product, you can make IdP authentication mandatory for users to log in to the product, or you can allow users to log in through either the IdP or local authentication.

Note

You can add multiple IdPs to your Exabeam product, but only one IdP can be enabled at a time.

Add Exabeam to Your SAML Identity Provider

This section provides instructions for adding Exabeam to your SAML 2.0 compliant identity provider (IdP). For detailed instructions, refer to your IdP's user guide.

The exact procedures for configuring IdPs to integrate with Exabeam vary between vendors, but the general tasks that need to be completed include the following (not necessarily in the same order):

  1. Begin the procedure to add a new application in your IdP for Exabeam (if needed, refer to your IdP's user guide for instructions).

  2. In the appropriate configuration fields, enter the Exabeam Entity ID and the Assertion Consumer Service (ACS) URL as shown in the following:

    Entity ID:

    https://<exabeam_primary_host>:443/api/auth/saml2/<identity_provider>/login

    ACS URL:

    https://<exabeam_primary_host>:443/api/auth/saml2/<identity_provider>/handle-assertion

    Important

    Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host. The only acceptable values for <identity_provider> are the following:

    • adfs

    • google

    • ping

    • okta

    • others

    If you are using Microsoft AD FS, Google IdP, Ping Identity, or Okta, enter the corresponding value from the preceding list. For all other IdPs, enter others. All of the values are case sensitive.

  3. In the attribute mapping section, enter descriptive values for the following IdP user attributes:

    • Email address

    • First name

    • Last name

    • Group

    • Username (this attribute is optional)

      Note

      The actual names of these user attributes may vary between the different IdPs, but each IdP should have the corresponding attributes.

    For example, if Primary email is the user email attribute in your IdP, you could enter EmailAddress as the descriptive value. The following is an example of a completed attribute map in Google IdP:

    [Screenshot: a completed attribute map in Google IdP]

    Important

    When you Configure Exabeam for SAML Authentication, you need to use the same descriptive values to map the Exabeam query attributes with the corresponding IdP user attributes.

  4. Complete any additional steps in your IdP that are necessary to finish the configuration. Refer to your IdP user guide for details.

  5. Copy the IdP's connection details and download the IdP certificate or, if available, download the SAML metadata file.

    Note

    You need either the connection details and the IdP certificate or the SAML metadata file to complete the integration in Exabeam.

Google IdP

  1. From the main menu on the left, select Apps and then click Web and mobile apps.

  2. From the Add app drop-down menu, click Add custom SAML app.


    The App Details section opens.

  3. In the App name field, enter a name.

  4. Under App icon, click the blue circle, navigate to the image file that you want to use as the icon, and upload it.

  5. Click Continue.

    The Google Identity Provider Details section opens.

  6. Click Download IdP Metadata.

    Note

    The IdP metadata file needs to be uploaded to Exabeam when you Configure Exabeam for SAML Authentication.

  7. Click Continue.

    The Service Provider Details section opens.

  8. Enter the ACS URL and Entity ID as shown in the following:

    ACS URL:

    https://<exabeam_primary_host>:443/api/auth/saml2/google/handle-assertion

    Entity ID:

    https://<exabeam_primary_host>:443/api/auth/saml2/google/login

    Note

    Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host.

  9. Click Continue.

    The Attribute Mapping section opens.

  10. Click Add Mapping, and then from the Select field drop-down menu, select Primary email.

  11. Repeat the previous step for the remaining attributes, so that all of the following are mapped:

    • Primary email

    • First name

    • Last name

    • Group

  12. In the App attributes fields, enter descriptive values for the attributes.

    For example, for the Primary email attribute, you could enter EmailAddress for the descriptive value. The following is an example of a completed attribute map:

    [Screenshot: a completed attribute map in Google IdP]

    Important

    When you Configure Exabeam for SAML Authentication, you need to use the same descriptive values to map the Exabeam query attributes with the corresponding IdP user attributes.

  13. Click Continue.

    The details page opens for your Exabeam app.

  14. In the User Access panel, click the Expand panel icon to begin assigning the appropriate organizational units and groups to your Exabeam app and manage its service status.


    You are now ready to Configure Exabeam for SAML Authentication.

Azure AD

Note

The following instructions include procedural information for configuring both Azure AD and Exabeam to complete the IdP setup.

  1. Log in to Microsoft Azure and navigate to Enterprise Applications.

  2. Create an Exabeam enterprise application by doing the following:

    a. Click New application, and then click Create your own application.

      The Create your own application dialog box appears.

    b. In the What's the name of your app field, type a name for the app (for example, "Exabeam-SAML").

    c. Select Integrate any other application you don't find in the gallery (Non-gallery).

    d. Click Create.

  3. On the Enterprise Application page, locate and click the application that you added in step 2.

  4. In the Manage section, click Single sign-on.

  5. Click the SAML tile.

  6. In the Basic SAML Configuration box, click Edit, and then do the following:

    a. In the Identifier (Entity ID) field, enter the following: https://<exabeam_primary_host>:443/api/auth/saml2/others/login

      Note

      Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host.

    b. In the Reply URL (Assertion Consumer Service URL) field, enter the following: https://<exabeam_primary_host>:443/api/auth/saml2/others/handle-assertion

      Note

      Make sure that you replace <exabeam_primary_host> with the IP address or domain name of your primary host.

    c. Click Save.

  7. In the User Attributes & Claims box, click Edit, and then map the Azure objects to your Exabeam field attributes.

    a. Click the row for the user.mail claim.

      The Manage claim dialog box appears.

    b. In the Name field, type the name of the appropriate Exabeam field attribute.

    c. If needed, clear the value in the Namespace field to leave it empty.

    d. Click Save.

    e. Repeat steps a through d as needed for the following claims:

      • user.givenname

      • user.userprincipalname

      • user.surname

    f. Click Add a group claim.

    g. In the Group Claims dialog box, select Groups assigned to the application.

    h. From the Source attribute drop-down list, select Group ID.

    i. In the Advanced Options section, select the checkbox for Customize the name of the group claim.

    j. In the Name (required) field, type Group.

    k. Click Save.

      The Group claim is added to the User Attributes & Claims box.

  8. In the SAML Signing Certificate box, download the Federation Metadata XML file, which contains the IdP signing certificate, to upload to Exabeam.

  9. In Exabeam, navigate to Settings > User Management > Configure SAML, and then click Add Identity Provider.

    The New Identity Provider dialog box appears.

  10. From the SAML Provider drop-down list, select Custom/Generic IdP.

  11. Under SSO Configuration, select Upload the XML metadata file provided by your IdP, and then choose the Federation Metadata XML file that was downloaded in step 8.

  12. In the Name of IdP field, type a name (for example, "Azure").

  13. In the Upload IdP logo field, click Choose File, and then select a PNG file of the logo that you want to use.

    Note

    The PNG logo file size cannot exceed 1 MB.

  14. In the Query Attributes section, enter the appropriate IdP attribute values for each field that you defined in step 7.

    Important

    The IdP attribute values must match the values that you defined in step 7.

    [Screenshot: Query Attributes table listing the Exabeam attributes Email Address, Username, First Name, Last Name, and Group, each with its IdP attribute value]

  15. Click Save.

    Azure now appears as an identity provider in the Configure SAML tab of the User Management page, and a Group Mappings section also appears.

  16. To map a SAML group to Exabeam user roles, do the following:

    a. On the home page of Azure, click Groups.

    b. From the Object Id column, copy the ID for the Azure group that you want to map.

    c. In Exabeam, on the Configure SAML tab of the User Management page, click Add Group.

      The Edit Group Mapping dialog box appears.

    d. From the Identity Provider drop-down menu, select Others.

    e. In the Group Name field, paste the object ID that you copied in step b.

    f. Select the Exabeam User Roles that you want to assign to the group.

    g. Click Save.

    h. Repeat steps a through g for each Azure group that you want mapped to user roles.

  17. To verify that Azure has been successfully configured, log out of Exabeam and look for the Azure Active Directory option on the sign-on screen.


Configure Exabeam for SAML Authentication

Important

Before you begin this procedure, you need to Add Exabeam to Your SAML Identity Provider.

  1. Log in to your Exabeam product.

  2. Navigate to Settings (gear icon) > Core > User Management > Configure SAML.

  3. Click Add Identity Provider.

  4. From the SAML Provider drop-down menu, select your IdP.

    Note

    If your IdP is not listed, select Custom/Generic IdP.

  5. With the information that you collected in step 5 of Add Exabeam to Your SAML Identity Provider, do one of the following:

    • If you have an XML metadata file from your IdP, select Upload the XML metadata provided by your IdP, and then click Choose File to locate and upload the file from your computer.

    • If you do not have a metadata file, select Configure SSO manually and then do the following:

      a. Click Choose File to locate and upload the IdP certificate from your computer.

      b. In the Single Sign-on URL field, enter the appropriate URL, and then select either HTTP POST or HTTP REDIRECT as needed from the drop-down menu.

      c. (Optional) In the Single Log-Out URL and Redirect to URL after Log-Out fields, enter the appropriate URLs.

  6. If you selected Custom/Generic IdP in the previous step, do the following:

    a. In the Name of IdP field, enter a name.

    b. Under Upload IdP Logo, click Choose File to locate and upload an IdP logo image in PNG format.

  7. (Optional) From the Authentication Method drop-down menu, select an authentication method.

    Note

    Leave the field blank to accept the IdP's default method.

  8. If you are using AD FS and want to enable encryption, click the Encryption Disabled toggle to enable it (the toggle turns blue when enabled), and then configure the encryption options that apply to your environment.

  9. In the Query Attributes table, map the Exabeam query attributes to the corresponding IdP user attributes by entering the same descriptive values that you did in Add Exabeam to Your SAML Identity Provider, as demonstrated in the following example:

    [Screenshot: Query Attributes table listing the Exabeam attributes Email Address, Username, First Name, Last Name, and Group, each with its IdP attribute value]

  10. (Optional) If you are ready to enable the IdP, click the IdP Disabled toggle. When the IdP is enabled, the toggle turns blue.

    Note

    You can add multiple IdPs to your Exabeam product, but only one IdP can be enabled at a time.

  11. Click Save. Your identity provider now appears in the Identity Providers table.

    [Screenshot: Identity Providers table with Name and Status columns and an ADD NEW option]

  12. To complete the configuration, you need to map your SAML groups to Exabeam user roles. For instructions, see Map SAML Groups to Exabeam User Roles.

Map SAML Groups to Exabeam User Roles

After adding a third-party identity provider (IdP) to your Exabeam product, you need to map the IdP user groups to the appropriate user roles in Exabeam. For example, if in your IdP you have an "Advanced Analyst" user group that needs the permissions included in the Tier 3 Analyst (Advanced Analytics) role, you can map the group to that role. Each group can be mapped to one or more roles as needed.

  1. Navigate to Settings (gear icon) > Core > User Management > Configure SAML.

  2. In the Group Mappings section (which appears below the Identity Providers table), click Add Group.


    The New Group Mapping dialog box appears.

  3. From the Identity Provider drop-down menu, select the IdP that you want to map.

  4. In the Group Name/ID field, enter the group name or ID as it is listed in the IdP.

    Important

    Group names are case sensitive.

  5. In the Exabeam User Roles list, select the checkboxes for the role(s) that you want to assign to the group.

  6. Click Save.
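As an added example that is not part of this guide, the following Python code shows how the descriptive attribute values and the group mappings fit together: it reads the AttributeStatement of a constructed SAML assertion by the attribute names chosen in the IdP, applies a Query Attributes map, and resolves roles with exact, case-sensitive group matching. The assertion, attribute names, group ID, and every role name other than Tier 3 Analyst (Advanced Analytics) are assumptions.

```python
# Added example (not Exabeam code): read a SAML assertion's AttributeStatement by
# the descriptive attribute names chosen in the IdP, apply the Query Attributes
# map, and resolve roles from Group Mappings (signature checks assumed done before).
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Query Attributes as entered in Exabeam: Exabeam attribute -> IdP attribute name.
QUERY_ATTRIBUTES = {"Email Address": "EmailAddress", "First Name": "FirstName",
                    "Last Name": "LastName", "Group": "Group"}
# Group Mappings: (IdP, group name or ID) -> roles. The "Example Role" names and
# the Azure-style group object ID are constructed placeholders.
GROUP_MAPPINGS = {
    ("okta", "Advanced Analyst"): {"Tier 3 Analyst (Advanced Analytics)"},
    ("okta", "SOC Leads"): {"Tier 3 Analyst (Advanced Analytics)", "Example Role B"},
    ("others", "00000000-0000-0000-0000-000000000abc"): {"Example Role A"},
}
# Constructed assertion fragment; only the AttributeStatement is relevant here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="EmailAddress"><saml:AttributeValue>ana@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Lopez</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Group">
   <saml:AttributeValue>Advanced Analyst</saml:AttributeValue>
   <saml:AttributeValue>soc leads</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_statement(assertion_xml):
    """Attribute Name -> list of values (Group is normally multi-valued)."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall(".//saml:Attribute", NS)}


def user_profile(assertion_xml, query_attributes=QUERY_ATTRIBUTES):
    """Exabeam attribute -> values; a missing name means the descriptive values differ."""
    attrs = attribute_statement(assertion_xml)
    missing = [n for n in query_attributes.values() if n not in attrs]
    if missing:
        raise ValueError(f"assertion has no attribute named {missing}")
    return {k: attrs[n] for k, n in query_attributes.items()}


def resolve_roles(idp, profile, mappings=GROUP_MAPPINGS):
    """Union of roles over mapped groups. Lookup is exact and case sensitive, so
    'soc leads' does not match the 'SOC Leads' mapping and adds no roles."""
    roles = set()
    for group in profile["Group"]:
        roles |= mappings.get((idp, group), set())
    return roles
```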

Manage SAML Login Status

You can make authentication through your selected identity provider (IdP) mandatory for users to log in, or you can allow users to log in through either the IdP or local authentication. You can also disable your selected IdP so that users can only log in through local authentication.

  1. Navigate to Settings (gear icon) > Core > User Management > Configure SAML.

  2. In the SAML Status box, select a login status for your IdP.

  3. Click Save.

Enable or Disable Identity Providers

Note

You can add multiple identity providers (IdPs) to your Exabeam product, but only one IdP can be enabled at a time.

  1. Navigate to Settings > Core > User Management > Configure SAML.

  2. Move your pointer over the IdP that you want to enable or disable, and click the edit icon.


    The Edit Identity Provider dialog box opens.

  3. Click the IdP Enabled/Disabled toggle to enable or disable the IdP as needed.

    The toggle is blue when the IdP is enabled and gray when it is disabled.
