Identity Providers Settings
An Axonius admin user can enable login based on a broad range of supported identity and access management providers. These identity providers handle authentication and authorization using your organization's existing credentials through a Single Sign-On (SSO) solution. All are disabled by default.

Once enabled and configured, a designated login button appears on the Axonius login page.

Axonius supports the following identity providers:

  • LDAP
  • SAML Based

To enable the desired identity provider and configure its credentials, open the Identity Providers Settings: from the top right corner of any page, click the System Settings icon. The System Settings page opens. Then click the Identity Providers Settings tab.

LDAP Login Settings

Enables login from an existing domain controller using the LDAP protocol.

To enable LDAP logins, under the LDAP Login Settings section, switch on the Allow LDAP Logins toggle switch.


Once switched on, define the connection to the domain controller with the following settings:

  1. The host domain controller IP or DNS (required) - The IP address or host name of the Microsoft Active Directory (AD) domain controller that will verify the credentials.
  2. A group the user must be part of (optional, default: empty) - The name of the group, or of a nested group, that the logged-on user must be a member of.
  3. Match group name by DN (required) - Choose whether to authenticate user logins by the exact Distinguished Name (DN) of the user's group.
    • If enabled, the user's group Distinguished Name (DN) must match (case sensitive) the value defined in the A Group the User Must be Part of field.
    • If disabled, the name of the user's group or nested group must match the value defined in the A Group the User Must be Part of field.
    • The default value of this setting is False.
  4. Default domain to present to the user (optional) - The default domain the user is logged in to (for example, if the value is "CORPNET" and the user logs in as "user", Axonius will try to log in to the DC as "CORPNET\user").
  5. LDAP group hierarchy cache refresh rate (hours) (required, default: 720) - Configure the login cache refresh rate, which determines when changes are reflected in Axonius.
    • Changes in the group hierarchy (groups added, removed or moved) are reflected in Axonius only at the next login cache recalculation. Users added to or removed from specific groups are reflected in Axonius immediately, independently of the next login cache recalculation.
    • A low number means that login may be slower, as the login cache is recalculated more frequently, but it will be more accurate.
    • A high number means that login may be faster, as the login cache is recalculated less frequently, but it may be less accurate.
    • The default value for this setting is 720 hours (one month).
  6. Use SSL for connection (optional) - The type of communication. Can be either:
    1. Unencrypted
    2. Unverified (Encrypted but unverified)
    3. Verified (Encrypted and verified)
  7. CA file (optional) - The host will be verified using this CA. Relevant when the connection is verified.
  8. Certificate file and Private key file (optional) - SSL configuration for creating a remote connection.

Role Assignment Settings

  1. Evaluate role assignment on (required, default: New users only) - Select whether to evaluate role assignment for new users or for new and existing users.
    • If New users only is selected, role assignment will be evaluated only for new users. The role of existing Axonius users will not be re-evaluated and will remain as is.
    • If New and existing users is selected, role assignment will be evaluated for new users and also for existing users on every login.
  2. Default role for new LDAP user (if no matching assignment rule found) (required, default: No Access) - The default role that will be associated with new LDAP users. For details on managing user roles in Axonius, see Manage Roles.
  3. Role Assignment Rules (users will be assigned to the first matching role) (optional, default: empty) - Configure a ranked list of rules to determine the user's role.
    • Each rule consists of:
      • Category:
        • Email address - a user email address, e.g. example@example.com
        • Email domain - an email domain, e.g. example.com
        • Group - a user group Common Name (CN). For example, for the LDAP group "CN=test-group-0,CN=Test Groups,DC=TestDomain,DC=test", the field value should be "test-group-0". If the Match group name by DN checkbox is enabled, the group refers instead to the full user group Distinguished Name (DN).
      • Value - case sensitive exact match.
      • Role - the role to be assigned.
    • To reorder the rules, hover over the rule to use the drag and drop functionality.
    • When a user logs in to Axonius with LDAP, the user's assigned role will be determined based on the Role Assignment Rules Logic.



SAML-Based Login Settings

Enables login from your existing enterprise identity provider, for example, Okta or Microsoft Active Directory (AD).

To enable SAML logins:

  1. Under the SAML-Based Login Settings section, switch on the Allow SAML-Based Logins toggle switch.


  2. Once switched on, define the credentials and SAML settings both in Axonius and in the requested identity provider.
    The following settings are used to enable SAML authentication with your identity provider.

    • Automatically redirect all logins to the identity provider (required, default: False) - Select whether to automatically redirect all users to the configured SAML identity provider.
      • If enabled, any user that tries to log in to Axonius will be automatically redirected to the configured SAML identity provider.
        • To access the Axonius login page without being redirected, use the following URL: https://[Axonius host name / IP address]/?redirect=false
      • If disabled, any user that tries to log in to Axonius will need to manually click the 'Login with SAML' option to log in with the configured SAML identity provider.

    • Name of the identity provider (required) - If your identity provider supports metadata URL parsing, you can use the link to automatically fill in some details. If it doesn't, fill them in manually. Note that the name of the identity provider can be any string you like; it is used only to identify the identity provider within Axonius.

    • Metadata URL (optional, default: empty) - A one-time URL that Axonius can use to fill in all the other details. If your identity provider supports this, you can use it and skip entering the other settings manually.

    • Axonius external URL (optional, default: empty) - An external URL from which Axonius is accessed. If the communication to Axonius is being proxied, then this should be the external domain, i.e. the proxy domain.

    • Single sign-on service URL (optional, default: empty) - A URL that is needed for the SAML Authentication.

    • Entity ID (optional, default: empty) - The ID of the Axonius entity in the identity provider.

    • Signing certificate (Base64 encoded) (optional, default: empty) - A base64-encoded signing certificate that is needed for the SAML protocol.

    • Do not send AuthnContextClassRef (required, default: False)
      • If enabled, the SAML AuthnRequest will not include the AuthnContextClassRef SAML element.
      • If disabled, the SAML AuthnRequest will include the following AuthnContextClassRef SAML element:
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  3. In the requested identity provider console, define the credentials and SAML settings. The identity provider needs the following Axonius values for these settings, which are then used to enable SAML authentication in Axonius:

     Name                                  Value                                                Comment
     Signing certificate (Base64 encoded)  https://<axonius_hostname>/api/login/saml/metadata/  A one-shot URL for identity providers that support metadata URL parsing
     Entity ID                             https://<axonius_hostname>/api/login/saml/metadata/
     Reply URL                             https://<axonius_hostname>/api/login/saml/?acs        Assertion Consumer Service URL
     Sign on URL                           https://<axonius_hostname>/api/login/saml             Optional. This is useful only if you want to allow identity-provider initiated authentication

  4. In addition, Axonius requires the following three attributes to be sent by the provider:
    • name - The ID of the user in that identity provider. For example, in Active Directory or Azure Active Directory, that would be the user principal name.
    • givenname - The given/first name of the user.
    • surname - The surname of the user.
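The two SAML details above that are easiest to get wrong when wiring up a provider are the AuthnContextClassRef toggle and the three required attributes. The following is an added Python illustration, not Axonius code: it builds a minimal unsigned AuthnRequest with or without the AuthnContextClassRef element and checks a constructed (unsigned, truncated) assertion for the required attributes. The request ID, timestamp, URLs and sample values are all constructed, and no signature validation is performed.

```python
import xml.etree.ElementTree as ET

# Added illustration of the SAML settings described on this page; not Axonius code.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
REQUIRED_ATTRS = ("name", "givenname", "surname")   # the three attributes the page lists
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(entity_id, acs_url, send_authn_context=True):
    """Minimal (unsigned) AuthnRequest. send_authn_context=False mirrors enabling the
    'Do not send AuthnContextClassRef' toggle; ID and IssueInstant are constructed."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_constructed-request-id", "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = entity_id
    if send_authn_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = PPT
    return ET.tostring(req, encoding="unicode")

def authn_context_class_refs(xml_text):
    """Every AuthnContextClassRef value in a request (empty list when the element is omitted)."""
    return [e.text for e in ET.fromstring(xml_text).iter(f"{{{SAML}}}AuthnContextClassRef")]

def assertion_attributes(response_xml):
    """Map attribute Name -> list of values from the assertion's AttributeStatement."""
    attrs = {}
    for a in ET.fromstring(response_xml).iter(f"{{{SAML}}}Attribute"):
        attrs[a.get("Name")] = [v.text for v in a.iter(f"{{{SAML}}}AttributeValue")]
    return attrs

def missing_required(attrs):
    """Required attribute names the provider did not send (or sent empty)."""
    return [n for n in REQUIRED_ATTRS if not attrs.get(n)]

# Constructed sample response: unsigned and truncated, only the AttributeStatement matters here.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>alice@corp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
```

Some providers emit these attributes under full claim URIs rather than the short names; compare what missing_required reports against the attribute names actually configured in the provider.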

Role Assignment Settings

  1. Evaluate role assignment on (required, default: New users only) - Select whether to evaluate role assignment for new users or for new and existing users.
    • If New users only is selected, role assignment will be evaluated only for new users. The role of existing Axonius users will not be re-evaluated and will remain as is.
    • If New and existing users is selected, role assignment will be evaluated for new users and also for existing users on every login.
  2. Default role for new SAML user (if no matching assignment rule found) (required, default: No Access) - The default role that will be associated with new SAML users. For details on managing user roles in Axonius, see Manage Roles.
  3. Role Assignment Rules (users will be assigned to the first matching role) (optional, default: empty) - Configure a ranked list of rules to determine the user's role.
    • Each role consists of key/value pairs (case sensitive exact match) and the role to be assigned.
    • To reorder the rules, hover over the rule to use the drag and drop functionality.
    • When a user logs in to Axonius with SAML, the user's assigned role will be determined based on the Role Assignment Rules Logic.



Role Assignment Rules Logic

When a new/existing user logs in to Axonius with LDAP/SAML, the user's assigned role will be determined based on the following logic:

Each case below lists the user type and current role, the Evaluate role assignment on value, the state of the Role Assignment Rules, and the resulting assigned role.

  1. New user (logs in for the first time, no current role)
    • Evaluate role assignment on: any value (New users only, or New and existing users)
    • Role Assignment Rules: either no assignment rules configured, or assignment rules configured but no matching rule found
    • Resulting assigned role: the value in the Default role for new LDAP user (if no matching assignment rule found) field or in the Default role for new SAML user (if no matching assignment rule found) field
  2. New user (logs in for the first time, no current role)
    • Evaluate role assignment on: any value (New users only, or New and existing users)
    • Role Assignment Rules: assignment rules configured and a matching rule found
    • Resulting assigned role: based on the first matching rule
  3. Existing user (current role: Role X)
    • Evaluate role assignment on: New users only, or the Ignore role assignment rules checkbox under the user settings is enabled
    • Role Assignment Rules: N/A, assignment rules will not be evaluated
    • Resulting assigned role: remains as is (Role X)
  4. Existing user (current role: Role X)
    • Evaluate role assignment on: New and existing users
    • Role Assignment Rules: either no assignment rules configured, or assignment rules configured but no matching rule found
    • Resulting assigned role: remains as is (i.e. Role X)
  5. Existing user (current role: Role X)
    • Evaluate role assignment on: New and existing users
    • Role Assignment Rules: assignment rules configured and a matching rule found
    • Resulting assigned role: based on the first matching rule
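The five cases above, together with the LDAP rule categories (Email address, Email domain, Group with CN versus DN matching) and the first-matching-rule ordering from the Role Assignment Settings sections, as an added Python model. This is not Axonius code; the constants, the dataclass shapes and the naive RDN split in ldap_attrs are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration of the role assignment logic described on this page; not Axonius code.
NEW_USERS_ONLY = "New users only"
NEW_AND_EXISTING = "New and existing users"

@dataclass
class Rule:
    category: str   # LDAP: "Email address", "Email domain", "Group"; SAML: the attribute key
    value: str      # case-sensitive exact match
    role: str       # role assigned when this rule is the first match

@dataclass
class User:
    attrs: dict                         # category/key -> value or list of values
    current_role: Optional[str] = None  # None: first login (new user)
    ignore_rules: bool = False          # "Ignore role assignment rules" checkbox

def ldap_attrs(email, group_dns, match_by_dn):
    """Build the LDAP rule inputs. With Match group name by DN disabled, a Group rule
    compares against the group CN (first RDN); enabled, against the full DN.
    Assumption: email contains '@' and DNs have no escaped commas (naive split)."""
    groups = group_dns if match_by_dn else [dn.split(",")[0].split("=", 1)[1] for dn in group_dns]
    return {"Email address": email, "Email domain": email.split("@", 1)[1], "Group": groups}

def first_matching_rule(rules, attrs):
    """Rules are ranked; the first exact, case-sensitive match wins."""
    for rule in rules:
        present = attrs.get(rule.category, [])
        values = present if isinstance(present, list) else [present]
        if rule.value in values:
            return rule
    return None

def assigned_role(user, evaluate_on, rules, default_role):
    """Role after login, following cases 1-5 of the logic above."""
    is_new = user.current_role is None
    if not is_new and (evaluate_on == NEW_USERS_ONLY or user.ignore_rules):
        return user.current_role                           # case 3: rules not evaluated
    match = first_matching_rule(rules, user.attrs)
    if match is not None:
        return match.role                                  # cases 2 and 5
    return default_role if is_new else user.current_role   # cases 1 and 4
```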