Overview
Regardless of your specific IdP, there are four high-level parts in the process of setting up SAML/SSO for ZenGRC, and this documentation is organized accordingly:
Part 1: Gathering ZenGRC Service Provider Details - “Service Provider” refers to any application (here, ZenGRC) that requests authentication from a central “Identity Provider”, or “IdP”. This section provides instructions for accessing information in ZenGRC that your IdP will use to identify ZenGRC as a trusted service provider. This part of the process must be performed by a ZenGRC Administrator.
Part 2: Entering ZenGRC Service Provider Details into Your IdP and Gathering IdP Details for your ZenGRC Admin - This section provides instructions for entering information about ZenGRC, obtained in the previous step, into your organization’s IdP. This step must be performed by a user with administrative access to your organization’s IdP platform (or more specifically, a user with permission to create and manage “service provider” applications in your IdP platform). This part of the process results in the generation of additional artifacts that your IdP administrator will then need to share with your ZenGRC administrator, who will use that information to apply further changes in ZenGRC.
Part 3: Entering IdP Details into ZenGRC - In order to finalize the “handshake” between ZenGRC and your IdP, a ZenGRC administrator must enter the information generated by your IdP administrator into ZenGRC.
Part 4: Enabling the SAML/SSO Login Option for ZenGRC End Users - The last step is turning on the SAML/SSO login option for ZenGRC users and determining which other login options you want to expose.
Part 1: Gathering ZenGRC Service Provider Details for your IdP Admin
To gather the information that your IdP administrator will need in order to add ZenGRC as a trusted service provider in your IdP platform, complete the following steps. These steps are the same for all IdPs except where otherwise noted. You’ll need to have administrator access to ZenGRC to complete this section.
If there are multiple options for logging into your ZenGRC instance, make sure to select Sign in with Email.
In the left-hand navigation, click Settings | Authentication.
If you are setting up SAML for the first time, the SAML checkbox will be unchecked. Do not select it until you've gone through all steps in this tutorial.
Note: The Debug Mode toggle in the screenshot above will display helpful debug information on failed attempts to log into ZenGRC via SSO. It should be enabled only when troubleshooting issues with your SAML/SSO configuration.
Click Edit Settings.
All IdPs require certain metadata about the service provider application, and depending on the specific IdP there are three possible ways to provide that metadata. If you aren’t sure which method your organization’s IdP supports, then complete the steps for all three options and include all of the resulting artifacts in the package you provide to your IdP administrator.
Option 1 - Metadata URL: If your organization’s IdP supports it, the easiest way for your IdP administrator to add the ZenGRC metadata to the IdP is by providing a metadata URL. To generate this URL, click Download ZenGRC Metadata (SP). A new browser tab will open with the metadata displayed in XML format. Copy the URL from your browser’s address field and paste it into a text file. Add the text file to the artifacts you are gathering for your IdP administrator.
Option 2 - Metadata File: The next easiest option is to add the metadata to the IdP via file upload. To generate the formatted metadata file for your IdP administrator, click Download ZenGRC Metadata (SP). A new browser tab will open with the metadata displayed in XML format. Find your web browser’s “Save As” dialogue and save the web page as an XML file by adding “.xml” to the end of the filename.
Option 3 - Copy-and-Paste the Metadata: If your organization’s IdP accepts neither of the above methods, then create a blank text file and copy each of the URLs in the above screenshot into the text file. You can quickly copy the values by clicking the Copy button to the right of each one. However, be sure to also add the field labels so that your IdP administrator knows which URL value goes where in the IdP platform.
In order to validate the authenticity of authentication requests that claim to be coming from a trusted service provider, IdPs check the signature on those requests against the service provider's certificate. ZenGRC provides this certificate in the metadata collected above; however, some IdPs (e.g. Okta) require that this service provider certificate be uploaded into the IdP separately from the metadata. If you aren’t sure whether your organization’s IdP requires that the certificate be uploaded separately, go ahead and download it now and include it with the artifacts that you're gathering for your IdP administrator. Your IdP administrator will know whether it’s required, and if it turns out that it is, you’ll have saved yourself a step by downloading it right now.
At this point, you should have only one certificate available in ZenGRC. To download the certificate, click the ellipsis to the right of the certificate and select Download.
Click the Advanced Settings tab and take a screenshot of ZenGRC’s default SAML advanced settings. These settings default to the most common values, but your IdP administrator might ask you to modify them after reviewing them. It’s recommended you take this screenshot directly from your ZenGRC instance rather than from this documentation:
Collect everything you’ve generated in the prior steps and provide it to your IdP administrator along with a link to these setup instructions. This package should now include:
ZenGRC certificate (if you think it might be required by your IdP)
ZenGRC metadata (in the form of a metadata URL, the downloaded metadata XML file, and/or a text file you created manually by copying/pasting)
Screenshot of Advanced Settings
Part 2: Entering ZenGRC Service Provider Details into Your IdP and Gathering IdP Details for your ZenGRC Admin
This section provides instructions for entering the service provider information that your ZenGRC administrator collected from ZenGRC into your organization's IdP. In order to perform this part of the setup process, you must have administrative access to your organization's IdP.
Before completing these steps, ensure that the ZenGRC administrator has provided you with the following artifacts:
ZenGRC’s service provider certificate (if your IdP platform requires one)
ZenGRC metadata (depending on your IdP, this might be in the form of a metadata URL, a formatted XML file to upload to your IdP, or a text file with metadata values that you can copy-and-paste into your IdP)
A screenshot of ZenGRC’s SAML advanced settings for you to review and communicate any required changes back to the ZenGRC administrator
The process of entering service provider details into the IdP platform varies depending on the specific IdP your organization is using, so expand the appropriate section for your organization's specific IdP below:
Configuring Okta
Configuring Onelogin
Configuring Azure AD
Configuring ADFS
General Guidance for Configuring Unlisted IdPs
This section provides general information that you and your ZenGRC administrator can use to enter ZenGRC service provider details into an IdP that has not been covered explicitly in this documentation.
3. Create two custom parameters for the ZenGRC application as follows:
6. ZenGRC requires a certificate from your IdP. For some IdPs (e.g. Okta), IdP certificate information is provided as part of the IdP metadata URL. In other cases, you may need to export a certificate explicitly from the IdP and ask the ZenGRC administrator to upload that IdP certificate into ZenGRC.
5. Provide the IdP metadata, the IdP certificate (if not included in the metadata), and any required modifications to ZenGRC’s SAML 2.0 advanced settings to your ZenGRC administrator.
Part 3: Entering IdP Details Back into ZenGRC
In this section of the setup process, you will finalize the “handshake” between ZenGRC and your IdP by entering the information generated by your IdP back into ZenGRC. This process must be completed by a ZenGRC administrator, and that ZenGRC administrator must have access to the artifacts generated by your IdP administrator in the prior section. These artifacts should include:
IdP metadata
Any changes that your IdP administrator requested you make on the Advanced Settings tab in ZenGRC’s SAML 2.0 setup screen
This process of entering IdP details into ZenGRC varies depending on the specific IdP your organization is using, so expand the appropriate section for your specific IdP below:
Entering from Okta
After securing the Okta metadata link from your Okta administrator, complete the following steps in ZenGRC:
Entering from Onelogin
After securing the Onelogin metadata file from your Onelogin administrator, complete the following steps in ZenGRC:
Entering from Azure AD
After securing the Azure AD metadata file from your Azure AD administrator, complete the following steps in ZenGRC:
Entering from ADFS
General Guidance for Unlisted IdPs
If you do not see instructions for your specific IdP, this section provides general information that you and your IdP administrator can use to enter IdP details into ZenGRC. The following are examples that ZenGRC might need from your organization’s IdP, along with the different names the fields may be called in your IdP:
Be sure to also review ZenGRC’s SAML 2.0 Advanced Settings tab with your IdP administrator.
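Both the Part 1 copy-and-paste option (labelling each ZenGRC SP metadata value for the IdP administrator) and the general guidance above (finding the entity ID, sign-on URL and certificate in an unlisted IdP's metadata) come down to reading a SAML 2.0 metadata document. The following script is an added example and is not ZenGRC's code or tooling; it parses either an SP or an IdP EntityDescriptor with the Python standard library, lists the endpoints with their labels, and prints a SHA-256 fingerprint of each embedded certificate so the two administrators can confirm they are looking at the same certificate. The metadata samples, the example.zengrc.invalid and idp.example.invalid hostnames, and the placeholder certificate bytes are all constructed for the example; real metadata carries a DER-encoded X.509 certificate in the X509Certificate element.

```python
"""Parse SAML 2.0 SP or IdP metadata into the labelled values the two admins exchange."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder; a real metadata file embeds base64 DER certificate bytes here.
_FAKE_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()

# Constructed SP metadata shaped like what an SP "download metadata" page returns (hostnames assumed).
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.zengrc.invalid/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.zengrc.invalid/saml/sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.zengrc.invalid/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IdP metadata of the kind an IdP administrator exports (hostname assumed).
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml2/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.invalid/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_saml_metadata(xml_text: str) -> dict:
    """Return entity ID, role (SP/IdP), endpoints, NameID format and certificate fingerprints."""
    # Metadata comes from another party; it never needs a DOCTYPE, so refuse one outright
    # rather than let the parser see entity declarations at all.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("refusing metadata that declares a DOCTYPE")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role_el = sp if sp is not None else idp
    if role_el is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor present")
    info = {"entityID": root.get("entityID"), "role": "SP" if sp is not None else "IdP",
            "endpoints": {}, "nameid_format": None, "certificates": []}
    for tag in ("AssertionConsumerService", "SingleSignOnService", "SingleLogoutService"):
        for el in role_el.findall(f"md:{tag}", NS):
            info["endpoints"].setdefault(tag, []).append(
                {"binding": el.get("Binding"), "location": el.get("Location")})
    nid = role_el.find("md:NameIDFormat", NS)
    if nid is not None and nid.text:
        info["nameid_format"] = nid.text.strip()
    for kd in role_el.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping before decoding
        info["certificates"].append({"use": kd.get("use") or "signing and encryption",
                                     "sha256": hashlib.sha256(der).hexdigest()})
    return info


def labelled_lines(info: dict) -> list:
    """Render the parsed values as 'Label: value' lines, so nothing is pasted without its label."""
    lines = [f"Entity ID ({info['role']}): {info['entityID']}"]
    for tag, endpoints in sorted(info["endpoints"].items()):
        for ep in endpoints:
            short_binding = ep["binding"].rsplit(":", 1)[-1]  # e.g. HTTP-POST
            lines.append(f"{tag} [{short_binding}]: {ep['location']}")
    if info["nameid_format"]:
        lines.append(f"NameID format: {info['nameid_format']}")
    for c in info["certificates"]:
        lines.append(f"X509 certificate ({c['use']}) SHA-256: {c['sha256']}")
    return lines


if __name__ == "__main__":
    for sample in (SAMPLE_SP_METADATA, SAMPLE_IDP_METADATA):
        print("\n".join(labelled_lines(parse_saml_metadata(sample))), end="\n\n")
```

Run it against a saved metadata XML file by replacing the constructed samples with the file's contents; comparing the printed certificate fingerprint on both sides is a quick way to confirm that the certificate uploaded separately into the IdP is the same one carried in the metadata.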
Part 4: Enabling the SAML 2.0/SSO Login Option for ZenGRC End Users
In this final section of the setup process, you’ll enable the SAML 2.0/SSO option, test that you are able to log in using SAML 2.0 / SSO, and then turn off unwanted authentication options.
If you aren't already there, navigate to Settings | Authentication and select Edit Settings.
Select the SAML 2.0 checkbox and enable the Debug mode toggle.
NOTE: ZenGRC will prevent you from disabling other authentication options until you've successfully logged in using SAML 2.0 / SSO.
Log out of ZenGRC.
On the ZenGRC log in page, select Sign in with SSO.
NOTE: If there are issues with the settings, and you have the Debug mode toggle on, they should display here.
Access Settings | Authentication.
Deselect any unwanted authentication methods.
Turn off the Debug Mode toggle.