SAML 2.0 / SSO Initial Setup Instructions [archived]

Overview


Regardless of your specific IdP, there are four high-level parts to the process of setting up SAML/SSO for ZenGRC, and this documentation is organized accordingly:

  • Part 1: Gathering ZenGRC Service Provider Details - “Service Provider” refers to any application (i.e. ZenGRC) that requests authentication from a central “Identity Provider”, or “IdP”. This section provides instructions for accessing information in ZenGRC that your IdP will use to identify ZenGRC as a trusted service provider. This part of the process must be performed by a ZenGRC Administrator. (Note: Some IdPs, such as ADFS, use the term “Relying Party” in place of “Service Provider”)

  • Part 2: Entering ZenGRC Service Provider Details into Your IdP and Gathering IdP Details for your ZenGRC Admin - This section provides instructions for entering information about ZenGRC, obtained in the previous step, into your organization’s IdP. This step must be performed by a user with administrative access to your organization’s IdP platform (or more specifically, a user with permission to create and manage “service provider” applications in your IdP platform). This part of the process results in the generation of additional artifacts that your IdP administrator will then need to share with your ZenGRC administrator, who will use that information to apply further changes in ZenGRC.

  • Part 3: Entering IdP Details into ZenGRC - In order to finalize the “handshake” between ZenGRC and your IdP, a ZenGRC administrator must enter the information generated by your IdP administrator into ZenGRC.

  • Part 4: Enabling the SSO Login Option for ZenGRC End Users - The last step is turning on the SAML/SSO login option for ZenGRC users and determining which other login options you want to expose.

Part 1: Gathering ZenGRC Service Provider Details for your IdP Admin


To gather the information that your IdP administrator will need in order to add ZenGRC as a trusted service provider in your IdP platform, complete the following steps. These steps are the same for all IdPs except where otherwise noted. You’ll need to have administrator access to ZenGRC to complete this section.

  1. If there are multiple options for logging into your ZenGRC instance, make sure to select Sign in with Email.


  2. In the left-hand navigation, click Settings | Authentication.


  3. If you are setting up SAML for the first time, the SAML checkbox will be unchecked. Do not select it until you've gone through all steps in this tutorial.


    Note: The Debug Mode toggle in the screenshot above will display helpful debug information on failed attempts to log into ZenGRC via SSO. It should be enabled only when troubleshooting issues with your SAML/SSO configuration.

  4. Click Edit Settings (or, if you're setting up SAML for the very first time in ZenGRC, this button may say Configure instead of Edit Settings).

  5. All IdPs require certain metadata about the service provider application, and depending on the specific IdP there are three possible ways to provide that metadata. If you aren’t sure which method your organization’s IdP supports, then complete the steps for all three options and include all of the resulting artifacts in the package you provide to your IdP administrator.

    1. Option 1 - Metadata URL: If your organization’s IdP supports it, the easiest way for your IdP administrator to add the ZenGRC metadata to the IdP is by providing a metadata URL. To generate this URL, click Download ZenGRC Metadata (SP). A new browser tab will open with the metadata displayed in XML format. Copy the URL from your browser’s address field and paste it into a text file. Add the text file to the artifacts you are gathering for your IdP administrator.


    2. Option 2 - Metadata File: The next easiest option is to add the metadata to the IdP via file upload. To generate the formatted metadata file for your IdP administrator, click Download ZenGRC Metadata (SP). A new browser tab will open with the metadata displayed in XML format. Find your web browser’s “Save As” dialogue and save the web page as an XML file by adding “.xml” to the end of the filename.

    3. Option 3 - Copy-and-Paste the Metadata: If your organization’s IdP accepts neither of the above methods, then create a blank text file and copy each of the URLs in the above screenshot into the text file. You can quickly copy the values by clicking the Copy button to the right of each one. However, be sure to also add the field labels so that your IdP administrator knows which URL value goes where in the IdP platform.

  6. To confirm that authentication requests claiming to come from a trusted service provider are genuine, IdPs validate those requests against the service provider's signing certificate. ZenGRC includes this certificate in the metadata collected above; however, some IdPs (e.g. Okta) require that the service provider certificate be uploaded into the IdP separately from the metadata. If you aren’t sure whether your organization’s IdP requires the certificate to be uploaded separately, download it now and include it with the artifacts you're gathering for your IdP administrator. Your IdP administrator will know whether it’s required, and if it is, you’ll have saved yourself a step by downloading it now.

    At this point, you should have only one certificate available in ZenGRC. To download the certificate, click the ellipsis to the right of the certificate and select Download.


  7. Click the Advanced Settings tab and take a screenshot of ZenGRC’s default SAML advanced settings. These settings default to the most common values, but your IdP administrator might ask you to modify them after reviewing them. It’s recommended you take this screenshot directly from your ZenGRC instance rather than from this documentation:


  8. Collect everything you’ve generated in the prior steps and provide it to your IdP administrator along with a link to these setup instructions. This package should now include:

    1. ZenGRC metadata (in the form of a metadata URL, the downloaded metadata XML file, and/or a text file you created manually by copying/pasting)

    2. ZenGRC certificate (if you think it might be required by your IdP)

    3. Screenshot of Advanced Settings
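If you would rather pull the Option 3 values and the certificate details out of the metadata file than copy them from the screen, the following script does that. It is an added example and not ZenGRC's own code: it parses SAML 2.0 SP metadata with Python's standard library and reports the Entity ID, the ACS URL, the Single Logout URL and a SHA-256 fingerprint of the SP signing certificate, which your IdP administrator can compare against whatever they upload. The embedded metadata is a constructed sample with a placeholder hostname (example.zengrc.com) and a placeholder certificate body; run the script with the path of the XML file you saved in Option 2 to read your real values.

```python
"""Extract the service provider values an IdP administrator needs from SP metadata.

Added example, not ZenGRC's own code. Uses only the standard library.
The metadata below is a constructed sample: example.zengrc.com and the
certificate body are placeholders, not real values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata from untrusted sources, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# ZenGRC field labels, with the names IdPs commonly use for the same field.
LABELS = {
    "entity_id": "Entity ID (IdP names: Audience, Audience URL (SP Entity ID), SP Issuer)",
    "acs_url": "Assertion Consumer Service URL (IdP names: Recipient, ACS (Consumer) URL)",
    "slo_url": "Single Logout URL",
    "cert_sha256": "SP signing certificate SHA-256 fingerprint",
}

# Constructed sample of what "Download ZenGRC Metadata (SP)" returns (placeholder values).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.zengrc.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUJDREVGR0g=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.zengrc.com/saml/single_logout_service/"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.zengrc.com/saml/assertion_consumer_service/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _location(descriptor, tag, binding_suffix):
    """Location of the first endpoint of type `tag` whose Binding ends with `binding_suffix`."""
    for endpoint in descriptor.findall(tag, NS):
        if endpoint.get("Binding", "").endswith(binding_suffix):
            return endpoint.get("Location")
    return None


def extract_sp_details(metadata_xml):
    """Return entity ID, ACS URL, SLO URL, certificate fingerprint and signing flags."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not SP metadata")

    # Prefer the KeyDescriptor marked for signing; fall back to the first one present.
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    fingerprint = None
    if cert is not None and cert.text:
        der = base64.b64decode("".join(cert.text.split()))  # drop line breaks inside the PEM body
        fingerprint = hashlib.sha256(der).hexdigest()

    return {
        "entity_id": root.get("entityID"),
        "acs_url": _location(sp, "md:AssertionConsumerService", "HTTP-POST"),
        "slo_url": _location(sp, "md:SingleLogoutService", "HTTP-Redirect"),
        "cert_sha256": fingerprint,
        # These flags correspond to the "Enable authentication request signed" and
        # "Want assertions signed" advanced settings that the metadata advertises.
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    import sys
    # Usage: python sp_metadata.py zengrc-sp-metadata.xml   (falls back to the sample)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    for key, value in extract_sp_details(xml_text).items():
        print("%s: %s" % (LABELS.get(key, key), value))
```

The script refuses IdP metadata (no SPSSODescriptor) so that the two files cannot be mixed up when they are passed between administrators, and the fingerprint gives both sides a value to compare without sending the certificate again.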

Part 2: Entering ZenGRC Service Provider Details into Your IdP and Gathering IdP Details for your ZenGRC Admin


This section provides instructions for entering the service provider information that your ZenGRC administrator collected from ZenGRC into your organization's IdP. In order to perform this part of the setup process, you must have administrative access to your organization's IdP.

Before completing these steps, ensure that the ZenGRC administrator has provided you with the following artifacts:

  1. ZenGRC metadata (depending on your IdP, this might be in the form of a metadata URL, a formatted XML file to upload to your IdP, or a text file with metadata values that you can copy-and-paste into your IdP)

  2. ZenGRC’s service provider (signing) certificate (if your IdP platform requires you to upload it separately from the metadata artifacts above)

  3. A screenshot of ZenGRC’s SAML advanced settings for you to review and communicate any required changes back to the ZenGRC administrator

The process of entering service provider details into the IdP platform varies depending on the specific IdP your organization is using, so expand the appropriate section for your organization's specific IdP below:

Configuring Okta

  1. Sign in to Okta as an administrator.

  2. Click Developer Console in the top-left corner of Okta and select Classic UI.


  3. Follow the Okta documentation to Set up a SAML application in Okta until you arrive at the following screen:


  4. Enter the service provider metadata collected from ZenGRC into Okta.

    1. If you happen to have administrative access to both Okta and ZenGRC, then you can copy-and-paste the values directly from ZenGRC into Okta as shown below.

    2. If you are an Okta administrator but do not have administrative access to ZenGRC, then copy-and-paste these settings from the text file provided to you by the ZenGRC administrator:


  5. Click Show Advanced Settings in Okta. (The screenshot below displays this and the following two steps).

  6. Next to Enable Single Logout, select the checkbox beside Allow application to initiate Single Logout.

  7. In the Single Logout URL text box, paste the value from ZenGRC Single Logout URL. The string will end with "single_logout_service."


  8. In the SP Issuer field, paste the value from ZenGRC Entity ID. The string will end with "metadata."

  9. Click Browse next to Signature Certificate and select the certificate that your ZenGRC administrator should have provided.

  10. Click Upload Certificate.

  11. Under Attribute Statements, create two custom parameters as follows:

    • Add email to the Name field with a value of user.email.

    • Add nickname to the Name field with a value of user.firstName.

  12. Continue clicking through the Okta setup until finished.

    IMPORTANT: Make certain to add users or user groups determined by your organization, or the connection will fail.


  13. Once complete, Okta displays a page where you can view the setup. Right-click the Identity Provider Metadata link and select Copy Link Address. This link will need to be entered into ZenGRC, so save it so that you can provide it to your ZenGRC administrator.

    IMPORTANT: If Okta is configured so that users log into network applications with a user account name rather than an email address, the Application username format setting under Credentials Details will need to be changed to email. Click Edit for the Settings, scroll down to the field labeled Application username format, select email from the drop-down menu (Okta defaults to username), and click Save.

  14. Review the screenshot of ZenGRC’s SAML 2.0 advanced settings that your ZenGRC administrator provided and make sure to provide any required changes to your ZenGRC administrator along with the IdP metadata URL you copied in the prior step.

    NOTE: The IdP metadata URL includes IdP certificate information, so there is no need to provide Okta’s IdP certificate separately to the ZenGRC administrator.

Configuring OneLogin

  1. Sign in to OneLogin as an administrator.

  2. If you aren't already there, navigate to Administration.

  3. Click Applications in the top menu and then click the Add Application button.


  4. Type SAML into the search field to filter the list of applications, and then select the application called . If you don’t see this application in your Onelogin instance, you can select any application from the list (these are just templates that we’re going to modify anyway)


  5. Replace the value in DisplayName with whatever name you plan to use for ZenGRC (“ZenGRC,” “ZenGRC Prod,” etc.).

  6. Click Save

  7. From the left-hand-side navigation, click Configuration. This is where we’ll enter the service provider URLs from ZenGRC (or, if you don’t have administrative access to ZenGRC, then a ZenGRC administrator should have provided these URLs to you in a text file)

    NOTE: Leave the ACS URL Validator field blank.


  8. From the left-hand-side navigation, click Parameters. Click the + icon to add a new parameter.

  9. Under Field Name, type nickname and select Include in SAML assertion. Click Save.


  10. In the resulting drop-down, select First Name and click Save


  11. To obtain the IdP metadata, click the More Actions drop-down, and select SAML Metadata. You’ll need to provide this file to your ZenGRC administrator so they can upload it into ZenGRC’s SAML 2.0 settings in the next part of the setup process.


  12. Click Users and add the ZenGRC administrator (and any other users you want to add at this time)


  13. Review the screenshot of ZenGRC’s SAML 2.0 advanced settings that your ZenGRC administrator provided and make sure to provide any required changes to your ZenGRC administrator along with the IdP metadata file you downloaded above.

Configuring Azure AD

  1. Sign in to Microsoft Azure as an administrator and navigate to the Azure Active Directory service console. It may be available immediately on your Azure landing page, or you might have to navigate to it by first clicking More Services.


  2. From the left-hand-side navigation menu in the Active Directory console, click Enterprise Applications. It may take several minutes for this screen to load.


  3. Click New Application


  4. Select Non-gallery application


  5. Give the application a name (e.g. “ZenGRC”, “ZenGRC Prod”, etc.), and click Add.

    NOTE: In some cases, Azure AD may hang after adding the new application. If so, simply navigate back through to the Enterprise Applications list and select the newly created application from the list before continuing to the next step.

  6. Click the Set up single sign-on tile



  7. Click the SAML tile.


  8. Next, we’ll enter the service provider metadata from ZenGRC. Click the pencil icon in the top-right corner of the panel titled Basic SAML Configuration


  9. Enter the service provider fields from ZenGRC as follows. If you have administrator access to ZenGRC, you can copy-and-paste the URLs directly as per the screenshot. Otherwise, your ZenGRC administrator should have provided a text file with the required URL values.

  10. Click Save.

    NOTE: Ignore any prompts that might appear in Azure AD asking you if you'd like to test the application

  11. Next, we’ll configure the required user attributes. Click the pencil icon in the top-right corner of the panel titled User Attributes & Claims.


  12. Delete all four of the pre-configured attributes under the Additional claims section.

  13. Click Add new claim.

  14. Enter nickname in the Name field, select user.displayname from the Source attribute drop-down, and click Save.

  15. Return to the User Attributes & Claims screen, where you’ll modify the existing Unique User Identifier claim. To edit it, click the row as highlighted in the screenshot (it doesn’t look clickable, but it is).

  16. Change the existing selection in the Source attribute drop-down to user.mail, then click Save.

  17. Next, you’ll obtain the IdP metadata URL, which you’ll need to share with the ZenGRC administrator so they can enter it back into ZenGRC’s SAML 2.0 settings. To obtain the URL, navigate back to the Single sign-on setup screen, and in the section titled SAML Signing Certificate, copy the App Federation Metadata URL by clicking the copy button. Paste this URL into a text file that you will share with the ZenGRC administrator.

  18. Assign at least one user, the ZenGRC administrator, to the application. This ensures that they can test the SSO connection once they have completed the setup. To add the user, click Users and Groups in the left-hand-side menu and add the desired user(s).

  19. Share the metadata URL you collected above with the ZenGRC administrator, who will complete the configuration in ZenGRC.

Configuring ADFS

  1. Log into your Windows server as an administrator.


  2. Click the Windows button, then click Server Manager


  3. From the top menu of the Server Manager dashboard, click Tools and select AD FS Management



  4. From the left-hand side directory tree, click Relying Party Trusts


  5. Click Add Relying Party Trust


  6. Leave the default selection of Claims Aware and click Start


  7. In the next screen, you’ll upload the ZenGRC metadata XML file provided by your ZenGRC administrator. You’ll need to have this XML file available on the local server where you’re configuring ADFS.

    To upload the file, select the radio button for Import data about the relying party from a file, browse to the metadata XML file, and click Next


  8. Enter the name you’d like to use for the ZenGRC relying party application in the Display Name field and click Next


  9. In the next screen, leave the default selection for Permit everyone, and click Next


  10. In the next screen, you may optionally review the details under each tab or simply click Next


  11. In the final screen of the wizard, leave the Configure claims issuance policy for this application checkbox selected, and click Close.


  12. A new window titled Edit Claim Issuance Policy should open automatically. Note that it might open behind the current AD FS setup window. If you can’t find it, click Edit Claim Issuance Policy… from the right-hand-side menu in the AD FS setup window. Once you have the window in view, click Add Rule…


  13. In the next screen, leave the default selection for Claim rule template, and click Next


  14. Name the rule whatever you like (e.g. “ZenGRC Required Attributes”).


  15. Create two LDAP mappings as per the following screenshot. In the Attribute Store drop-down, select Active Directory, then click Finish.


  16. Click OK


  17. Next, you’ll construct the ADFS IdP metadata URL to provide back to your ZenGRC administrator. The URL consists of your Active Directory’s hostname URL plus a federation metadata endpoint that we’ll obtain from ADFS. Starting with the endpoint, expand the Service folder in the left-hand side directory tree and click Endpoints. Scroll all the way to the bottom of the list of endpoints to the section titled Metadata and locate the federation metadata URL. It should be similar to the highlighted URL in the following screenshot:

    Note: Unfortunately you cannot copy this value from ADFS, so you’ll need to actually type it into a text file that you’ll share with your ZenGRC administrator. When combined with the Active Directory host URL, the resulting URL string should look similar to the following: https://ad2016.corp.zengrc.net/FederationMetadata/2007-06/FederationMetadata.xml

  18. Review the screenshot of ZenGRC’s SAML 2.0 advanced settings that your ZenGRC administrator provided and make sure to provide any required changes to your ZenGRC administrator along with the ADFS IdP metadata URL you generated in the prior step. Note also that Part 4 of these instructions will already instruct the ZenGRC administrator to set Want Name ID to true.

    NOTE: The IdP metadata URL includes IdP certificate information, so there is no need to provide ADFS’s IdP certificate separately to the ZenGRC administrator.

General Guidance for Configuring Unlisted IdPs

This section provides general information that you and your ZenGRC administrator can use to enter ZenGRC service provider details into an IdP that has not been covered explicitly in this documentation.

  1. If your IdP requires a certificate from the service provider, upload the one provided to you by the ZenGRC administrator.

  2. Next, you’ll need to enter service provider metadata into the IdP. Depending on the IdP, this metadata can be provided by:

    1. Entering into your IdP the metadata URL that your ZenGRC administrator should have provided from ZenGRC

    2. Uploading the formatted metadata XML file provided by your ZenGRC administrator

    3. Copying-and-pasting the metadata values that your ZenGRC administrator provided you in the form of an unformatted text file. If you’re going this route, it's important to note that metadata setting names vary among IdP providers, which can cause confusion as to what information should be entered where. The following are examples of metadata values along with some of the common names that IdPs use to refer to them:

    Sample Setting Value: https://[yourdomain].zengrc.com/saml/metadata
    Common Names that IdPs use to refer to the Setting:
      • Audience
      • Audience URL (SP Entity ID)
    Notes: (none)

    Sample Setting Value: https://[yourdomain].zengrc.com/saml/assertion_consumer_service/
    Common Names that IdPs use to refer to the Setting:
      • Recipient
      • ACS (Consumer)
      • URL Validator
      • ACS (Consumer) URL
    Notes: This same value might need to be entered into multiple fields in your IdP.

    Sample Setting Value: https://[yourdomain].zengrc.com/saml/single_logout_service/
    Common Names that IdPs use to refer to the Setting:
      • Single Logout URL
    Notes: If your IdP provides an option for whether to allow single logout, enable the setting and enter this value for the single logout URL.

  3. Create two custom parameters for the ZenGRC application as follows:

    Parameter Name: email
    Parameter Value: user.email

    Parameter Name: nickname
    Parameter Value: user.firstName

  4. Review the screenshot that the ZenGRC administrator provided showing the default values for the SAML 2.0 Advanced Settings in ZenGRC, and note any changes that need to be made either in the IdP or back in ZenGRC in order to match your organization's policies. Refer to the following descriptions of the advanced settings:

  • Enable encrypted nameID - Indicates that the nameID of the logout request sent by this SP will be encrypted.

  • Enable authentication request signed - Indicates whether the authorization request messages sent by this SP will be signed. (Metadata of the SP will offer this info.)

  • Enable single logout request - Indicates whether the logout request messages sent by this SP will be signed.

  • Enable logout response signed - Indicates whether the logout response messages sent by this SP will be signed.

  • Enable sign metadata - Indicates whether the SP metadata will be signed (using the SP certificate).

  • Want messages signed - Indicates a requirement for the response, logout request and logout response elements received by this SP to be signed.

  • Want assertions signed - Indicates a requirement for the assertion elements received by this SP to be signed. The Metadata of the SP will offer this info.

  • Want assertions encrypted - Indicates a requirement for the assertion elements received by this SP to be encrypted.

  • Want name Id - Indicates a requirement for the NameID element on the SAML 2.0 response received by this SP to be present.

  • Want attribute statement - Indicates a requirement for the attribute statement element.

  • Fail on authentication context mismatch - True validates the authentication context and False ignores the context.

  5. ZenGRC requires a certificate from your IdP. For some IdPs (e.g. Okta), IdP certificate information is provided as part of the IdP metadata URL. In other cases, you may need to export a certificate explicitly from the IdP and ask the ZenGRC administrator to upload that IdP certificate into ZenGRC.

  6. Provide the IdP metadata, the IdP certificate (if not included in the metadata), and any required modifications to ZenGRC’s SAML 2.0 advanced settings to your ZenGRC administrator.
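To make the "Want ..." advanced settings concrete, here is an added example (not ZenGRC's code) that applies those requirements, together with the email and nickname attributes configured in the IdP steps above, to a SAML Response and lists anything that is missing. It checks structure and presence only: verifying the XML signatures themselves needs an XML-DSig implementation and is outside this example. The response is a constructed sample with placeholder values, and the settings dictionary is illustrative rather than ZenGRC's defaults.

```python
"""Checklist for a SAML Response against "Want ..." style SP settings.

Added example, not ZenGRC's code. Checks presence and shape only; it does
not verify signatures. The response and settings below are constructed
samples with placeholder values.
"""
import xml.etree.ElementTree as ET  # for responses from untrusted sources, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Illustrative values for the Advanced Settings discussed above (not ZenGRC's defaults).
SETTINGS = {
    "want_messages_signed": False,
    "want_assertions_signed": True,
    "want_assertions_encrypted": False,
    "want_name_id": True,
    "want_attribute_statement": True,
}
REQUIRED_ATTRIBUTES = ("email", "nickname")  # the two custom parameters from the IdP steps

SP_ENTITY_ID = "https://example.zengrc.com/saml/metadata"  # placeholder hostname
ACS_URL = "https://example.zengrc.com/saml/assertion_consumer_service/"

# Constructed sample response; signature value and identities are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z"
    Destination="https://example.zengrc.com/saml/assertion_consumer_service/">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_assn1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://example.zengrc.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="nickname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Same response with the assertion signature and the nickname attribute removed (constructed).
UNSIGNED_RESPONSE_MISSING_NICKNAME = (
    SAMPLE_RESPONSE
    .replace("<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>", "")
    .replace('<saml:Attribute Name="nickname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>', "")
)


def check_response(response_xml, settings, sp_entity_id, acs_url, required_attributes=REQUIRED_ATTRIBUTES):
    """Return a list of problems; an empty list means the response meets the settings."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    problems = []

    # "Want messages signed": the Response element itself must carry a signature.
    if settings["want_messages_signed"] and root.find("ds:Signature", NS) is None:
        problems.append("Want messages signed: Response carries no ds:Signature")

    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS)
    if settings["want_assertions_encrypted"] and encrypted is None:
        problems.append("Want assertions encrypted: assertion is in cleartext")
    if assertion is None:
        if encrypted is None:
            problems.append("no Assertion or EncryptedAssertion present")
        return problems  # the remaining checks need a decrypted assertion

    # "Want assertions signed": the Assertion element must carry a signature.
    if settings["want_assertions_signed"] and assertion.find("ds:Signature", NS) is None:
        problems.append("Want assertions signed: Assertion carries no ds:Signature")

    # "Want name Id": a non-empty NameID is required (ZenGRC maps it to the user's email).
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if settings["want_name_id"] and (name_id is None or not (name_id.text or "").strip()):
        problems.append("Want name Id: NameID missing or empty")

    # Audience must name this SP's Entity ID and Destination (if present) must be the ACS URL.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience %s does not include SP entity ID %s" % (audiences, sp_entity_id))
    if root.get("Destination") not in (None, acs_url):
        problems.append("Destination %s is not the ACS URL" % root.get("Destination"))

    # "Want attribute statement" plus the attributes the IdP steps configure.
    statement = assertion.find("saml:AttributeStatement", NS)
    if statement is None:
        if settings["want_attribute_statement"]:
            problems.append("Want attribute statement: no AttributeStatement in assertion")
    else:
        present = {a.get("Name") for a in statement.findall("saml:Attribute", NS)}
        for name in required_attributes:
            if name not in present:
                problems.append("required attribute '%s' not in AttributeStatement" % name)
    return problems


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_RESPONSE), ("unsigned", UNSIGNED_RESPONSE_MISSING_NICKNAME)):
        print(label, check_response(xml_text, SETTINGS, SP_ENTITY_ID, ACS_URL) or "OK")
```

When Debug Mode is on in ZenGRC, the messages it shows for a failed SSO login correspond to checks of this kind; running a captured response through the function is a quick way to see which advanced setting or missing attribute is the cause before changing anything in the IdP.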

Part 3: Entering IdP Details Back into ZenGRC


In this section of the setup process, you will finalize the “handshake” between ZenGRC and your IdP by entering the information generated by your IdP back into ZenGRC. This process must be completed by a ZenGRC administrator, and that ZenGRC administrator must have access to the artifacts generated by your IdP administrator in the prior section. These artifacts should include:

  • IdP metadata

  • Any required changes that your IdP administrator requested you make on the Advanced Settings tab in ZenGRC’s SAML 2.0 setup screen

This process of entering IdP details into ZenGRC varies depending on the specific IdP your organization is using, so expand the appropriate section for your specific IdP below:

Part 4: Enabling the SSO Login Option for ZenGRC End-Users


In this final part of the setup process, you’ll enable the SSO login option, test that you’re able to log into ZenGRC using that option, and then disable other unwanted login options.

  1. If you aren't already there, navigate to Settings | Authentication and select Edit Settings

  2. Select the SAML 2.0 checkbox and enable the Debug mode toggle.

    NOTE: ZenGRC will prevent you from disabling other authentication options until you've successfully logged in using SAML 2.0 / SSO.


  3. Log out of ZenGRC.

  4. On the ZenGRC log in page, select Sign in with SSO.

    NOTE: If there are issues with the settings, and you have the Debug mode toggle on, they should display here.

  5. Access Settings | Authentication.

  6. Deselect any unwanted authentication methods.

  7. Disable the Debug Mode toggle.


© 2021 Copyright Reciprocity, Inc.
https://reciprocity.com