SSO for Administrators (SAML 2.0)

0
3
4

The OutThink Command Centre is a secure on-line portal for managing your end-users, training campaigns, attack simulations, and interacting with analytics results and reporting. Only named and trusted administrators should be granted the rights to access the application.

This article describes how to set up federation with your identity provider (IdP) supporting the SAML 2.0 protocol. When you set up the federation, new administrative users of the OutThink platform can use your own IdP-managed organizational account to sign in to the OutThink Command Centre.

1. Provide IdP Metadata to OutThink

Please supply your IdP’s XML metadata file to OutThink. Your IdP MUST support the HTTP-POST binding for the SingleSignOnService.

If you don’t have such a file, please supply the following values for your IdP:

  • entityID
  • SingleSignOnService location URL (HTTP-POST binding)
  • X509Certificate (public key of your signing certificate).

2. Determine list of domains to the federated

Provide OutThink with a full list of all domains to be federated via your Identity Provider.
For instance: example.com, auth.example.com, example-partner.net.

IMPORTANT: If the domains to be federated do not match the Identity Provider’s authentication domain, or a host within the domain, a DNS TXT record will need to be added to all such domains which point to the Identity Provider’s SingleSignOnService location URL. As an example:

example.com.  IN   TXT   DirectFedAuthUrl=https://auth-for-example.com/adfs

For more details, see Microsoft’s documentation at:
https://learn.microsoft.com/en-gb/entra/external-id/direct-federation#step-1-determine-if-the-partner-needs-to-update-their-dns-text-records

3. Configure your Identity Provider

The OutThink Platform is supported by Microsoft Entra ID, which acts as the SAML Service Provider (SP).

SAML SP entityID (Pre-Production) = Contact your OutThink Customer Success representative
SAML SP entityID (Production) = Contact your OutThink Customer Success representative
SAML SP AssertionConsumerService (ACS) = https://login.microsoftonline.com/login.srf

In the SAML response’s assertion:

  • The subject’s NameID SHOULD be in the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent format and SHOULD be set to the email address of the authenticated user.
  • The email address of the authenticated user MUST also be included as an emailaddress claim attribute (format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).

4. Notes

  • The POSTed authn request will be accompanied by a RelayState (to be echoed back in the POSTed response) and a UserName (the email address of the user to be authenticated by your IdP)
  • Even if your IdP’s metadata indicates that it wants signed authn requests, a current limitation of the Microsoft Entra ID SAML SP is that it doesn’t sign authn requests; this is why the public key of Microsoft’s signing certificate is not supplied in this document
  • IdP-initiated SSO is not supported.

Was this helpful?

3 / 4