SAML Support in Cisco Vulnerability Management for Single Sign On

Cisco Vulnerability Management support for SAML requires configuration on both the Cisco Vulnerability Management side and the customer side of the connection, including the exchange of Issuer and Identity Provider information. For information on how SAML works, refer to SAML Explained in Plain English | OneLogin. Here is a basic SAML flow diagram from OneLogin:
[Figure: basic SAML flow diagram from OneLogin]

Basic requirements of our implementation:

1. NameID is required as part of the SAMLResponse object.
2. The assertion must contain an email address. The attribute name carrying it must be exactly one of the following (names are matched as written, including case):

  • Email
  • email
  • Mail
  • mail
  • EmailAddress
  • EmailID
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/EmailAddress
This attribute sometimes needs to be added as a custom attribute in your Identity Provider configuration.
Users are created in Cisco Vulnerability Management using the email address that corresponds with the SAML user ID. An email message is sent to the user advising them that they have been added to the platform and can connect using their SAML credentials.
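The two requirements above (a NameID, plus an email address under one of the accepted attribute names) are easy to verify before you send anything to Cisco. The following is an added example, not Cisco's or Kenna's code: it parses a SAMLResponse with the Python standard library and reports whether both requirements are met. The response XML embedded below is constructed for illustration, and the check is deliberately strict about attribute names because the accepted list is matched as written.

```python
"""Pre-flight check of a SAML assertion against the listed requirements.

Added example (not Cisco code). Parses a SAMLResponse and verifies that
the assertion carries a non-empty NameID and an email attribute whose
Name is one of the accepted attribute names from the article.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names the article lists as accepted for the email address.
# Matched exactly (case-sensitive), so "E-Mail" or "EMAIL" would be rejected.
ACCEPTED_EMAIL_ATTRIBUTES = (
    "Email", "email", "Mail", "mail", "EmailAddress", "EmailID",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/EmailAddress",
)

# Constructed sample response (not captured from a real IdP); unsigned and
# trimmed to the elements this check looks at.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="displayName">
        <saml:AttributeValue>Jane Doe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_assertion(response_xml: str) -> dict:
    """Return {'name_id', 'email', 'problems'}; 'problems' is empty when OK."""
    root = ET.fromstring(response_xml)
    problems = []

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"name_id": None, "email": None, "problems": ["no Assertion element"]}

    # Requirement 1: a NameID in the Subject.
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else None
    if not name_id:
        problems.append("NameID missing or empty")

    # Requirement 2: an email value under an accepted attribute name.
    email = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in ACCEPTED_EMAIL_ATTRIBUTES:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and "@" in value.text:
                email = value.text.strip()
                break
    if email is None:
        problems.append("no email attribute with an accepted name")

    return {"name_id": name_id, "email": email, "problems": problems}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE))
```

Run it against a decoded SAMLResponse captured from your own IdP's test login (the base64 body of the `SAMLResponse` form field) to see whether the attribute mapping is right before opening a ticket; a rejected name such as `E-Mail` shows up as a problem rather than a silent user-creation failure.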
 

Configuring your Identity Provider service

From your SAML provider, you will need to configure Cisco Vulnerability Management's entity ID (sometimes referred to as the "issuer"), which should be:

https://www.kennasecurity.com/sp

You will also need to send Cisco a copy of your public X.509 certificate, or the URL of your metadata.xml that contains it. Cisco uses that certificate to generate a fingerprint used to validate your SAML responses.

You will need to provide Cisco with your IdP SSO Target URL, which is the URL to which Cisco redirects your unauthenticated users for authentication.

There will also be an "assertion consumer service (ACS) URL", the endpoint to which your SAML provider posts the response back, which is:

https://YOUR_SUBDOMAIN.kennasecurity.com/auth/saml/UUID/callback
Note: Cisco Vulnerability Management will provide the value of UUID.
Once you've sent Cisco your X.509 cert and IdP SSO Target URL, Cisco can complete the fingerprinting and enable SAML on our side. By default, Cisco allows either password or SAML authentication, but not both. Cisco support can temporarily enable both authentication methods during your transition period.
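Both values Cisco asks for in this section, the signing certificate and the IdP SSO Target URL, are normally present in your IdP's metadata.xml. The following is an added example, not Cisco's or Kenna's code: it pulls the signing certificate out of a metadata document, derives a fingerprint for it, and reads the SSO endpoint, so you can confirm what you sent matches what Cisco records. The metadata document is constructed for illustration and its certificate body is placeholder bytes rather than a real certificate; the choice of hash (SHA-256, with SHA-1 available) and the colon-separated uppercase format are assumptions about how a fingerprint is presented, since the article does not specify them.

```python
"""Extract the signing certificate and SSO URL from IdP metadata.xml.

Added example (not Cisco code). Metadata and certificate bytes below are
constructed placeholders; the fingerprint is a hash over the DER-encoded
certificate, which is the usual convention but an assumption here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata. The X509Certificate text decodes to the bytes
# b"placeholder-cert-bytes", not to an actual certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          cGxhY2Vob2xkZXIt
          Y2VydC1ieXRlcw==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_signing_certificate(metadata_xml: str) -> bytes:
    """Return the DER bytes of the IdP signing certificate in metadata.xml."""
    root = ET.fromstring(metadata_xml)
    for key_desc in root.findall(".//md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if key_desc.get("use", "signing") != "signing":
            continue
        cert = key_desc.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # Metadata usually wraps the base64 over several lines.
            b64 = "".join(cert.text.split())
            return base64.b64decode(b64, validate=True)
    raise ValueError("no signing certificate found in metadata")


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Hash the DER bytes and format as colon-separated uppercase hex."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sso_target_url(metadata_xml: str, binding: str = HTTP_REDIRECT) -> str:
    """Return the SingleSignOnService Location for the given binding."""
    root = ET.fromstring(metadata_xml)
    for svc in root.findall(".//md:SingleSignOnService", NS):
        if svc.get("Binding") == binding and svc.get("Location"):
            return svc.get("Location")
    raise ValueError("no SingleSignOnService with binding %s" % binding)


if __name__ == "__main__":
    der = extract_signing_certificate(SAMPLE_METADATA)
    print("IdP SSO Target URL :", sso_target_url(SAMPLE_METADATA))
    print("SHA-256 fingerprint:", fingerprint(der))
    print("SHA-1 fingerprint  :", fingerprint(der, "sha1"))
```

Point it at your real metadata.xml and keep the printed fingerprint with your change record; when the IdP later rotates its signing certificate, the fingerprint Cisco holds will no longer match and SAML logins fail until the new certificate (or metadata URL) is sent to Cisco, so a recorded value makes that failure quick to diagnose.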
 
Note: Cisco Vulnerability Management does not publish an explicit metadata.xml, which some Identity Providers require when creating a new third-party service. If required, contact your Identity Provider's support for assistance in generating a metadata.xml for use with Cisco Vulnerability Management. Also note that Cisco Vulnerability Management does not encrypt the assertion or sign the SAML request; the traffic itself is still encrypted via HTTPS/TLS.

Enabling SSO authentication on your Cisco Vulnerability Management account:

When SSO authentication is first enabled on your account, we'll keep your direct login form enabled, so that users can still access Cisco Vulnerability Management in the event they experience issues with SSO connectivity. Once you're comfortable with your SSO authentication to Cisco Vulnerability Management, you can contact Cisco support to have the direct login form disabled; this will require all Cisco Vulnerability Management users to log in via SSO.
 
Once SSO is enabled on your Cisco Vulnerability Management account, the following features will immediately be disabled (even while the direct login form is enabled):
  • New user password setup emails: new users will instead receive a notification that they have an account in Cisco Vulnerability Management, but will not be able to set a password (because SSO is enabled). For this reason, Cisco recommends you do not create new Cisco Vulnerability Management users until you have verified SSO is working as expected in your Cisco Vulnerability Management account.
  • Password reset functionality: existing users will not be able to reset their password on the direct login forms. If this becomes an issue, please contact support.
Contact Support (or submit a ticket through the Help Center) to retrieve your Client ID and to enable SAML for your account.