1. F5 Distributed Cloud App Infrastructure Protection (AIP) Support
  2. User Guides
  3. Legacy Threat Stack Single Sign-On (SSO)

Configure SSO in Distributed Cloud AIP

Important

This page contains information for legacy Threat Stack customers who log into Distributed Cloud AIP using app.threatstack.com. If you log into Distributed Cloud AIP using F5 Distributed Cloud Services (F5XC), see User Management for information about configuring SSO in F5XC using Google, Azure, or Okta.

Single Sign-On (SSO) integrates a session token with a user authentication service. An SSO allows you to access multiple authorized applications without re-authenticating when switching between applications.

F5 Distributed Cloud App Infrastructure Protection (AIP) exclusively integrates with Security Assertion Markup Language (SAML) 2.0 SSO identity provider (IdP) services. Additionally, Distributed Cloud AIP only supports service provider (SP)-initiated generic SAML 2.0 integrations.

Tip

Not sure if your SSO is SP-initiated? If you visit a web application and are redirected to your IdP to sign in, then your SSO is SP-initiated.

Supported IdPs for SSO

Distributed Cloud AIP supports the following SAML 2.0 IdPs:

  • Google
  • JumpCloud
  • Okta
  • OneLogin

Note

If your SSO uses a SAML 2.0 IdP, but is not on the supported list, then Distributed Cloud AIP has not tested an integration with your IdP.

Configure SSO Integration with Distributed Cloud AIP

Prerequisites

  • Administrator access to your IdP
  • Owner access to the Distributed Cloud AIP console
Configure Google SSO Integration

Tip

User side-by-side browser windows – one for your Google Admin console and one for Distributed Cloud AIP – to complete these instructions.

  1. Log into your Google Admin console. The Home page displays.
  2. Log into Distributed Cloud AIP. The Dashboard page displays.
  3. Begin the Google integration with Distributed Cloud AIP.
    1. In the Google Admin console, in the left navigation menu, go to Apps > Web and Mobile apps.
      1.png
    2. Select Add app > Add custom SAML app. The App Details page displays.
      2.png
    3. In the App name field, type "Distributed Cloud AIP".
    4. Optionally, add a description in the Description field.
  4. Begin the Distributed Cloud AIP integration with Google.
    1. In Distributed Cloud AIP, in the left navigation pane, click Settings. The Settings page displays.
    2. Click the Authentication tab. The Authentication page displays.
    3. In the Single Sign-On section, from the Identity Provider drop-down menu, select Google SAML.
  5. Copy values from Google Admin into Distributed Cloud AIP.
    1. In the Google Admin console, copy the value in the Single Sign-On URL field.
    2. In Distributed Cloud AIP, in the Identity Provider SAML 2.0 URL field, paste the value copied in step 5a.
    3. In the Google Admin console, copy the value in the Entity ID field.
    4. In Distributed Cloud AIP, in the Identity Provider Issuer URL field, paste the value copied in step 5c.
  6. Upload the Google certificate to Distributed Cloud AIP.
    1. In the Google Admin console, download the X.509 Certificate.
    2. In Distributed Cloud AIP, click in the Upload your Public Certificate file field. Follow the prompts to upload the X.509 Certificate you downloaded in step 6a.
  7. Copy values from Distributed Cloud AIP into Google Admin.
    1. In Distributed Cloud AIP, copy the value in the SSO Assertion Consumer Service URL (ACS URL) field.
    2. In Google Admin, in the ACS URL field, paste the value copied in step 7a.
    3. In Google Admin, in the Start URL field, paste the value copied in step 7a.
    4. In Distributed Cloud AIP, copy the value in the Audience URI / SP Entity ID field.
    5. In Google Admin, in the Entity ID field, paste the value copied in step 7d.
    6. In Google Admin, do not check the Signed Response check box.
  8. On the same Google Admin page as step 7, define the naming format in the Name ID section.
    1. From the Name ID Format drop-down menu, select EMAIL.
    2. From the Name ID drop-down menu, select Basic Information > Primary email.
  9. No mapping values from Google to Distributed Cloud AIP are necessary. Click Continue.
  10. In the Google Admin console, click the Finish button. Google is now integrated with Distributed Cloud AIP for SSO.
  11. Turn on SSO for users within the Google Admin console.
    1. Go to Apps > Web and mobile apps.
    2. Select your SAML app.
    3. In the User Access section, click Off for everyone.
      Picture1.png
    4. Select On for everyone, then Save.
  12. Optionally, if you prefer to have SSO on for only a certain organizational unit, keep the setting at Off for everyone.
    1. To the left, select the organizational unit to change the service status.
    2. Select On, then Override, then Save.
  13. In Distributed Cloud AIP, click the Continue button. Distributed Cloud AIP is now integrated with Google for SSO.
Configure JumpCloud SSO Integration

Tip

User side-by-side browser windows – one for your JumpCloud Admin Console interface and one for Distributed Cloud AIP – to complete these instructions.

  1. Log into the JumpCloud Admin console. The Home page displays.
  2. Log into Distributed Cloud AIP. The Dashboard page displays.
  3. Begin the JumpCloud integration with Distributed Cloud AIP.
    1. Select Applications. The Applications screen displays.


      ApplicationButton.png

    2. Click the (+) button. The Configure New Application window opens.


      ApplicationSearch.png

    3. In the Search field, type “SAML”.
    4. In the SAML search result, click the configure button.


      ApplicationConfig.png

      The Configuration Settings screen displays.

      ConfigSettingsPg.png

  4. Generate an IdP Private Key and SHA256 Certificate.
    1. In Linux, open the Terminal.
    2. Go to the /tmp directory.
    3. Type the following commands and press ENTER: 
      openssl genrsa -out private.pem 2048
      openssl req -new -x509 -sha256 -key private.pem -out cert.pem -days 1095
    4. In the JumpCloud Admin console, click the Upload IdP Private Key button. The Open dialog displays.


      UploadKeysCerts.png

    5. Go to the /tmp directory.
    6. Select the IdP certificate you generated in step 4c.
    7. Click the Open button. The Open dialog closes. You return to the JumpCloud Admin console.
    8. Click the Upload IdP Certificate button. The Open dialog displays.
    9. Go to the /tmp directory.
    10. Select the IdP certificate you generated in step 4c.
    11. Click the Open button. The Open dialog closes.
  5. Ensure the following values are present in the JumpCloud Admin console.
    1. In the SAMLSUBJECT NAMEID field, ensure the value is “email”.


      OtherValues.png

    2. In the SAMLSUBJECT NAMEID FORMAT field, ensure the value is “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”.
    3. Ensure the SIGNATURE ALGORITHM drop-down menu value is “RSA-SHA256”.
    4. In the IDP-INITIATED URL field, ensure the value is “https://app.threatstack.com”.
  6. Begin the Distributed Cloud AIP integration with JumpCloud.
    1. On the Dashboard page, in the left navigation pane, click Settings. The Settings screen displays.
    2. Click the Authentication tab. The Authentication screen displays.
    3. In the Single Sign-On section, from the Identity Provider drop-down menu, select JumpCloud.
  7. Copy values from Distributed Cloud AIP into the JumpCloud Admin console.
    1. In Distributed Cloud AIP, copy the value in the SSO Assertion Consumer Service URL (ACS URL) field.
    2. In JumpCloud, in the ACS URL field, paste the value copied in step 7a.


      SPEntityAndACSURSL.png

    3. In Distributed Cloud AIP, copy the value in the Audience URI / SP Entity ID field.
    4. In JumpCloud, in the SP ENTITY ID field, paste the value copied in step 7c.
  8. Copy values from the JumpCloud Admin console into Distributed Cloud AIP.
    1. In the JumpCloud Admin console, copy the value in the IDP ENTITY ID field.


      IDPEntityID.png

    2. In Distributed Cloud AIP, in the Identity Provider Issuer URL field, paste the value copied in step 8a.
    3. In the JumpCloud Admin console, copy the value in the IDP URL field.


      IDPURL.png

    4. In Distributed Cloud AIP, in the Identity Provider SAML 2.0 URL field, paste the value copied in step 8c.
  9. In the JumpCloud Admin console, click the activate button.


    ActivateButton.png

    You return to the Applications screen. The Distributed Cloud AIP SSO SAML integration displays.

  10. Clear browser cookies in Google Chrome.
    1. Go to the Distributed Cloud AIP login page.
    2. Right-click on the page. A quick link menu displays.
    3. Click Inspect. The Inspect tool displays.
    4. Select the Application tab.
    5. Expand the Cookies options.
    6. Right-click the Distributed Cloud AIP URL and select Clear.
    7. Close the browser.
    8. Open the browser and log into the Distributed Cloud AIP console as an administrator. The JumpCloud SSO is used to sign into Distributed Cloud AIP.
  11. Remove the IdP Private Key and Certificate from your computer.
    1. Go to the /tmp directory.
    2. Right-click the IdP Certificate and select Move to Trash.
    3. Right-click the IdP Private Key and select Move to Trash.
    4. Empty your Trash.
Configure Okta SSO Integration

Tip

User side-by-side browser windows – one for your Okta organization and one for Distributed Cloud AIP – to complete these instructions.

  1. Log into your Okta organization with administrator credentials. The Dashboard page displays.


    OktaDashboardPage.png

  2. Log into Distributed Cloud AIP. The Dashboard page displays.
  3. Begin the Okta integration with Distributed Cloud AIP.
    1. In the left navigation pane, click the Applications drop-down menu. The Applications section expands.


      OktaApplicationsScreen.png

    2. Click the Applications tab. The Applications screen displays.
    3. Click the Add Application button. The Add Application page displays.


      OktaCreateNewAppButton.png

    4. Click the Create New App button. The Create a New Application Integration dialog displays.


      CreateANewAppDialog.png

    5. In the Sign on method section, select the SAML 2.0 radio button.
    6. Click the Create button. The Create SAML Integration page displays.


      CreateSamlPage1.png

    7. In the App name field, type “Distributed Cloud AIP”.
    8. Click the Next button. The SAML Settings screen displays.


      SAMLSettingsScreen.png

    9. In the General section, in the Single sign on URL field, type “https://app.threatstack.com/sso/saml/callback”.
    10. Ensure the Use this for Recipient URL and Destination URL checkbox is selected.
    11. In the Audience URI (SP Entity ID) field, type “https://app.threatstack.com”.
    12. From the Name ID format drop-down menu, ensure EmailAddress is selected.
    13. From the Application username drop-down menu, ensure Email is selected.
    14. Click the Next button.


      SAMLSettingsScreenNext.png

      The 3 Help Okta Support understand how you configured the application screen displays.

      HelpOktaSupport.png

    15. Select the I’m an Okta customer adding an internal app radio button. Additional fields display.


      HelpOktaSupportFinish.png

    16. Select the This is an internal app that we have created checkbox.
    17. Click the Finish button. The Distributed Cloud AIP integration screen displays.


      ThreatStackIntegrationScreen.png

      Warning

      Do not close this page. You need to access the View Setup Instructions button later in this process.

  4. Begin the Distributed Cloud AIP integration with Okta.
    1. On the Dashboard page, in the left navigation pane, click Settings. The Settings screen displays.


      TSAuthenticationScreen.png

    2. Click the Authentication tab. The Authentication screen displays.
    3. In the Single Sign-On section, from the Identity Provider drop-down menu, select Okta.
  5. Copy values from the Okta organization into Distributed Cloud AIP.
    1. In Okta, in the Settings section, click the View Setup Instructions button.


      ViewSetupInstructionsButton.png

      The How to Configure SAML 2.0 for Distributed Cloud AIP Application page opens.

      HowToCofigSAMLPage.png

    2. On the Okta page, in the Identity Provider Single Sign-On URL field, copy the value.
    3. In Distributed Cloud AIP, in the Identity Provider SAML 2.0 URL field, paste the value copied in step 5b.
    4. On the Okta page, in the Identity Provider Issuer field, copy the value.
    5. In Distributed Cloud AIP, in the Identity Provider Issuer URL field, paste the value copied in step 5d.
    6. On the Okta page, in the X.509 Certificate section, click the Download Certificate button. The certificate downloads as "okta.cert".
    7. In Distributed Cloud AIP, in the Upload your Public Certificate file field, click and upload the Okta cert downloaded in step 5f.
    8. In Distributed Cloud AIP, click the Continue button.


      TSContinueButton.png

      A notification message displays.

    9. Click the Yes button. The notification message closes.
  6. Assign people in the Okta organization to Distributed Cloud AIP.
    1. In Okta, on the Distributed Cloud AIP integration screen, click the Assignments tab. The Assignments screen displays.


      OktaAssignmentsTab.png

    2. Click the Assign drop-down menu.


      AssignDropdown.png

    3. Select Assign to People. The Assign Distributed Cloud AIP to People dialog displays.


      AssignThreatStack.png

    4. Next to a name to add, click the Assign button. The User Name dialog displays.


      UserNameDialog.png

      Confirm the Distributed Cloud AIP email address for the person.

    5. Click the Save and Go Back button. You return to the Assign Distributed Cloud AIP to People dialog.
    6. Repeat steps 6d – 6e for each name to add.
    7. Click the Done button.


      AssignThreatStackDone.png

      You return to the Distributed Cloud AIP integrations screen. Each selected user displays on the page.

      Complete.png

      The first or next time a user logs into Distributed Cloud AIP, they will be prompted to set up their Okta authentication.

Configure OneLogin SSO Integration

Tip

User side-by-side browser windows – one for your OneLogin console interface and one for Distributed Cloud AIP – to complete these instructions.

  1. Log into the OneLogin console with administrator credentials. The Home page displays.

    OneLoginHomepage.png

  2. Log into Distributed Cloud AIP. The Dashboard page displays.
  3. Begin the OneLogin integration with Distributed Cloud AIP.
    1. On the Home page, select Administration. A new tab opens and the Administration page displays.

      AdministrationPage.png

    2. Hover the cursor over the Apps tab and select Add Apps. The Find Applications screen displays.

      FindAppPage.png

    3. In the search… field, type “Distributed Cloud AIP” and press ENTER.
    4. From the search results, click Distributed Cloud AIP SAML2.0.

      SearchResults.png

      The Add Distributed Cloud AIP screen displays.

      AddThreatStackScreen.png

    5. Click the Save button. A confirmation message displays.

      ConfirmationMessage.png

  4. Begin the Distributed Cloud AIP integration with OneLogin.
    1. On the Dashboard page, in the left navigation pane, click Settings. The Settings screen displays.
    2. Click the Authentication tab. The Authentication screen displays.
    3. In the Single Sign-On section, from the Identity Provider drop-down menu, select OneLogin.
  5. Copy information from OneLogin into Distributed Cloud AIP.
    1. In the OneLogin console, click the SSO tab. The SSO screen displays.

      SSOTab.png

    2. In the OneLogin console, copy the value in the Issuer URL field.
    3. In Distributed Cloud AIP, in the Identity Provider Issuer URL field, paste the value copied in step 5b.
    4. In the OneLogin console, copy the value in the SAML 2.0 Endpoint field.
    5. In Distributed Cloud AIP, in the Identity Provider SAML 2.0 URL field, paste the value copied in step 5d.
    6. In the OneLogin console, click the View Details link. The Standard Strength Certificate (2048-bit) screen displays.

      StandStrCert.png

    7. Click the Download button. The certificate downloads to your local machine.
  6. Assign people in OneLogin to Distributed Cloud AIP.
    1. In the OneLogin console, click the Users tab. The All Users screen displays.

      AllUsersScreen.png

    2. In the Search field, type the name of a user to add.
    3. Click the user’s name. Their user screen displays.

      UserPage.png

    4. On their user page, click the Applications tab. The Applications screen displays.

      ApplicationsTab.png

    5. In the Applications section, click the + button. The Assign New Login to [User] dialog displays.

      AssignNewLogin.png

    6. From the Select Application drop-down menu, select Distributed Cloud AIP.
    7. Click the Continue button. The Edit Distributed Cloud AIP Login For [User] dialog displays.

      EditThreatStack.png

    8. Click the Save button. You return to the Applications screen. The Distributed Cloud AIP integration displays.
Was this article helpful?
0 out of 0 found this helpful

Table of Contents

Related articles