SAML Setup

General

Cloud Defense supports SP-initiated SAML 2.0 SSO. Once setup is complete, you can start this flow from the main login page by clicking on "Sign in with your corporate ID" and entering your corporate email domain on the subsequent page.

SAML Parameters

ACS URLs (Assertion Consumer Service URLs):

1. https://auth.prod.disruptops.com/saml2/idpresponse
2. https://firemon.auth.us-west-2.amazoncognito.com/saml2/idpresponse

Most IdPs allow multiple or additional ACS URLs (verified with Okta, Azure, Ping)

Entity ID: urn:amazon:cognito:sp:us-west-2_sxsZbR4hW

Attribute mapping

You need to map the following attributes

• email
• given_name
• family_name

Once your IdP is set up, communicate your metadata file or URL to FireMon Support for completion.

Each user that is allowed to login with via your IdP will be granted read-only access to Cloud Defense the first time the access the app. This user will be assigned a unique username that includes the user's email.

Google Workspace-specific instructions

1. Go to admin.google.com and select Apps | Web and mobile apps
2. Click on Add app | Add custom SAML app
3. Give your app a name and description
4. Download the metadata, this will need to be communicated to Cloud Defense
5. For ACS URL enter the first ACS URL above (Google Workspace SAML does not support multiple ACS URLs)
6. For Entity ID enter the Entity ID above
7. Leave the rest default and select Continue
8. Map the above attributes to the appropriate Google Directory attributes and select Finish
9. Add users/groups to access for this application (Under User Access)
10. Send the metadata file to Cloud Defense

Okta-specific instructions

1. Go to your Okta account admin apps section: https://YOUR-ACCOUNT.okta.com/admin/apps/active

2. Click Create App Integration.

3. Choose SAML 2.0, click Next.

4. In General Settings:

   • Enter an App name, such as Cloud Defense.
   • Check both Do not display application icon boxes.
   • Click Next.

5. In Configure SAML, General section enter the following:

   • Single sign on URL: enter the first ACS URL above
   • Audience URI: urn:amazon:cognito:sp:us-west-2_sxsZbR4hW
   • Leave all other fields their default value.
   • Select Show Advanced Settings
   • Enter the second ACS URL from above in the Other Requestable SSO URLs section

6. In Configure SAML, Attribute Statements section, add the following attributes, all with Unspecified for Name format:

   • email: user.email
   • given_name: user.firstName
   • family_name: user.lastName

7. Click Next.

8. In Feedback, choose I'm an Okta customer, and This is an internal app, click Finish.

9. On the Sign On tab, in the SAML Signing Certificates section, click the 'Actions' dropdown for the Active certificate, then right-click View IdP metadata then click Copy Link Address. If that exact procedure doesn't work you can go to the IdP metadata web page and copy the URL from there. You will need to provide this to Cloud Defense personel, they will complete the setup and tie it to your corporate email domain.

10. On the Assignments tab, assign the app to your users and groups.

After Cloud Defense support has completed your SAML integration, you should be able to access the Cloud Defense app via SAML by clicking "Sign in with your corporate ID" at the bottom of the login page, then entering your corporate email domain. You can also go to the URL below, with YOUR_DOMAIN_NAME replaced with your corporate email domain:

https://app.defense.firemon.cloud/sign-in/corporate/YOUR_DOMAIN_NAME

Okta Bookmark App

You can add this to your end user dashboard by adding a bookmark:

1. Go to your Okta account admin apps section: https://YOUR-ACCOUNT.okta.com/admin/apps/active
2. Click 'Browse App Catalog`.
3. Search for and click Bookmark App.
4. Click `Add'.
5. Enter an Application label, such as Cloud Defense.
6. Enter the URL provided to you by Cloud Defense support.
7. Leave the boxes unchecked and click Done.
8. On the Assignments tab, assign the app to your users and groups.