Configuring Single Sign On

If you plan to use SSO authentication for your ChaosSearch users, it is important to work with your ChaosSearch representative to gather the necessary information to set up the SSO connections. Be sure to discuss and plan for the following SSO configuration details:

• Your IdP application and version (if applicable), and if there are any special configuration details for your site
• Whether you plan to use the SP-initiated login model, or the IdP bookmark-style authentication model
• If you want the SSO users to be managed as JIT users or as husk/ephemeral users

📘

Consult the IAM administrator at your site and/or review any IdP details for SSO setup.

In most cases, SSO setup includes procedures to create connections, to prepare/download an X.509 certificate that will be required for access verification, and some required connection details from ChaosSearch. It can be helpful to familiarize yourself with the requirements of your IdP to understand the configuration requirements.

Typical SSO Configuration Workflow

The following are the main steps to configure SSO authentication with ChaosSearch:

1. ChaosSearch team engineers use our Auth0 broker to define a connection to the customer IdP. As output from this process, ChaosSearch provides the customer with some initial required input that is used for the customer's IdP configuration steps, such as:

   • Single sign on URL: https://customer-chaossearch.auth0.com/login/callback (this link is an example)
   • Audience URI (SP Entity ID): urn:auth0:customer-chaossearch:customer-idp

2. The customer IdP administrators use the supplied input to define a connection to Auth0 for their ChaosSearch user access requests. Although configuration procedures vary for IdP applications, the output is usually a set of data similar to the following that the customer provides to ChaosSearch to complete the Auth0 connection setup:

   • Identity Provider Single Sign-On URL
   • X.509 Certificate

3. ChaosSearch completes the configuration in Auth0 with the IdP SSO URL and the X.509 certificate to ensure that the Single Sign On connections are properly routed, and to ensure that the X.509 certificate is available for ChaosSearch to process the authentication information delivered by Auth0.

In addition to the connection steps, the are additional steps that are typically required, such as:

• User access to ChaosSearch -- steps to define the users that should be granted access permission
• Group/role authorization -- how to define the various types of roles needed for your users and how to assign them within the IdP entitlement procedures
• Portal setup -- for IdP-initiated SSO connections, how to define the user-visible bookmarks or links for ChaosSearch access

📘

Group Rollout Best Practices

Initially, it is a good idea to create one test SSO user assigned to the default group to verify that the SSO connections are working. Then, add more users and more groups to set the desired authorizations for testing/production. Remember that a group defined in your IdP must have the exact same name as a group defined in ChaosSearch for the authorizations to be properly assigned to users.

The following topics describe how to configure SSO connections for some popular IdP applications.