About Single Sign-On

In addition to its local authentication and authorization support, ChaosSearch supports single sign on (SSO) integrations with popular identity identity provider (IdP) services such as Auth0, Okta, Google, Azure AD, and others to authenticate and authorize user access.

These topics describe the ChaosSearch SSO models and how to configure them.

Overview of ChaosSearch SP-Initiated SSO Model

In the ChaosSearch service provider (SP) authentication model, users who connect to the ChaosSearch portal initiate a login authentication process as follows:

1. User accesses the ChaosSearch login page and clicks Single Sign On.

2. ChaosSearch redirects to its Auth0 broker through a secure TLS tunnel.

3. Using its ChaosSearch-configured connectors, Auth0 sends a request to the customer's configured SAML IdP connector to authenticate the user.

4. After the user authenticates, the IdP responds to Auth0 with an authentication SAML response/JWT token in the browser.

5. Auth0 sends the proof of key/code exchange token in the browser to ChaosSearch, which uses the information to process and complete the authentication and authorization to the configured ChaosSearch tenant.

To configure the IdP-initiated model, there are required configuration steps and information handoffs between ChaosSearch and the customer IdP admins to set up the connection from the ChaosSearch login page Single Sign On button, through Auth0, to the customer's IdP and back through Auth0 to the ChaosSearch tenant instance.

Overview of ChaosSearch IdP-Initiated Authentication Model

As an alternative to the SP-initiated model, some customers might prefer that their users connect to ChaosSearch from their company's local user portals or access pages rather than from the ChaosSearch login page. This is referred to as an Identity provider (IdP) initiated authentication.

In the IdP-initiated authentication model, users who connect to the ChaosSearch portal initiate a login authentication process as follows:

1. The user logs in and authenticates with their organization's IdP service.

2. Permitted users click a bookmark, link, or application icon (depending on the service) to access ChaosSearch.

3. The user's IdP connects to Auth0 to request access to ChaosSearch.

4. Auth0 verifies the user access request, and sends JWT access information to ChaosSearch, which will verify the information and grant access to the ChaosSearch console.

Just like the SP-initiated model, the IdP-initiated model requires some configuration steps and information handoffs between ChaosSearch and the customer IdP admins to create the connections. In addition, the IdP admins must create links to the ChaosSearch service within the user portals, and grant specific users or groups access to those links, so that users can authenticate locally and and then connect to ChaosSearch by clicking a link in their portal page (rather than going to to the ChaosSearch login page), as in the following example for JumpCloud:

🚧

Carefully consider IdP-initiated authentication and security

An IdP-initiated authentication might be more convenient for users because they have a ChaosSearch link or icon on their main end-user portal for all their applications. However, it is important to note the well-documented security concerns raised by IAM vendors, such as a higher vulnerability to login cross-site request forgery (CSRF) attacks and man-in-the-middle attacks. If you choose an IdP-initiated authentication model for ChaosSearch, make sure that you are aware of the possible security concerns for this mode.

Benefits of Single Sign-On

Using SSO solutions offers the following benefits versus locally defined users and groups:

Reduced password fatigue: Remembering one less password. Users of your organization who are granted access to ChaosSearch do not need to create and remember another password for ChaosSearch to log in and use our features.

Easily manage user access: Administrators can grant/prohibit access to ChaosSearch for their users via their IdP console without having to manage separate user accounts in ChaosSearch. Administrators have less application overhead for managing users and easier overall access control management for changes.

Improved security: Your identity provider manages and sends authentication assertions when users are authenticating to ChaosSearch, instead of passwords that are created by users.