diff --git a/docs/2.18/admin-en/configuration-guides/sso/change-sso-provider.md b/docs/2.18/admin-en/configuration-guides/sso/change-sso-provider.md
deleted file mode 100644
index 26e40101ac..0000000000
--- a/docs/2.18/admin-en/configuration-guides/sso/change-sso-provider.md
+++ /dev/null
@@ -1 +0,0 @@
---8<-- "latest/admin-en/configuration-guides/sso/change-sso-provider.md"
diff --git a/docs/3.6/admin-en/configuration-guides/sso/change-sso-provider.md b/docs/3.6/admin-en/configuration-guides/sso/change-sso-provider.md
deleted file mode 100644
index 26e40101ac..0000000000
--- a/docs/3.6/admin-en/configuration-guides/sso/change-sso-provider.md
+++ /dev/null
@@ -1 +0,0 @@
---8<-- "latest/admin-en/configuration-guides/sso/change-sso-provider.md"
diff --git a/docs/4.10/admin-en/configuration-guides/sso/change-sso-provider.md b/docs/4.10/admin-en/configuration-guides/sso/change-sso-provider.md
deleted file mode 100644
index 26e40101ac..0000000000
--- a/docs/4.10/admin-en/configuration-guides/sso/change-sso-provider.md
+++ /dev/null
@@ -1 +0,0 @@
---8<-- "latest/admin-en/configuration-guides/sso/change-sso-provider.md"
diff --git a/docs/4.8/admin-en/configuration-guides/sso/change-sso-provider.md b/docs/4.8/admin-en/configuration-guides/sso/change-sso-provider.md
deleted file mode 100644
index 26e40101ac..0000000000
--- a/docs/4.8/admin-en/configuration-guides/sso/change-sso-provider.md
+++ /dev/null
@@ -1 +0,0 @@
---8<-- "latest/admin-en/configuration-guides/sso/change-sso-provider.md"
diff --git a/docs/5.0/admin-en/configuration-guides/sso/change-sso-provider.md b/docs/5.0/admin-en/configuration-guides/sso/change-sso-provider.md
deleted file mode 100644
index 26e40101ac..0000000000
--- a/docs/5.0/admin-en/configuration-guides/sso/change-sso-provider.md
+++ /dev/null
@@ -1 +0,0 @@
---8<-- "latest/admin-en/configuration-guides/sso/change-sso-provider.md"
diff --git a/docs/5.0/admin-en/configuration-guides/sso/gsuite/overview.md b/docs/5.0/admin-en/configuration-guides/sso/gsuite/overview.md
deleted file mode 100644
index 0f64da9538..0000000000
--- a/docs/5.0/admin-en/configuration-guides/sso/gsuite/overview.md
+++ /dev/null
@@ -1 +0,0 @@
---8<-- "latest/admin-en/configuration-guides/sso/gsuite/overview.md"
diff --git a/docs/5.0/admin-en/configuration-guides/sso/intro.md b/docs/5.0/admin-en/configuration-guides/sso/intro.md
index 21c6700afd..26027b16c0 100644
--- a/docs/5.0/admin-en/configuration-guides/sso/intro.md
+++ b/docs/5.0/admin-en/configuration-guides/sso/intro.md
@@ -1 +1 @@
---8<-- "latest/admin-en/configuration-guides/sso/intro.md"
+--8<-- "latest/admin-en/configuration-guides/sso/intro.md"
\ No newline at end of file
diff --git a/docs/5.0/admin-en/configuration-guides/sso/okta/overview.md b/docs/5.0/admin-en/configuration-guides/sso/okta/overview.md
deleted file mode 100644
index aad810772b..0000000000
--- a/docs/5.0/admin-en/configuration-guides/sso/okta/overview.md
+++ /dev/null
@@ -1 +0,0 @@
---8<-- "latest/admin-en/configuration-guides/sso/okta/overview.md"
diff --git a/docs/5.0/admin-en/configuration-guides/sso/setup.md b/docs/5.0/admin-en/configuration-guides/sso/setup.md
new file mode 100644
index 0000000000..c7312fc0ef
--- /dev/null
+++ b/docs/5.0/admin-en/configuration-guides/sso/setup.md
@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/setup.md"
\ No newline at end of file
diff --git a/docs/5.0/admin-en/configuration-guides/sso/sso-gsuite.md b/docs/5.0/admin-en/configuration-guides/sso/sso-gsuite.md
new file mode 100644
index 0000000000..498ac5ac64
--- /dev/null
+++ b/docs/5.0/admin-en/configuration-guides/sso/sso-gsuite.md
@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/sso-gsuite.md"
\ No newline at end of file
diff --git a/docs/5.0/admin-en/configuration-guides/sso/sso-okta.md b/docs/5.0/admin-en/configuration-guides/sso/sso-okta.md
new file mode 100644
index 0000000000..7644c99038
--- /dev/null
+++ b/docs/5.0/admin-en/configuration-guides/sso/sso-okta.md
@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/sso-okta.md"
\ No newline at end of file
diff --git a/docs/5.0/admin-en/configuration-guides/sso/troubleshooting.md b/docs/5.0/admin-en/configuration-guides/sso/troubleshooting.md
new file mode 100644
index 0000000000..73abb9893d
--- /dev/null
+++ b/docs/5.0/admin-en/configuration-guides/sso/troubleshooting.md
@@ -0,0 +1 @@
+--8<-- "latest/admin-en/configuration-guides/sso/troubleshooting.md"
\ No newline at end of file
diff --git a/docs/latest/admin-en/configuration-guides/ldap/ldap.md b/docs/latest/admin-en/configuration-guides/ldap/ldap.md
index 98a076324f..65cbd4dda4 100644
--- a/docs/latest/admin-en/configuration-guides/ldap/ldap.md
+++ b/docs/latest/admin-en/configuration-guides/ldap/ldap.md
@@ -1,6 +1,6 @@
 # Using LDAP
 
-You can use LDAP technology to authenticate your company's users to the Wallarm portal if your company already uses a LDAP solution. This article describes how to configure an LDAP integration with your directory service.
+You can use LDAP technology to authenticate your company's users to the Wallarm Console if your company already uses a LDAP solution. This article describes how to configure an LDAP integration with your directory service.
 
 ## Overview
diff --git a/docs/latest/admin-en/configuration-guides/sso/change-sso-provider.md b/docs/latest/admin-en/configuration-guides/sso/change-sso-provider.md
deleted file mode 100644
index 39263268d9..0000000000
--- a/docs/latest/admin-en/configuration-guides/sso/change-sso-provider.md
+++ /dev/null
@@ -1,51 +0,0 @@ -# Changing the Configured SSO Authentication - -[img-disable-sso-provider]: ../../../images/admin-guides/configuration-guides/sso/disable-sso-provider.png - -[doc-setup-sso-gsuite]: gsuite/overview.md -[doc-setup-sso-okta]: okta/overview.md - -[anchor-edit]: #editing -[anchor-disable]: #disabling -[anchor-remove]: #removing - -You can [edit][anchor-edit], [disable][anchor-disable] or [remove][anchor-remove] configured SSO authentication. - -!!! warning "Attention: SSO will be disabled for all users" - Note that when you disable or remove SSO authentication, it will be disabled for all users. Users will be notified that SSO authentication is disabled and the password needs to be restored. - -## Editing - -To edit configured SSO authentication: - -1. Go to **Settings → Integration** in Wallarm UI. -2. Select the **Edit** option in configured SSO provider menu. -3. Update SSO provider details and **Save changes**. - -## Disabling - -To disable SSO, go to *Settings → Integration*. Click on the block of the corresponding SSO provider and then on the *Disable* button. - -![disabling-sso-provider][img-disable-sso-provider] - -In the pop-up window, it is required to confirm the disabling of the SSO provider, as well as the disabling of the SSO authentication of all users. -Click *Yes, disable*. - -After confirmation, the SSO provider will be disconnected, but its settings will be saved and you can enable this provider again in the future. In addition, after disabling, you will be able to connect another SSO provider (another service as an identity provider). - -## Removing - -!!! warning "Attention: About removing the SSO provider" - Compared to disabling, removing the SSO provider will cause the loss of all its settings without the possibility of recovery. - - If you need to reconnect your provider, you will need to reconfigure it. - - -Removing the SSO provider is similar to disabling it. - -Go to *Settings → Integration*. 
Click on the block of the corresponding SSO provider and then on the *Remove* button. - -In the pop-up window, it is required to confirm the removing of the provider, as well as to disable SSO authentication of all users. -Click *Yes, remove*. - -After confirmation, the selected SSO provider will be removed and will no longer be available. Also, you will be able to connect to another SSO provider. diff --git a/docs/latest/admin-en/configuration-guides/sso/employ-user-auth.md b/docs/latest/admin-en/configuration-guides/sso/employ-user-auth.md index 35deeeacea..dd3a3aeab6 100644 --- a/docs/latest/admin-en/configuration-guides/sso/employ-user-auth.md +++ b/docs/latest/admin-en/configuration-guides/sso/employ-user-auth.md @@ -1,4 +1,4 @@ -# Configuring SSO authentication for users +# Selecting SSO Users [img-enable-sso-for-user]: ../../../images/admin-guides/configuration-guides/sso/enable-sso-for-user.png [img-disable-sso-for-user]: ../../../images/admin-guides/configuration-guides/sso/disable-sso-for-user.png 
@@ -12,17 +12,17 @@ [anchor-enable]: #enabling-sso-authentication-for-users [anchor-disable]: #disabling-sso-authentication-for-users -You can [enable][anchor-enable] or [disable][anchor-disable] SSO authentication to Wallarm portal users. +When in **Simple SSO (legacy)** [mode](intro.md#sso-modes), you can select users for whom the SSO authentication will be available. -## Enabling SSO authentication for users +## Enabling SSO for user !!! warning * When enabling SSO authentication for users, a login/password log in mechanism and the two-factor authentication will not be available. When SSO authentication is enabled, the user's password is erased and two-factor authentication is disabled. * It is assumed that you have already given the required group of users access to the configured Wallarm application on the [Okta][doc-allow-access-okta] or [G Suite][doc-allow-access-gsuite] side. -To enable SSO authentication for Wallarm users: +To enable SSO authentication for Wallarm user: 1. Go to **Settings** → **Users**. 1. From the user menu, select **Enable SSO login**. @@ -35,9 +35,9 @@ After that, the user [can authenticate][doc-user-sso-guide] through the identity Note that you can also enable SSO for all company account users using the [Strict SSO](#strict-sso-mode) mode. -## Disabling SSO authentication for users +## Disabling SSO for user -To disable SSO authentication for Wallarm users: +To disable SSO authentication for Wallarm user: 1. Go to **Settings** → **Users**. 1. From the user menu, select **Disable SSO**. 
@@ -45,39 +45,3 @@ To disable SSO authentication for Wallarm users: ![Disabling SSO for Wallarm user][img-disable-sso-for-user] After that, the user will be notified by an email that the login using SSO is disabled with a suggestion (link) to restore the password to log in with the login/password pair. In addition, two-factor authentication becomes available to the user. - -## SSO and API authentication - -When SSO is enabled for the user, authentication for [requests to Wallarm API](../../../api/overview.md#your-own-api-client) becomes unavailable for this user. To get working API credentials, you have two options: - -* If the **strict SSO** mode is not used, create user without SSO option under your company account, and create [API token(s)](../../../api/overview.md#your-own-api-client). -* If the **strict SSO** mode is used, you can enable API authentication for the SSO users with the **Administrator** role. To do this, select **Enable API access** from this user menu. The `SSO+API` auth method is enabled for the user which allows creating API tokens. - - Later you can disable API authentication for the user by selecting **Disable API access**. If this is done, all existing API tokens will be deleted and in a week - removed. - -## Strict SSO mode - -Wallarm supports the **strict SSO** mode that differs from the regular SSO in that it enables SSO authentication for all company account users at once. Other characteristics of the strict SSO mode are: - -* The authentication method for all existing users of the account is switched to SSO. -* All new users get the SSO as the authentication method by default. -* Authentication method cannot be switched to anything different from SSO for any user. - -To enable or disable the strict SSO mode, contact the [Wallarm support team](mailto:support@wallarm.com). - -!!! 
info "How active sessions are treated when enabling strict SSO" - If there are any users signed into the company account when it is switched to the strict SSO mode, these sessions remain active. After sign out, the users will be prompted to use SSO. - -## SSO authentication troubleshooting - -If the user cannot sign in via SSO, the error message is displayed with one of the error codes described in the table below. In most cases, the company account administrator can fix these errors: - -| Error code | Description | How to fix | -|--|--|--| -| `saml_auth_not_found + userid` | User does not have SSO enabled. | Enable SSO as described in the section [above](#enabling-sso-authentication-for-users). | -| `saml_auth_not_found + clientid` | Client does not have an SSO integration in the **Integrations** section. | Follow the instructions in the [integration with the SAML SSO](intro.md) documentation. | -| `invalid_saml_response` or `no_mail_in_saml_response` | The SSO provider gave an unexpected response. It may be a sign of a misconfigured SSO integration. | Do one of the following:
| -| `user_not_found` | Wallarm did not find the user with the specified email. | Create a user with this email in Wallarm Console. | -| `client_not_found` | The company account was not found in Wallarm. | Create a user account with an appropriate email domain, which will create the company account immediately. | - - If necessary, administrator can contact the [Wallarm support team](mailto:support@wallarm.com) to get help in fixing any of these errors. \ No newline at end of file diff --git a/docs/latest/admin-en/configuration-guides/sso/gsuite/overview.md b/docs/latest/admin-en/configuration-guides/sso/gsuite/overview.md deleted file mode 100644 index 6eeb74debd..0000000000 --- a/docs/latest/admin-en/configuration-guides/sso/gsuite/overview.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Connecting SSO with G Suite - -[doc-setup-sp]: setup-sp.md -[doc-setup-idp]: setup-idp.md -[doc-metadata-transfer]: metadata-transfer.md -[doc-allow-access-to-wl]: allow-access-to-wl.md - -[doc-user-sso-guide]: ../../../../user-guides/use-sso.md - -[doc-employ-sso]: ../employ-user-auth.md -[doc-disable-sso]: ../change-sso-provider.md - -[link-gsuite]: https://gsuite.google.com/ - -This guide will cover the process of connecting the [G Suite][link-gsuite] (Google) service as an identity provider to Wallarm, which acts as the service provider. - -!!! note - By default, SSO connection on Wallarm is not available without activating the appropriate service. To activate the SSO service, please contact your account manager or the [Wallarm support team](mailto:support@wallarm.com). - - After activating the service - - * you will be able to perform the following SSO connection procedure, and - * the SSO-related blocks will be visible in the “Integrations” tab. - - In addition, you need accounts with administration rights both for Wallarm and G Suite. - -The process of connecting SSO with G Suite comprises the following steps: -1. [Generating Parameters on the Wallarm Side.][doc-setup-sp] -2. [Creating and Configuring an Application in G Suite.][doc-setup-idp] -3. [Transferring G Suite Metadata to the Wallarm Setup Wizard.][doc-metadata-transfer] -4. [Allowing Access to the Wallarm Application on the G Suite Side][doc-allow-access-to-wl] - -After that, [configure SSO authentication][doc-employ-sso] for Wallarm users. diff --git a/docs/latest/admin-en/configuration-guides/sso/gsuite/setup-sp.md b/docs/latest/admin-en/configuration-guides/sso/gsuite/setup-sp.md index 1e1bb1a6e2..f85c9503ee 100644 --- a/docs/latest/admin-en/configuration-guides/sso/gsuite/setup-sp.md +++ b/docs/latest/admin-en/configuration-guides/sso/gsuite/setup-sp.md 
@@ -1,9 +1,6 @@ -[img-gsuite-sso-provider-wl]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/gsuite-sso-provider-wl.png -[img-sp-metadata]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/sp-metadata.png -[doc-setup-idp]: setup-idp.md -# Step 1: Generating Parameters on the Wallarm Side (G Suite) +# Step 1: Generating Parameters on the Wallarm side (G Suite) To connect SSO with G Suite, you will first need to generate some parameters on the Wallarm side. diff --git a/docs/latest/admin-en/configuration-guides/sso/intro.md b/docs/latest/admin-en/configuration-guides/sso/intro.md index 6059bcbe20..c5decece63 100644 --- a/docs/latest/admin-en/configuration-guides/sso/intro.md +++ b/docs/latest/admin-en/configuration-guides/sso/intro.md 
@@ -1,22 +1,28 @@ -# Overview of integration with the SAML SSO solution +# SAML SSO Authentication Overview -[doc-admin-sso-gsuite]: gsuite/overview.md -[doc-admin-sso-okta]: okta/overview.md +You can use single sign‑on (SSO) technology to authenticate your company's users to the Wallarm Console. Wallarm seamlessly integrates with any identity provider (IdP) that supports the SAML standard, such as Google or Okta, while acting as the service provider (SP). -[link-saml]: https://wiki.oasis-open.org/security/FrontPage -[link-saml-sso-roles]: https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf +![Integrations - SSO](../../../../images/admin-guides/configuration-guides/sso/sso-integration-add.png) -You can use Single Sign‑On (SSO) technology to authenticate your company's users to the Wallarm portal if your company already uses a [SAML][link-saml] SSO solution. +## Available options -Wallarm can be integrated with any solution that supports the SAML standard. The SSO guides describe integration using [Okta][doc-admin-sso-okta] or [Google Suite (G Suite)][doc-admin-sso-gsuite] as an example. +You can set up Wallarm SSO integration with or without **provisioning**. Provisioning is an automatic transfer of data from SAML SSO solution to Wallarm: your SAML SSO solution users and their group membership define access to Wallarm and permissions there; all user management is performed on SAML SSO solution side. -The documents related to the configuration and operation of Wallarm with SSO assume the following: -* Wallarm acts as a **service provider** (SP). -* Google or Okta acts as an **identity provider** (IdP). +With **provisioning off**, for users that you have in your SAML SSO solution, you need to create corresponding users in Wallarm. User roles are also defined in Wallarm and you are able to select users that should login via SSO - the remaining will use login/password. 
You can also enable **Strict SSO** option which enables SSO authentication for all company account users at once. -More information about roles in SAML SSO can be found here ([PDF][link-saml-sso-roles]). +Users using SSO: -!!! warning "Enabling the SSO service" - By default, SSO connection on Wallarm is not available without activating the appropriate service. To activate the SSO service, please contact your account manager or the [Wallarm support team](mailto:support@wallarm.com). - - If no SSO service is activated, then SSO-related blocks will not be visible in the **Integrations** section in Wallarm Console. \ No newline at end of file +* Cannot authenticate with login and password and cannot have two-factor authentication (2FA) enabled. +* With provisioning, cannot be disabled or deleted from Wallarm side. + +See details on provisioning and options available when you do not use it [here](setup.md#step-4-saml-sso-solution-configure-provisioning). + +## Enabling and setup + +By default, SSO service for authentication in Wallarm is not active, corresponding blocks are not visible in the **Integrations** section in Wallarm Console. + +To activate the SSO service, contact the [Wallarm support team](https://support.wallarm.com/). + +Once service activated, you can set it up, providing necessary configuration both on Wallarm side and on the side of your SAML SSO solution. See details [here](setup.md). + +Note that although Wallarm can be integrated with any solution that supports the SAML standard, there can be only one active SSO integration at a time. diff --git a/docs/latest/admin-en/configuration-guides/sso/okta/overview.md b/docs/latest/admin-en/configuration-guides/sso/okta/overview.md deleted file mode 100644 index 4729a9f4ec..0000000000 --- a/docs/latest/admin-en/configuration-guides/sso/okta/overview.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Connecting SSO with Okta - -[doc-setup-sp]: setup-sp.md -[doc-setup-idp]: setup-idp.md -[doc-metadata-transfer]: metadata-transfer.md -[doc-allow-access-to-wl]: allow-access-to-wl.md - -[doc-user-sso-guide]: ../../../../user-guides/use-sso.md - -[doc-employ-sso]: ../employ-user-auth.md -[doc-disable-sso]: ../change-sso-provider.md - -[link-okta]: https://www.okta.com/ - -This guide will cover the process of connecting the [Okta][link-okta] service as an identity provider to Wallarm, which acts as the service provider. - -!!! note - - By default, SSO connection on Wallarm is not available without activating the appropriate service. To activate the SSO service, please contact your account manager or the [Wallarm support team](mailto:support@wallarm.com). - - After activating the service - - * you will be able to perform the following SSO connection procedure, and - * the SSO-related blocks will be visible in the “Integrations” tab. - - In addition, you need accounts with administration rights both for Wallarm and Okta. - -The process of connecting SSO with Okta comprises the following steps: -1. [Generating Parameters on the Wallarm Side.][doc-setup-sp] -2. [Creating and Configuring an Application in Okta.][doc-setup-idp] -3. [Transferring Okta Metadata to the Wallarm Setup Wizard.][doc-metadata-transfer] -4. [Allowing Access to the Wallarm Application on the Okta Side][doc-allow-access-to-wl] - -After that, [configure SSO authentication][doc-employ-sso] for Wallarm users. diff --git a/docs/latest/admin-en/configuration-guides/sso/setup.md b/docs/latest/admin-en/configuration-guides/sso/setup.md new file mode 100644 index 0000000000..f09cb0d09c --- /dev/null +++ b/docs/latest/admin-en/configuration-guides/sso/setup.md 
@@ -0,0 +1,107 @@ +# SAML SSO Authentication Setup + +[img-disable-sso-provider]: ../../../images/admin-guides/configuration-guides/sso/disable-sso-provider.png +[doc-setup-sso-gsuite]: gsuite/overview.md +[doc-setup-sso-okta]: okta/overview.md + +This article describes the generic flow of enabling and configuring Wallarm's [SAML SSO Authentication](intro.md). + +You can also get acquainted with examples for [G Suite](sso-gsuite.md) and [Okta](sso-okta.md) SAML SSO solutions. + +## Step 1: Activate SSO service + +By default, SSO service for authentication in Wallarm is not active, corresponding blocks are not visible in the **Integrations** section in Wallarm Console. + +To activate the SSO service, contact the [Wallarm support team](https://support.wallarm.com/). + +## Step 2 (Wallarm): Generate metadata + +You need Wallarm metadata to enter on the SAML SSO solution side: + +1. In Wallarm Console, go to **Integrations** → **SSO SAML AUTHENTICATION** and initiate the appropriate integration. + + You can integrate Google, Okta or any other (**Custom**) SAML SSO solution. Note that only one SSO integration can be active at the moment. + + ![Integrations - SSO](../../../../images/admin-guides/configuration-guides/sso/sso-integration-add.png) + +1. In the SSO configuration wizard, at the **Send details** step, overview the metadata to be sent to your SAML SSO solution. +1. Copy metadata or save them as XML. + +## Step 3 (SAML SSO solution): Configure application + +1. Log in to your SAML SSO solution. +1. Configure application that will provide access to Wallarm. +1. Copy the application's metadata or save them as XML. +1. Make sure the application is activated and users have access to it. 
+ +## Step 4 (SAML SSO solution): Configure provisioning + +The **provisioning** is an automatic transfer of data from SAML SSO solution to Wallarm: your SAML SSO solution users and their group membership define access to Wallarm and permissions there; all user management is performed on SAML SSO solution side. + +For this to work, provide the attribute mapping: + +1. In the application providing access to Wallarm, map the attributes: + + * `email` + * `first_name` + * `last_name` + * user group(s) to `wallarm_role:[role]` where `role` is: + + * `admin` (**Administrator**) + * `analytic` (**Analyst**) + * `api_developer` (**API Developer**) + * `auditor` (**Read Only**) + * `partner_admin` (**Global Administrator**) + * `partner_analytic` (**Global Analyst**) + * `partner_auditor` (**Global Read Only**) + + See all role descriptions [here](../../../user-guides/settings/users.md#user-roles). + + If your SAML SSO solution does not support mapping of groups to different attributes, map all groups to `wallarm_roles` tag (like in [case](sso-gsuite.md#step-4-g-suite-configure-provisioning-part-1) of Google), and then map groups to roles on the Wallarm side - see [step 6](#step-6-wallarm-configure-provisioning-optional). + +1. Save the changes. + +**Turning provisioning off** + +You can turn the provisioning option off by contacting the [Wallarm support team](https://support.wallarm.com/). If it is off, for users that you have in your SAML SSO solution, you will need to create corresponding users in Wallarm. User roles should also be defined in Wallarm Console. + +With provisioning turned off, you should manually create users, set their roles and select users that should login via SSO - the remaining will use login/password. By your request, Wallarm support can also turn on **Strict SSO** option which enables SSO authentication for all company account users at once. 
Other characteristics of Strict SSO are: + +* The authentication method for all existing users of the account is switched to SSO. +* All new users get the SSO as the authentication method by default. +* Authentication method cannot be switched to anything different from SSO for any user. + +When provisioning is off, user management is performed in Wallarm Console → **Settings** → **Users** as described [here](../../../user-guides/settings/users.md). Mapping with SAML SSO solution uses only the `email` attribute. + +## Step 5 (Wallarm): Enter SSO SAML solution metadata + +1. In Wallarm Console, in the SSO configuration wizard, proceed to the **Upload metadata** step. +1. Do one of the following: + + * Upload G Suite metadata as an XML file. + * Enter metadata manually. + +## Step 6 (Wallarm): Configure provisioning (optional) + +This step only should be fulfilled if your SAML SSO solution does not support mapping of groups to different attributes and all groups are mapped to `wallarm_roles` tag (like in [case](sso-gsuite.md#step-4-g-suite-configure-provisioning-part-1) of Google). + +1. Proceed to the **Roles mapping** step. +1. Map one or several SSO groups to Wallarm roles. Available roles are: + + * `admin` (**Administrator**) + * `analytic` (**Analyst**) + * `api_developer` (**API Developer**) + * `auditor` (**Read Only**) + * `partner_admin` (**Global Administrator**) + * `partner_analytic` (**Global Analyst**) + * `partner_auditor` (**Global Read Only**) + + See all role descriptions [here](../../../user-guides/settings/users.md#user-roles). + + ![SSO groups to Wallarm roles - mapping in Wallarm](../../../../images/admin-guides/configuration-guides/sso/sso-mapping-in-wallarm.png) + +1. Complete SSO configuration wizard. Wallarm will test if data to/from your SAML SSO Solution can now be transferred. 
+ +## Disabling and deletion + +You can disable and delete SSO in the **Integrations** section only when [provisioning](#step-4-saml-sso-solution-configure-provisioning) is off. To turn it off, contact the [Wallarm support team](https://support.wallarm.com/). diff --git a/docs/latest/admin-en/configuration-guides/sso/sso-gsuite.md b/docs/latest/admin-en/configuration-guides/sso/sso-gsuite.md new file mode 100644 index 0000000000..b19bc46fa9 --- /dev/null +++ b/docs/latest/admin-en/configuration-guides/sso/sso-gsuite.md 
@@ -0,0 +1,135 @@ +# Connecting SSO with G Suite + +[img-gsuite-console]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/gsuite-console.png +[img-gsuite-add-app]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/gsuite-add-app.png +[img-fetch-metadata]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/gsuite-fetch-metadata.png +[img-fill-in-sp-data]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/gsuite-fill-in-sp-data.png +[img-app-page]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/gsuite-app-page.png +[link-gsuite-adm-console]: https://admin.google.com +[img-sp-wizard-transfer-metadata]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/sp-wizard-transfer-metadata.png +[img-transfer-metadata-manually]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/transfer-metadata-manually.png +[img-sp-wizard-finish]: ../../../../images/admin-guides/configuration-guides/sso/gsuite/sp-wizard-finish.png + +This guide covers the process of connecting the [G Suite](https://gsuite.google.com/) (Google) service as an identity provider to Wallarm, which acts as the service provider. + +To fulfill steps, you need accounts with administration rights both for Wallarm and G Suite. + +## Step 1 (Wallarm): Activate SSO service + +By default, SSO service for authentication in Wallarm is not active, corresponding blocks are not visible in the **Integrations** section in Wallarm Console. + +To activate the SSO service, contact the [Wallarm support team](https://support.wallarm.com/). + +## Step 2 (Wallarm): Generate metadata + +You need Wallarm metadata to enter on the G Suite side: + +1. In Wallarm Console, go to **Integrations** → **SSO SAML AUTHENTICATION** and initiate the **Google SSO** configuration. + + ![Integrations - SSO](../../../../images/admin-guides/configuration-guides/sso/sso-integration-add.png) + +1. 
In the SSO configuration wizard, at the **Send details** step, overview the Wallarm metadata, that should be passed to the G Suite service. + + ![Wallarm's metadata](../../../../images/admin-guides/configuration-guides/sso/gsuite/sp-metadata.png) + + * **Wallarm Entity ID** is a unique application identifier generated by the Wallarm application for the identity provider. + * **Assertion Consumer Service URL (ACS URL)** is the address on the Wallarm side of the application on which identity provider sends requests with the SamlResponse parameter. + +1. Copy metadata or save them as XML. + +## Step 3 (G Suite): Configure application + +To configure application in G Suite: + +1. Log in to the Google [admin console][link-gsuite-adm-console]. +1. Go to **Apps**. + + ![G Suite admin console][img-gsuite-console] + +1. Click **SAML apps** → **Add a service/App to your domain**. +1. Click **Setup my own custom app**. + + ![Adding a new application to G Suite][img-gsuite-add-app] + + You will be provided with G Suite metadata: + + * **SSO URL** + * **Entity ID** + * **Certificate** (X.509) + +1. Copy metadata or save them as XML. +1. Click **Next**. + + ![Saving metadata][img-fetch-metadata] + +1. Enter the Wallarm's metadata. Required fields: + + * **ACS URL** = **Assertion Consumer Service URL** parameter in Wallarm. + * **Entity ID** = the **Wallarm Entity ID** parameter in Wallarm. + +1. Fill in the remaining parameters if required, and click **Next**. + + ![Filling in service provider information][img-fill-in-sp-data] + +1. Click **Finish**. You will be redirected to the page of the created application. + + ![Application page in G Suite][img-app-page] + +1. Provide G Suite users with access to the created application by via **Edit Service** → **Service status** → **ON for everyone**. +1. Save the changes. 
+ +## Step 4 (G Suite): Configure provisioning - part 1 + +The **provisioning** is an automatic transfer of data from SAML SSO solution (G Suite) to Wallarm: your G Suite users and their group membership define access to Wallarm and permissions there; all user management is performed on G Suite side. + +For this to work, provide the attribute mapping: + +1. In G Suite application, via **Add new mapping**, map: + + * `email` + * `first_name` + * `last_name` + * user group(s) to `wallarm_roles` tag + + ![SAML SSO solution - G Suite - Mapping](../../../images/admin-guides/configuration-guides/sso/simple-sso-mapping.png) + +1. Save the changes. + + Configuring provisioning will continue in [step 6](#step-6-wallarm-configure-provisioning---part-2) on Wallarm side. + +## Step 5 (Wallarm): Enter G Suite metadata + +1. In Wallarm Console, in the SSO configuration wizard, proceed to the **Upload metadata** step. +1. Do one of the following: + + * Upload G Suite metadata as an XML file. + + ![Metadata uploading][img-sp-wizard-transfer-metadata] + + * Enter metadata manually as follows: + + * **SSO URL** → **Identity provider SSO URL** + * **Entity ID** → **Identity provider issuer** + * **Certificate** → **X.509 Certificate** + + ![Entering the metadata manually][img-transfer-metadata-manually] + + +## Step 6 (Wallarm): Configure provisioning - part 2 + +1. Proceed to the **Roles mapping** step. +1. Map one or several SSO groups to Wallarm roles. Available roles are: + + * `admin` (**Administrator**) + * `analytic` (**Analyst**) + * `api_developer` (**API Developer**) + * `auditor` (**Read Only**) + * `partner_admin` (**Global Administrator**) + * `partner_analytic` (**Global Analyst**) + * `partner_auditor` (**Global Read Only**) + + See all role descriptions [here](../../../user-guides/settings/users.md#user-roles). + + ![SSO groups to Wallarm roles - mapping in Wallarm](../../../../images/admin-guides/configuration-guides/sso/sso-mapping-in-wallarm.png) + +1. 
Complete SSO configuration wizard. Wallarm will test if data to/from your G Suite can now be transferred. diff --git a/docs/latest/admin-en/configuration-guides/sso/sso-okta.md b/docs/latest/admin-en/configuration-guides/sso/sso-okta.md new file mode 100644 index 0000000000..23944fda50 --- /dev/null +++ b/docs/latest/admin-en/configuration-guides/sso/sso-okta.md 
@@ -0,0 +1,126 @@
+# Connecting SSO with Okta
+
+[link-okta]: https://www.okta.com/
+[img-dashboard]: ../../../../images/admin-guides/configuration-guides/sso/okta/dashboard.png
+[img-general]: ../../../../images/admin-guides/configuration-guides/sso/okta/wizard-general.png
+[img-saml]: ../../../../images/admin-guides/configuration-guides/sso/okta/wizard-saml.png
+[img-saml-preview]: ../../../../images/admin-guides/configuration-guides/sso/okta/wizard-saml-preview.png
+[img-feedback]: ../../../../images/admin-guides/configuration-guides/sso/okta/wizard-feedback.png
+[link-okta-docs]: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard.htm
+[img-transfer-metadata-manually]: ../../../../images/admin-guides/configuration-guides/sso/okta/transfer-metadata-manually.png
+[img-sp-wizard-finish]: ../../../../images/admin-guides/configuration-guides/sso/okta/sp-wizard-finish.png
+[img-sp-metadata]: ../../../../images/admin-guides/configuration-guides/sso/okta/sp-metadata.png
+[img-assignments]: ../../../../images/admin-guides/configuration-guides/sso/okta/assignments.png
+
+This guide covers the process of connecting the [Okta][link-okta] service as an identity provider to Wallarm, which acts as the service provider.
+
+To fulfill steps, you need accounts with administration rights both for Wallarm and Okta.
+
+## Step 1 (Wallarm): Activate SSO service
+
+By default, SSO service for authentication in Wallarm is not active, corresponding blocks are not visible in the **Integrations** section in Wallarm Console.
+
+To activate the SSO service, contact the [Wallarm support team](https://support.wallarm.com/).
+
+## Step 2 (Wallarm): Generate metadata
+
+You need Wallarm metadata to enter on the Okta side:
+
+1. In Wallarm Console, go to **Integrations** → **SSO SAML AUTHENTICATION** and initiate the **Okta SSO** configuration.
+
+ ![Integrations - SSO](../../../../images/admin-guides/configuration-guides/sso/sso-integration-add.png)
+
+1. 
In the SSO configuration wizard, at the **Send details** step, overview the Wallarm metadata, that should be passed to the Okta service.
+
+ ![Wallarm's metadata][img-sp-metadata]
+
+ * **Wallarm Entity ID** is a unique application identifier generated by the Wallarm application for the identity provider.
+ * **Assertion Consumer Service URL (ACS URL)** is the address on the Wallarm side of the application on which identity provider sends requests with the SamlResponse parameter.
+
+1. Copy metadata or save them as XML.
+
+## Step 3 (Okta): Configure application
+
+To configure application in Okta:
+
+1. Log in to Okta as administrator.
+1. Click **Administrator** → **Dashboard** → **Add Applications**.
+
+ ![Okta dashboard][img-dashboard]
+
+1. Click **Create New App**.
+1. Set:
+
+ * **Platform** → “Web”.
+ * **Sign‑on method** → “SAML 2.0”.
+
+1. Proceed and in the **Create SAML Integration** wizard set general integration settings, such as **App Name** and optionally **App logo**.
+
+ ![General settings][img-general]
+
+1. Proceed and enter the Wallarm's metadata. Required fields:
+
+ * **Single sign‑on URL** = **Assertion Consumer Service URL (ACS URL)** in Wallarm.
+ * **Audience URI (SP Entity ID)** = **Wallarm Entity ID** in Wallarm.
+
+ ![Configure SAML][img-saml]
+
+1. Optionally, set other parameters described in [Okta documentation][link-okta-docs].
+
+ ![SAML settings preview][img-saml-preview]
+
+1. Proceed and set **Are you a customer or partner** to "I'm an Okta customer adding an internal app".
+1. Optionally, set other parameters.
+
+ ![Feedback form][img-feedback]
+
+1. Click **Finish**. You will be redirected to the page of the created application.
+1. To get Okta metadata, go to the **Sign On** tab, do one of the following:
+
+ * Click **Identity Provider metadata** and save displayed data as XML.
+ * Click **View Setup instructions** and copy displayed data.
+
+1. 
Provide Okta users with access to the created application by going to **Administrator** → **Dashboard** → **Assign Applications** and assigning users to the application.
+
+ ![Assigning users to the application][img-assignments]
+
+## Step 4 (Okta): Configure provisioning
+
+The **provisioning** is an automatic transfer of data from SAML SSO solution (Okta) to Wallarm: your Okta users and their group membership define access to Wallarm and permissions there; all user management is performed on Okta side.
+
+For this to work, provide the attribute mapping:
+
+1. In Okta application, map:
+
+ * `email`
+ * `first_name`
+ * `last_name`
+ * user group(s) to `wallarm_role:[role]` where `role` is:
+
+ * `admin` (**Administrator**)
+ * `analytic` (**Analyst**)
+ * `api_developer` (**API Developer**)
+ * `auditor` (**Read Only**)
+ * `partner_admin` (**Global Administrator**)
+ * `partner_analytic` (**Global Analyst**)
+ * `partner_auditor` (**Global Read Only**)
+
+ See all role descriptions [here](../../../user-guides/settings/users.md#user-roles).
+
+1. Save the changes.
+
+## Step 5 (Wallarm): Enter Okta metadata
+
+1. In Wallarm Console, in the SSO configuration wizard, proceed to the **Upload metadata** step.
+1. Do one of the following:
+
+ * Upload Okta metadata as an XML file.
+ * Enter metadata manually as follows:
+
+ * **Identity Provider Single Sign‑On URL** → **Identity provider SSO URL**.
+ * **Identity Provider Issuer** → **Identity provider issuer**.
+ * **X.509 Certificate** → **X.509 Certificate** field.
+
+ ![Entering the metadata manually][img-transfer-metadata-manually]
+
+1. Complete SSO configuration wizard. Wallarm will test if data to/from your Okta can now be transferred.
diff --git a/docs/latest/admin-en/configuration-guides/sso/troubleshooting.md b/docs/latest/admin-en/configuration-guides/sso/troubleshooting.md
new file mode 100644
index 0000000000..524e5547e1
--- /dev/null
+++ b/docs/latest/admin-en/configuration-guides/sso/troubleshooting.md
@@ -0,0 +1,27 @@
+# SAML SSO Authentication Troubleshooting
+
+This article describes how to troubleshoot Wallarm's [SAML SSO Authentication](intro.md).
+
+### SSO and API authentication
+
+When SSO is enabled for the user, authentication for [requests to Wallarm API](../../../api/overview.md#your-own-api-client) becomes unavailable for this user. To get working API credentials, different options depending on the used SSO [options](intro.md#available-options):
+
+* When provisioning is on or off with the strict SSO option, you can enable API authentication for the SSO users with the **Administrator** role. To do this, select **Enable API access** from this user menu. The `SSO+API` auth method is enabled for the user which allows creating API tokens.
+
+ Later you can disable API authentication for the user by selecting **Disable API access**. If this is done, all existing API tokens will be deleted and in a week - removed.
+
+* When provisioning is off and strict SSO is not used, create user without SSO option under your company account, and create [API token(s)](../../../api/overview.md#your-own-api-client).
+
+### Cannot sign in issues
+
+If the user cannot sign in via SSO, the error message is displayed with one of the error codes described in the table below. In most cases, the company account administrator can fix these errors:
+
+| Error code | Description | How to fix |
+|--|--|--|
+| `saml_auth_not_found + userid` | Provisioning is off and user does not have SSO enabled. | Enable SSO in Wallarm Console → **Settings** → **Users** → user menu → **Enable SSO**. |
+| `saml_auth_not_found + clientid` | Client does not have an SSO integration in the **Integrations** section. | Follow the instructions in the [integration with the SAML SSO](intro.md) documentation. |
+| `invalid_saml_response` or `no_mail_in_saml_response` | The SSO provider gave an unexpected response. It may be a sign of a misconfigured SSO integration. | Do one of the following:
|
+| `user_not_found` | Wallarm did not find the user with the specified email. | Create a user with this email in Wallarm Console. |
+| `client_not_found` | The company account was not found in Wallarm. | Create a user account with an appropriate email domain, which will create the company account immediately. |
+
+ If necessary, administrator can contact the [Wallarm support team](mailto:support@wallarm.com) to get help in fixing any of these errors.
diff --git a/docs/latest/user-guides/settings/users.md b/docs/latest/user-guides/settings/users.md
index d04ae9ec85..3d8c67b18a 100644
--- a/docs/latest/user-guides/settings/users.md
+++ b/docs/latest/user-guides/settings/users.md
@@ -63,7 +63,7 @@ More detailed information about access of different user roles to the Wallarm en | **API tokens** | Manage personal and shared tokens | Manage personal tokens | - | - | | **Activity log** | View | - | View | - |
-## Inviting a user
+## Inviting users
 You can add a user to your account in two ways, both involving the creation and sharing of an invitation link. You can either have Wallarm automatically send the invitation link to the user's specified email or share the link directly with the user.
@@ -87,6 +87,16 @@ This link leads them to the Wallarm signup page to create their account by choos After signup, they will be added to your user list and will receive a confirmation email.
+## Automatic creation with SSO
+
+You can manage Wallarm Console users and their permissions directly from your SAML SSO solution. In this case, in your SAML SSO solution, you have groups mapped to Wallarm roles - when you create new users inside these groups, they are automatically created in Wallarm and get:
+
+* Corresponding Wallarm role.
+* Immediate access to Wallarm Console under SSO credentials.
+* Permissions specified by the role.
+
+For this to work, you need to configure integration between Wallarm and your SAML SSO solution with **provisioning** option enabled as described [here](../../admin-en/configuration-guides/sso/setup.md#step-4-saml-sso-solution-configure-provisioning).
+
 ## Changing user settings
 Once a user appears in the user list, you can edit their settings using the **Edit user settings** option from the corresponding user menu. This allows you to change their assigned user role, first name, and last name.
diff --git a/images/admin-guides/configuration-guides/sso/disable-sso-provider.png b/images/admin-guides/configuration-guides/sso/disable-sso-provider.png
index f19a62db8b..65fe5be936 100644
Binary files a/images/admin-guides/configuration-guides/sso/disable-sso-provider.png and b/images/admin-guides/configuration-guides/sso/disable-sso-provider.png differ
diff --git a/images/admin-guides/configuration-guides/sso/gsuite/gsuite-add-app.png b/images/admin-guides/configuration-guides/sso/gsuite/gsuite-add-app.png
index dc16686d5f..fcb19f8088 100644
Binary files a/images/admin-guides/configuration-guides/sso/gsuite/gsuite-add-app.png and b/images/admin-guides/configuration-guides/sso/gsuite/gsuite-add-app.png differ
diff --git a/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fetch-metadata.png b/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fetch-metadata.png
index 3815ee3f72..1874e59bfc 100644
Binary files a/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fetch-metadata.png and b/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fetch-metadata.png differ
diff --git a/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fill-in-sp-data.png b/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fill-in-sp-data.png
index db92885fc3..ab866e85a6 100644
Binary files a/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fill-in-sp-data.png and b/images/admin-guides/configuration-guides/sso/gsuite/gsuite-fill-in-sp-data.png differ
diff --git a/images/admin-guides/configuration-guides/sso/gsuite/sp-metadata copy.png b/images/admin-guides/configuration-guides/sso/gsuite/sp-metadata copy.png
new file mode 100644
index 0000000000..85648909ac
Binary files /dev/null and b/images/admin-guides/configuration-guides/sso/gsuite/sp-metadata copy.png differ
diff --git a/images/admin-guides/configuration-guides/sso/simple-sso-mapping.png b/images/admin-guides/configuration-guides/sso/simple-sso-mapping.png
new file mode 100644
index 0000000000..5485853065
Binary files /dev/null and b/images/admin-guides/configuration-guides/sso/simple-sso-mapping.png differ
diff --git a/images/admin-guides/configuration-guides/sso/sso-integration-add.png b/images/admin-guides/configuration-guides/sso/sso-integration-add.png
new file mode 100644
index 0000000000..076b176345
Binary files /dev/null and b/images/admin-guides/configuration-guides/sso/sso-integration-add.png differ
diff --git a/images/admin-guides/configuration-guides/sso/sso-mapping-in-wallarm.png b/images/admin-guides/configuration-guides/sso/sso-mapping-in-wallarm.png
new file mode 100644
index 0000000000..04b21be429
Binary files /dev/null and b/images/admin-guides/configuration-guides/sso/sso-mapping-in-wallarm.png differ
diff --git a/mkdocs-5.0.yml b/mkdocs-5.0.yml
index 329c4e8540..25ce21359c 100644
--- a/mkdocs-5.0.yml
+++ b/mkdocs-5.0.yml
@@ -284,23 +284,12 @@ nav:
 - Overview: user-guides/settings/users.md
 - User Profile: user-guides/settings/account.md
 - API Tokens: user-guides/settings/api-tokens.md
- - Using Single Sign‑On (SSO):
- - Overview of integration with the SAML SSO solution: admin-en/configuration-guides/sso/intro.md
- - Connecting SSO with G Suite:
- - Overview of Steps for Connecting SSO with G Suite: admin-en/configuration-guides/sso/gsuite/overview.md
- - "Step 1: Generating Parameters on the Wallarm Side (G Suite)": admin-en/configuration-guides/sso/gsuite/setup-sp.md
- - "Step 2: Creating and Configuring an Application in G Suite": admin-en/configuration-guides/sso/gsuite/setup-idp.md
- - "Step 3: Transferring G Suite Metadata to the Wallarm Setup Wizard": admin-en/configuration-guides/sso/gsuite/metadata-transfer.md
- - "Step 4: Allowing Access to the Wallarm Application on the G Suite Side": admin-en/configuration-guides/sso/gsuite/allow-access-to-wl.md
- - Connecting SSO with Okta:
- - Overview of Steps for Connecting SSO with Okta: admin-en/configuration-guides/sso/okta/overview.md
- - "Step 1: Generating Parameters on the Wallarm Side (Okta)": admin-en/configuration-guides/sso/okta/setup-sp.md
- - "Step 2: Creating and Configuring an Application in Okta": admin-en/configuration-guides/sso/okta/setup-idp.md
- - "Step 3: Transferring Okta Metadata to the Wallarm Setup Wizard": admin-en/configuration-guides/sso/okta/metadata-transfer.md
- - "Step 4: Allowing Access to the Wallarm Application on the Okta Side": admin-en/configuration-guides/sso/okta/allow-access-to-wl.md
- - Configuring SSO Authentication for Users: admin-en/configuration-guides/sso/employ-user-auth.md
- - Changing the Configured SSO Authentication: admin-en/configuration-guides/sso/change-sso-provider.md
- - Using single sign‑on to Wallarm account: user-guides/use-sso.md
+ - Using SSO:
+ - Overview: admin-en/configuration-guides/sso/intro.md
+ - Setup: admin-en/configuration-guides/sso/setup.md
+ - G Suite 
Example: admin-en/configuration-guides/sso/sso-gsuite.md
+ - Okta Example: admin-en/configuration-guides/sso/sso-okta.md
+ - Troubleshooting: admin-en/configuration-guides/sso/troubleshooting.md
 - Using LDAP: admin-en/configuration-guides/ldap/ldap.md
 - Activity Log: user-guides/settings/audit-log.md
 - Operations:
diff --git a/netlify.toml b/netlify.toml
index a6d7ff05dd..1faeb65198 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -3,16 +3,7 @@ publish = "site"
 command = """
 pip3 install --no-cache-dir -r requirements.txt && npm install pngquant &&
-INSIDERS=true mkdocs build -f mkdocs-5.0.yml &&
-INSIDERS=true mkdocs build -f mkdocs-4.10.yml &&
-INSIDERS=true mkdocs build -f mkdocs-4.8.yml &&
-INSIDERS=true mkdocs build -f mkdocs-deprecated.yml &&
-INSIDERS=true mkdocs build -f mkdocs-3.6.yml &&
-INSIDERS=true mkdocs build -f mkdocs-2.18.yml &&
-INSIDERS=true mkdocs build -f mkdocs-ja-4.8.yml &&
-INSIDERS=true mkdocs build -f mkdocs-tr-4.8.yml &&
-INSIDERS=true mkdocs build -f mkdocs-pt-BR-4.8.yml &&
-INSIDERS=true mkdocs build -f mkdocs-ar-4.10.yml
+INSIDERS=true mkdocs build -f mkdocs-5.0.yml
 """
 [[headers]]
 for = "/*"
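Review bot: The new `Using SSO` nav block drops the entries for `admin-en/configuration-guides/sso/employ-user-auth.md`, `admin-en/configuration-guides/sso/change-sso-provider.md` and `user-guides/use-sso.md` (plus the per-step `gsuite/` and `okta/` pages), but this chunk shows no deletion of or redirect for those source files under the 5.0 tree. If any of them still exist, mkdocs will build them as orphaned pages reachable only by direct URL, and existing links to the old SSO setup instructions break without a pointer to `setup.md` or the new examples. Either remove the stale pages in the same change or add redirects from their old paths to the new `Setup`/`Troubleshooting` pages, and confirm `mkdocs build` reports no pages missing from the nav. The enclosing `nav:` list continues outside the hunk.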
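Review bot: The remaining `INSIDERS=true mkdocs build -f mkdocs-5.0.yml` line means the 4.10, 4.8, 3.6, 2.18, deprecated and localized sites are no longer produced, while the `[[headers]]` table and any redirect rules for those version paths lie outside this hunk; unless they are updated in the same change, previously published version URLs will start returning 404 on the next deploy, presumably silently. If retiring those builds is intended, a short comment above the remaining line, e.g. `# Only the 5.0 docs are built and published; older versions were retired`, would record the decision for the next maintainer. While here, the unchanged `npm install pngquant` still installs an unpinned package on every deploy; pinning it (`npm install pngquant@<version>`, version to be chosen) would keep the build reproducible.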