Understanding Single Sign-On in Panaseer

  • Updated

What is SSO?

Single Sign-On (SSO) is an authentication method that allows a user to sign in using one set of credentials to multiple independent software systems. Using SSO means a user doesn't have to sign in to every application they use and enables customers to manage their login security policies through their Identity Provider.

Panaseer's SSO capability works by creating a trusted connection between an Identity Provider (IdP) and Panaseer using authentication protocols such as OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).

These protocols provide a way to securely share information about the user, such as their full name, email, and roles and permissions, which Panaseer then uses to create and manage a user entity within the application.

High-level authentication process

High-level Panaseer authentication process

Supported authentication protocols

An authentication protocol is a standardized set of rules and procedures that enable secure information exchange between systems to verify user identities. It defines how authentication data should be formatted, encrypted, and transmitted between the identity provider and the application.

Panaseer supports OIDC and SAML authentication protocols and most IdPs, such as AWS and Okta, support both of these protocols. Choosing the right protocol depends on a customer’s specific requirements and security policies that are in place within their organization.

OIDC

OIDC is a modern authentication protocol that uses OAuth 2.0. It allows you to log into applications using existing accounts from trusted identity providers like Google, Microsoft, or Facebook. OIDC is popular for its simplicity, flexibility, and compatibility with today’s cloud-native and mobile-first environments.

Login flow

Panaseer initiates the Authorization Code Flow when a user attempts to login to Panaseer. This involves Panaseer exchanging an authorization code for an ID token which contains information about the user logging in, such as their username, email address, first and last name, and group entitlements.

OIDC login flow

OIDC login flow

An OIDC implementation in Panaseer requires the following information to set up correctly.

Provided by Information needed Example
Customer OIDC Discovery URI https://login.microsoftonline.com/{application-uuid}/v2.0/.well-known/openid-configuration
Customer Client ID and Secret
  • Client ID: xxxx
  • Secret: yyyy
Customer Information returned in the OIDC claims

By default, Panaseer requests these claims: openid profile email

Panaseer requires the following user information:

  • Username
  • Email
  • First Name
  • Last Name
  • Group assignments

Refer to the OIDC specification documentation for more details on claims.

Panaseer Callback URL

https://cxx.panaseer.com/psdl/auth/callback

NOTE: cxx is your Panaseer environment name.

SAML

SAML is an older, enterprise-grade authentication protocol that enables SSO between identity providers and service providers, typically using XML-based messages. SAML is more complex and heavier than OIDC, but it has a proven record of security and reliability for large organizations with established identity infrastructures.

Login flow

The diagram below is taken from Microsoft’s SAML documentation and outlines the authentication flow with a Customer Identity Provider and Panaseer when SAML authentication is configured.

SAML login flow

SAML login flow

A SAML implementation in Panaseer requires the following information to set up correctly.

Provided by Information needed Example
Customer Identity Provider Entity ID

https://sts.windows.net/{application-uuid}/

This must match the EntityID in the Metadata file below.

Customer Metadata URL or XML file https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={application-uuid}
Customer Information returned in the SAML claims

This is configured on the customer's Identity Provider.

Panaseer requires the following user information:

  • Username
  • Email
  • First Name
  • Last Name
  • Group assignments
Panaseer Service Provider Entity ID https://cxx.panaseer.com/saml/sp
Panaseer Reply/callback URL https://cxx.panaseer.com/psdl/auth/callback/SamlSSO
Panaseer Logout URL

https://cxx.panaseer.com/psdl/auth/sso-logout-callback

NOTE: cxx is your Panaseer environment name.

Configuring SSO

Panaseer integrates with several popular Identity Providers (IdPs) to allow you flexibility in choosing the best solution for your environment. The following are the most common IdPs we support:

  • Entra ID (formerly Azure AD): Entra ID supports both OIDC and SAML protocols and is particularly suited for Microsoft-centric organizations.
    Refer to Panaseer SSO with Microsoft Entra ID and SAML for more information.
  • Okta: Okta supports both OIDC and SAML and is widely adopted across various industries due to its flexibility and extensive application integrations.
  • Duo Security: Primarily SAML-focused, often used for environments with high-security needs.
  • PingOne/PingFederate: Flexible with both OIDC and SAML support, suited for complex, distributed environments.

When should I configure SSO?

Configuring SSO early is recommended to streamline user management and enforce security policies from the start. Here are some specific scenarios when setting up SSO should be prioritized:

  • Pre-Launch Setup: Before onboarding users onto Panaseer, configuring SSO allows seamless user access with existing IdP credentials. This helps minimize login issues and reduce administrative overhead.
  • Compliance Requirements: If your organization needs to adhere to specific security or privacy policies enabling SSO, along with MFA, ensures these policies are enforced and allows for centralized control over authentication and access in your IdP.
  • Onboarding Large User Groups: If many users are about to be onboarded, configuring SSO early will simplify the process, allowing for automatic provisioning and group-based permissions from the IdP.
  • Implementing Multi-Factor Authentication (MFA): If your organization mandates MFA, setting up SSO allows you to enforce MFA policies across the board without needing to configure it separately within Panaseer.

Who configures SSO?

A typical SSO setup involves collaboration between Panaseer’s implementation team and your organization's IT or identity management team. Here’s an outline of roles and responsibilities:

  • Panaseer’s Project Manager/Implementation Engineer (IE):
    • Provide Panaseer-specific information for the setup, such as callback URLs, Service Provider Entity ID, and application-level permissions.
    • Coordinate the configuration process with the customer’s IT team and ensures smooth integration.
    • Assist with technical questions related to Panaseer’s configuration settings and verify correct setup post-configuration.
  • Customer’s IT/Admin Team:
    • Configure the Identity Provider (IdP) with Panaseer’s details, including adding any required claim mappings.
    • Provide Client IDs, Entity IDs, metadata files, or certificates to Panaseer for SSO integration.
    • Set up group claims and roles within the IdP to ensure users are assigned the appropriate access levels in Panaseer.
    • Conduct internal testing to confirm the SSO configuration is working as expected.

General configuration

This section provides a general overview of the SSO configuration process applicable to most IdPs:

  • Provisioning Group Claims: Set up group claims in the IdP to ensure users are assigned the correct roles and access levels within Panaseer. These claims dictate the data and features users can access based on their group membership.
  • Redirect and Callback URLs: Ensure that the IdP’s redirect URI matches the one provided by Panaseer. A mismatch here is a common cause of configuration issues. Panaseer’s implementation team provide the correct URLs to configure in the IdP.
  • Certificate Management: For SAML-based configurations, ensure the IdP’s signing certificate is current and correctly uploaded into Panaseer. This certificate is essential for verifying SAML assertions and preventing unauthorized access.
  • Testing and Verification: After setting up the connection, perform login tests with various user roles. Check that the claims returned by the IdP match Panaseer’s requirements and verify that users can access the appropriate data based on their roles.
  • Debugging: Use logs provided by the IdP and Panaseer to identify and troubleshoot any issues that arise during setup. The Panaseer team can assist by reviewing logs to verify successful authentication and authorization flow.

FAQs

Question Answer
A user already has a username/password. SSO has been enabled, can they login to Panaseer via SSO? Yes. Given a user has permission on the customer’s Identity Provider to access Panaseer, they can login via SSO.
Can a user login with a username/password after logging in via SSO? No. Once a user has logged in via SSO they can not login again using their username and password.
What happens when a user leaves my organization, are they removed from Panaseer?

A user that has left an organization can no longer login to Panaseer if they are removed from a customer’s Identity Provider.

Their account remains in Panaseer because Panaseer does not have permission to read a customer’s Identity Provider’s directory of users to determine whether users exist or not.

How do I remove a user from Panaseer?

Either by removing them from the UI or through a support request ticket if the user is an owner of Panaseer resources, such as a dashboards or Remediation Objectives.

Can I enable MFA for users logging in via SSO?

Users logging in via SSO have their MFA policy defined through their Identity Provider, such as Entra ID. Panaseer does not manage or require MFA devices when users login via SSO.

How does assignment to groups work in Panaseer?

When a user logs in, the Identity Provider is setup to return an OIDC or SAML claim with the group names they should be assigned to in Panaseer. Panaseer sets a user's group assignments with those in the claim and removes any groups no longer required.

When does the re-assignment of groups take place?

Every time a user logs into Panaseer.

Do we create groups that do not exist in Panaseer if they are in a user’s claim?

No. The reason for not creating groups is some Identity Providers supply 100+ groups in the claim that is returned, which would result in these groups being created in Panaseer. The groups need to exist in Panaseer for a user to be assigned to them when they login.

Please contact your CSM for more information on SSO in Panaseer.

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.