Single Sign-On
Single Sign-On (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. It provides a means for enterprises to centrally manage and control user authentication and authorization.
Using SSO, organizations reduce the administrative overhead of managing multiple authentication tokens for each user. A user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords.
CloudGuard supports Single Sign-On based on SAML 2.0.
When SSO is enabled for a CloudGuard account, each account user can be configured to use SSO authentication (the default) or built-in CloudGuard user authentication.
Important - The SAML response generated by the Identity Provider (IdP) must be used within 24 hours, before it expires. Each SAML response is valid for a single use only.
Users with SSO
Users configured to use SSO:
- Have their password managed by the SSO identity provider, so a password reset in CloudGuard directs the user to reset the password on the IdP (SSO provider)
- Have MFA enabled and managed by the SSO solution provider, so MFA is disabled for these users in the CloudGuard portal
Best Practice - Make sure to delete unnecessary SSO users when they are deactivated or no longer need access to CloudGuard (see Deleting users for more information).
A CloudGuard Account Owner cannot be configured for SSO. This restriction is a fail-safe that guarantees at least one user can still log in to CloudGuard if something goes wrong with the SSO identity provider.
Single Sign-On using Just-In-Time (JIT) Provisioning
With JIT provisioning, there is no need to create users for logging in. The Identity Provider provisions (creates or updates) them when the user attempts to access the service.
The provider allocates permissions based on the groups to which the user belongs. Roles, with specific permissions, must be defined and associated with the groups.
The provider generates temporary tokens for the user to access the service, so no actual user is created.
To enable JIT:
- Configure SSO as usual according to the instructions for your IdP.
- In the SAML configuration, enter a meaningful attribute name, for example, JIT-for-CloudGuard.
- In CloudGuard, navigate to Settings > Security & Authentication and configure SSO.
- Select Allow for the Just-in-time provisioning for the account option.
- In Attribute name in SAML for just-in-time role, add the name that you entered, JIT-for-CloudGuard (by default, memberOf).
Configure SSO
Before you use SSO, make sure your configuration meets these prerequisites:
- The organization has a SAML 2.0 SSO infrastructure in place
- Users are provisioned in the identity provider's SSO application
- A CloudGuard user with the same user identity email is provisioned in CloudGuard (when not using JIT)
- The CloudGuard user is assigned permissions in CloudGuard
SSO End User Login
An end user configured for SSO can log in to CloudGuard in two ways:
- Access the CloudGuard portal with the URL https://secure.dome9.com/sso/yourcompanyname, which redirects the user to the SSO solution provider's login page and, once the user is successfully authenticated there, redirects the user back to the CloudGuard portal (Service-Provider-initiated)
- Log in through the SSO provider's login page (IdP-initiated) and from there select the CloudGuard application
To log in with the SP-initiated flow:
- Navigate to https://secure.dome9.com/sso/yourcompanyname, where yourcompanyname is the Account ID identifier configured in the SSO settings page.
- You are redirected to the SSO provider's login page.
- Log in to the SSO provider's site.
- You are redirected back to the CloudGuard portal, with an authenticated session for the CloudGuard user corresponding to the user on the SSO site (the one with the same user email).
To log in with the IdP-initiated flow:
- Navigate to the login page for the SSO provider and log in there with the SSO user name.
- Select CloudGuard as the destination site.
- You are redirected to the CloudGuard portal, with an authenticated session for the CloudGuard user corresponding to the user on the SSO site (the one with the same user email).
Actions
You can disable SSO for a CloudGuard account. If this is done, SSO is disabled for all users in the account, and a password reset invitation is issued to all SSO users.
To disable SSO for the account:
- Navigate to the Security & Authentication page in the Settings > Configuration menu.
- Click Disabled.
To add a user to an account that has SSO enabled:
- Log in to the CloudGuard portal with a super user account.
- Navigate to the Users page in the Settings > Users & Roles menu.
- Click Add User.
- Enter details for the user. Note that SSO is enabled by default for new users in accounts that have SSO enabled.
- Click CREATE.
To connect or disconnect an individual user:
- Log in to the CloudGuard portal with a super user account.
- Navigate to the Users page in the Settings > Users & Roles menu.
To disconnect a user from SSO:
- Select the user that you want to disconnect from SSO and click Disconnect from SSO on the menu bar.
When SSO is disabled for the user, an email is sent to the user to reset the password.
To connect a user to SSO:
- Select the user that you want to connect to SSO and click Connect to SSO on the menu bar.
When SSO is enabled for the user, an email is sent to the user to indicate that they must use SSO, and which SSO provider, to log in to CloudGuard.
SSO Configuration Troubleshooting
Most SSO issues are caused by incorrect configuration. To troubleshoot them, navigate to the Events > Operational > System Audit Logs page in CloudGuard.
If the System Audit log contains an SSO Login failed record, there are specific configuration errors; the record's description indicates the cause of the failure.
If there are no SSO Login records at all, the SAML request is not configured to target a valid environment of the IdP.
If you see one of the two CloudGuard audit log messages above, verify these:
- Ensure the Token-signing certificate uses SHA256.
- Ensure the Token-signing certificate public key is entered in the CloudGuard SSO configuration in Base-64 encoded X.509 format.
- Ensure your Issuer field is correct.
If the Issuer URI field is incorrect, your browser does not forward you to your IdP login page, but instead forwards you to the standard CloudGuard login page. To solve this, adjust the Issuer field in the CloudGuard SSO configuration.
For the audit log entry about an invalid response token, verify that the certificate is valid, not encrypted, and not expired.
This record indicates that the user who tried to log in using SSO does not exist in the CloudGuard system. Verify that the user name is correct.
This situation indicates that the Relying Party Trust was not created correctly, or that the associated claim rules are not configured correctly in the Claims Issuance Policy. It can also indicate that the metadata file contains a wrong Account Identifier.
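The checks this section walks through (Issuer match, the 24-hour response lifetime, the assertion validity window) and the JIT mapping from SAML group attribute values to roles, as an added example that is not CloudGuard's own code or the page's: a small validator run over a constructed SAML response. The IdP URL, the group names, the role names in GROUP_TO_ROLE and the user email are assumptions, and XML signature verification against the token-signing certificate is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (no ds:Signature; a real one must be signature-checked first).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:55:00Z" NotOnOrAfter="2024-01-01T10:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="JIT-for-CloudGuard">
        <saml:AttributeValue>cloud-auditors</saml:AttributeValue>
        <saml:AttributeValue>devops</saml:AttributeValue>
        <saml:AttributeValue>unmapped-group</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical group-to-role mapping; the roles themselves are defined in the portal.
GROUP_TO_ROLE = {"cloud-auditors": "Auditor", "devops": "DevOps"}

def _ts(value):  # SAML timestamps are UTC, e.g. 2024-01-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, expected_issuer, jit_attribute, now_iso):
    """Return an ok flag, human-readable findings and the JIT roles granted."""
    root, now = ET.fromstring(xml_text), _ts(now_iso)
    findings, roles = [], []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        findings.append("issuer mismatch: check the Issuer field in the SSO settings")
    if now - _ts(root.get("IssueInstant", "1970-01-01T00:00:00Z")) > timedelta(hours=24):
        findings.append("response older than 24 hours")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no assertion in response")
    else:
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None and not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            findings.append("assertion outside its validity window")
        attr = assertion.find(f"saml:AttributeStatement/saml:Attribute[@Name='{jit_attribute}']", NS)
        groups = [] if attr is None else [v.text for v in attr.findall("saml:AttributeValue", NS)]
        roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]  # unmapped groups grant nothing
        if not roles:
            findings.append(f"no group in '{jit_attribute}' maps to a CloudGuard role")
    return {"ok": not findings, "findings": findings, "roles": roles,
            "user": root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)}
```

Passing memberOf as the attribute name against this sample reproduces the "no role mapped" failure you get when the attribute name configured in CloudGuard does not match the one the IdP emits.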