Getting started with SAML single sign-on

When you configure Deep Security to use SAML single sign-on, users signing in to your organization's portal can seamlessly sign in to Deep Security without an existing Deep Security account. SAML single sign-on also makes it possible to implement user authentication access control features such as

  • Password strength or change enforcement.
  • One-Time Password (OTP).
  • Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

For a more detailed explanation of Deep Security's implementation of the SAML standard, see How SAML single sign-on works.

At this time, Deep Security supports only the HTTP POST binding of the SAML 2.0 identity provider (IdP)-initiated login flow; the service provider (SP)-initiated login flow is not supported, so users must start from the identity provider's portal rather than from the Deep Security Manager sign-in page.

Configure SAML in Deep Security

If you are using Deep Security AMI from AWS Marketplace or Deep Security on-premise, you will first need to Configure Deep Security as a SAML service provider.

To use SAML single sign-on with Deep Security, you will need to do the following:

  1. Coordinate with the identity provider administrator.
  2. Import your identity provider's SAML meta-data document.
  3. Create Deep Security roles for SAML users.
  4. Download the Deep Security Manager service provider SAML meta-data document.
  5. Send URNs and the Deep Security SAML meta-data document to the identity provider administrator.

Coordinate with the identity provider administrator

To get started, contact the identity provider administrator to:

  • Establish a naming convention for mapping directory server groups to Deep Security roles.
  • Obtain their identity provider SAML meta-data document.
  • Ask them to add any required user authentication access control features to their policy.

Import your identity provider's SAML meta-data document

Your Deep Security account must have both administrator and "Create SAML identity provider" permissions.

  1. On the Administration page, go to User Management > Identity Providers > SAML.
  2. Click Get Started.
  3. Click Choose File, select the SAML metadata document provided by your identity provider, and click Next.
  4. Enter a Name for the identity provider, and then click Finish.

    You will be brought to the Roles page.

Create Deep Security roles for SAML users

You need to create a role for each of your expected user types. Each role must have a corresponding group in your identity provider's directory server, and match the group's access permissions and tenant assignment.

For information on how to create roles, see Roles.

Download the Deep Security Manager service provider SAML meta-data document

  1. On the Administration page, go to User Management > Identity Providers > SAML.
  2. Under SAML Service Provider, click Download.
    Your browser will download the Deep Security service provider SAML meta-data document (ServiceProviderMetadata.xml).
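Before importing an identity provider's metadata document, or sending the downloaded ServiceProviderMetadata.xml to the identity provider administrator, it is worth checking that the document actually describes what Deep Security needs: a single EntityDescriptor with an entityID, an HTTP-POST single sign-on (or assertion consumer) endpoint, a signing certificate, and a validUntil date that has not passed. The script below is an added example and is not part of Deep Security or of this page; it uses only the Python standard library. The metadata documents it checks are constructed inline for demonstration, with placeholder entity IDs, URLs and certificate body, and are not taken from any real identity provider or Deep Security installation.

```python
"""Pre-flight checks on a SAML 2.0 metadata document before it is imported into
Deep Security (IdP metadata) or handed to the IdP administrator (SP metadata).
Added example; not part of Deep Security or the original page."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def build_idp_metadata(bindings, valid_until="2099-01-01T00:00:00Z", signing_cert=True):
    """Construct a minimal IdP metadata document for testing. The entityID, URLs
    and certificate body are placeholders, not a real identity provider's."""
    key = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
           '<ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>'
           '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>' if signing_cert else "")
    sso = "".join(
        f'<md:SingleSignOnService Binding="{b}" Location="https://idp.example.test/sso"/>'
        for b in bindings)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.test/saml" validUntil="{valid_until}">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'{key}{sso}</md:IDPSSODescriptor></md:EntityDescriptor>')


# Constructed stand-in for a downloaded ServiceProviderMetadata.xml; the
# entityID and assertion consumer URL are placeholders.
SP_METADATA = f'''<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="https://dsm.example.test/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST}" index="0"
        Location="https://dsm.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>'''


def check_metadata(xml_text, now=None):
    """Parse one EntityDescriptor and return a report dict. 'problems' lists
    anything that would make the document unusable for an IdP-initiated
    HTTP-POST flow, which is the only flow Deep Security supports."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID", ""), "role": None,
              "post_endpoints": [], "signing_certs": 0, "problems": []}
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        report["problems"].append(f"root element is {root.tag}, not md:EntityDescriptor")
        return report
    if not report["entity_id"]:
        report["problems"].append("EntityDescriptor has no entityID")

    # Expired metadata usually means the keys or endpoints have since been rotated.
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            report["problems"].append(f"metadata validUntil {valid_until} has passed")

    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    if idp is not None:
        report["role"] = "IdP"
        endpoints = idp.findall("md:SingleSignOnService", NS)
        report["post_endpoints"] = [e.get("Location") for e in endpoints if e.get("Binding") == POST]
        if not report["post_endpoints"]:
            report["problems"].append("no HTTP-POST SingleSignOnService; Deep Security only supports the HTTP POST binding")
        # A KeyDescriptor without a 'use' attribute covers both signing and
        # encryption; keys marked use="encryption" cannot verify assertions.
        report["signing_certs"] = sum(
            1 for kd in idp.findall("md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None)
        if report["signing_certs"] == 0:
            report["problems"].append("no signing X509Certificate; assertion signatures cannot be verified")
    elif sp is not None:
        report["role"] = "SP"
        endpoints = sp.findall("md:AssertionConsumerService", NS)
        report["post_endpoints"] = [e.get("Location") for e in endpoints if e.get("Binding") == POST]
        if not report["post_endpoints"]:
            report["problems"].append("no HTTP-POST AssertionConsumerService")
    else:
        report["problems"].append("neither IDPSSODescriptor nor SPSSODescriptor found")
    return report


def run_demo():
    """Check the constructed documents at a fixed point in time so results are stable."""
    now = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
    return {
        "idp_ok": check_metadata(build_idp_metadata([REDIRECT, POST]), now),
        "idp_redirect_only": check_metadata(build_idp_metadata([REDIRECT]), now),
        "idp_expired": check_metadata(build_idp_metadata([POST], valid_until="2020-01-01T00:00:00Z"), now),
        "idp_no_cert": check_metadata(build_idp_metadata([POST], signing_cert=False), now),
        "sp": check_metadata(SP_METADATA, now),
    }


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(f"{name}: {rep['role']} {rep['entity_id']} POST={rep['post_endpoints']} "
              f"certs={rep['signing_certs']} problems={rep['problems'] or 'none'}")
```

The redirect-only case is the one that most often surprises people: an identity provider that publishes only an HTTP-Redirect endpoint will import without error but can never complete Deep Security's HTTP POST flow. The metadata file comes from another organization, so treat it as untrusted input; for anything beyond a quick check, parse it with defusedxml rather than the standard library parser, and verify the metadata signature if the identity provider publishes one.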

Send URNs and the Deep Security SAML meta-data document to the identity provider administrator

You need to give the identity provider administrator Deep Security's service provider SAML meta-data document, the identity provider URN and the URN of each Deep Security role you created.

To view role URNs, go to Administration > User Management > Roles and look under the URN column.

To view identity provider URNs, go to Administration > User Management > Identity Providers > SAML > Identity Providers and look under the URN column.

Once the identity provider administrator confirms that they have created groups corresponding to the Deep Security roles and a claim rule that maps those group memberships to the role URNs you sent, you are done configuring SAML single sign-on.

If necessary, you can inform the identity provider administrator about the SAML claims structure required by Deep Security.

Service and identity provider settings

You can set how far in advance Deep Security will alert you to the expiry date of the service provider and identity provider certificates, as well as how long a user account added through SAML single sign-on must remain inactive before it is automatically deleted.

To change these settings, go to Administration > System Settings > Security > Identity Providers.

Identity providers used for testing

SAML single sign-on has been tested in Deep Security with the following identity providers:

  • Active Directory Federation Services (ADFS)
  • Okta
  • PingOne
  • Shibboleth