Getting started with SAML single sign-on

When you configure Deep Security to use SAML single sign-on, users signing in to your organization's portal can seamlessly sign in to Deep Security without an existing Deep Security account. SAML single sign-on also makes it possible to implement user authentication access control features such as

  • Password strength or change enforcement.
  • One-Time Password (OTP).
  • Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

For a more detailed explanation of Deep Security's implementation of the SAML standard, see How SAML single sign-on works.

Configure SAML in Deep Security

To use SAML single sign-on with Deep Security, you will need to do the following:

  1. Coordinate with the identity provider administrator.
  2. Import your identity provider's SAML metadata document.
  3. Create Deep Security roles for SAML users.
  4. Download the Deep Security Manager service provider SAML metadata document.
  5. Send URNs and the Deep Security SAML metadata document to the identity provider administrator.

Coordinate with the identity provider administrator

To get started, contact the identity provider administrator to:

  • Establish a naming convention for mapping directory server groups to Deep Security roles.
  • Obtain their identity provider SAML metadata document.
  • Ask them to add any required user authentication access control features to their policy.

Import your identity provider's SAML metadata document

Your Deep Security account must have both administrator and "Create SAML identity provider" permissions.

  1. On the Administration page, go to User Management > Identity Providers > SAML.
  2. Click Start.
  3. Click Import, open your identity provider's SAML metadata document, and then click Next.
  4. Enter a Name for the identity provider, and then click Finish.

    You will be brought to the Roles page.

Create Deep Security roles for SAML users

You need to create a role for each of your expected user types. Each role must have a corresponding group in your identity provider's directory server, and match the group's access permissions and tenant assignment.

For information on how to create roles, see Roles.

Download the Deep Security Manager service provider SAML metadata document

  1. On the Administration page, go to User Management > Identity Providers > SAML.
  2. Under SAML Service Provider, click Download.
    Your browser will download the Deep Security service provider SAML metadata document (ServiceProviderMetadata.xml).

Send URNs and the Deep Security SAML metadata document to the identity provider administrator

You need to give the identity provider administrator Deep Security's service provider SAML metadata document, the identity provider URN and the URN of each Deep Security role you created.

To view role URNs, go to Administration > User Management > Roles and look under the URN column.

To view identity provider URNs, go to Administration > User Management > Identity Providers > SAML > Identity Providers and look under the URN column.

Once the identity provider administrator confirms they have created groups corresponding to the Deep Security roles and a claim for transforming them, you are done with configuring SAML single sign-on.

If necessary, you can inform the identity provider administrator about the SAML claims structure required by Deep Security.

Service and identity provider settings

You can set how far in advance Deep Security will alert you to the expiry date of the server and identity provider certificates, as well as how much time must pass before inactive user accounts added through SAML single sign-on are automatically deleted.

To change these settings, go to Administration > System Settings > Security > Identity Providers.

Identity providers used for testing

SAML single sign-on has been tested in Deep Security with the following identity providers:

  • Active Directory Federation Services (ADFS)
  • Okta
  • PingOne
  • Shibboleth