Managing SSO connectors | SecurityHub


Product: SecurityHub
Applies to: Customer SecurityHub administrators

You can add, configure, edit and delete SSO connectors. You can also view log files.

Note: This option is only available if you have a valid domain associated with your organization. If you do not have a valid domain associated with your organization, you can request a domain be added. For more information, see Managing domains.

Your contract determines which features are available and which roles can access them. Note that compliance admins only have view rights to the available features.

Prerequisites

If your company is using Information Rights Management (IRM) for protecting Microsoft Office documents, ensure that the correct registry keys are configured. If they are not, users may not be able to access IRM-protected documents. For more information, see Microsoft Office files prompt for user name and password.

Video: SSO connector configuration

How to create and test an SSO connector

When you add a connector, as part of the configuration, you can specify test users. The connector will initially be created in the testing mode, meaning that only the test users can log in using the connector. This allows you to ensure that the connector is working properly before making it available to all users in the configured domains.

Connectors can have one of the following statuses.

  • Setup - The connector has one or more domains associated with it that can be tested using the test users. The connector is not live.
  • Active - The connector is live and in use.
  • Inactive - The connector does not have any domains associated with it.

Add a SAML connector (recommended)

When you add a connector, it is created in testing mode. As part of the configuration, you can specify test users. In this mode, only the test users can log in using the connector. This allows you to ensure that the connector is working properly before making it available to all users in the configured domains.

  1. Click Login Security.
  2. In the left panel, click SSO Connectors.
  3. Click SAML (Recommended).
  4. Click Add.
  5. In the Name field, enter a name for the connector.
  6. In the Entry Point URL field, enter the URL that will be used when a user logs in to redirect them to SSO.
  7. In the Certificate field, enter the certificate that will be used to validate the SAML response that lets Intralinks know who the user is and what products they have access to.
  8. Configure the connector. You can upload an IDP XML metadata file or manually enter the connector information.
    • To upload a file, click Upload File, select the file, and click Open. The Entry Point URL and Certificate fields are automatically populated. To configure additional settings, expand Advanced Settings and select your options. Click Next.
    • To manually configure the connector, complete the Name, Entry Point URL and Certificate fields. To configure additional settings, expand Advanced Settings and select your options. Click Next.
  9. Configure domain associations.
    • In the Domain(s) field, select the domains that are part of your organization that you want to include or click Select all domains to add them all.
    • In the Test Users field, enter the users that you want to use to test the connection before making the connector active. Test users must be part of the domain. You can add a maximum of 15 test users. Test users are automatically removed when the connector is made active.
    • Click Next.
  10. On the Review screen, review the connector configuration.
  11. Click Create. The Test URLs screen is displayed.
  12. (Optional.) To test the connector, in the Intralinks Application field, select the application that you want to test, copy the URL into your browser, and log in using the test user's credentials.

Add an OIDC connector

OIDC connectors are only compatible with Okta or Azure AD.

  1. Click Login Security.
  2. In the left panel, click SSO Connectors.
  3. Click OIDC.
  4. Click Add.
  5. In the Name field, enter a name for the connector.
  6. Configure the connector. You can upload an IDP JSON metadata file or manually enter the connector information.
    • To upload a file, click Upload File, select the file, and click Open. Enter any additional information and click Next.
    • To manually configure the connector, enter the connector information. Required fields are indicated by an asterisk. Click Next.
  7. Configure domain associations.
    • In the Domain(s) field, select the domains that are part of your organization that you want to include or click Select all domains to add them all.
    • In the Test Users field, enter the users that you want to use to test the connection before making the connector active. Test users must be part of the domain. You can add a maximum of 15 test users. Test users are automatically removed when the connector is made active.
    • Click Next.
  8. On the Review screen, review the connector configuration.
  9. Click Create. The Test URLs screen is displayed.
  10. (Optional.) To test the connector, in the Intralinks Application field, select the application that you want to test, copy the URL into your browser, and log in using the test user's credentials.

Test a connector

Connectors with a status of Setup can be tested. When a connector is changed to Active, the test users are removed.

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the Actions column, in the row of the connector, click the edit icon.
  5. Important! Do not skip the following steps. The test URL brings you to the environment you are configuring so that you can confirm that the configuration is correct. If you skip the following steps and immediately make the connection active, you could potentially go live with an incorrect configuration.
    • In the Intralinks Application field, select the application that you want to test.
    • Copy the URL into your browser, and log in using the test user credentials.

How to edit a connector's configuration

Edit domain associations

For an active connector, you cannot remove the domain that is already associated with the connector; however, you can add additional domains.

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the Actions column of the connector, click the edit icon.
  5. In the Find domain field enter the domain, or click Select all domains to display all domains and then remove the domains you do not want associated with the connector.
  6. If a selected domain is already associated with another connector, a message is displayed and you have the option to assign the domain to the current connector. To reassign the domain, click Reassign these domains to the <connector name>. Note that SSO is not affected.
  7. Click Save. An inactive connector can be changed to an active connector. Only one active connector and one setup connector are permitted.

Edit a connector's configuration

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the Actions column of the connector, click the edit icon.
  5. Make any changes and click Save.

Configure IdP assertions for Identity+ dynamic linking

Depending on your contract, this option may not be available. Changing this configuration can impact users using Identity+. For instructions on managing identity groups, see Adding and removing identity groups for Identity+.

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the Actions column of the connector, click the edit icon.
  5. In the Email Mapping field, enter the field in your IdP's response that contains the logged-in user's email address. If the assertion name is something other than NameID, enter that name.
  6. In the Field Type field, provide a unique IdP field to map Intralinks groups. The response from your IdP must include the group email addresses.
  7. In the Identity+ Groups Mapping field, enter the field name included in your IdP's SAML response. The field is based on the field type you selected.
  8. Click Save.
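To make the Email Mapping and Identity+ Groups Mapping settings concrete, the following Python is an added example (not SecurityHub's own code) of how a service provider reads those two settings out of a SAML assertion: the email comes from NameID unless another attribute name is configured, and the group email addresses come from the attribute named in the groups mapping. The assertion below is constructed for illustration, and the function names are assumptions; a real service provider validates the assertion's signature against the connector certificate before reading any attribute.

```python
"""Apply Email Mapping / Identity+ Groups Mapping settings to a SAML assertion.

Added example, not SecurityHub code. SAMPLE_ASSERTION is constructed and unsigned;
map_assertion() assumes the caller has already verified the response signature.
"""
import xml.etree.ElementTree as ET  # for untrusted input use defusedxml instead

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: NameID plus "mail" and "memberOf" attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice.smith@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Finance@example.com</saml:AttributeValue>
      <saml:AttributeValue>deal-team@example.com</saml:AttributeValue>
      <saml:AttributeValue>CN=Legacy Group,OU=Groups</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, name):
    """Return the text of every AttributeValue under the Attribute called `name`."""
    path = f"./saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text and v.text.strip()]


def map_assertion(xml_text, email_mapping="NameID", groups_mapping="memberOf"):
    """Resolve the user's email and Identity+ group addresses from the assertion.

    email_mapping:  "NameID" (default) or the name of an attribute holding the email.
    groups_mapping: the attribute whose values are group email addresses.
    Returns {"email": str, "groups": [str], "ignored": [str]}; values that are not
    email addresses are reported under "ignored" rather than silently used.
    """
    root = ET.fromstring(xml_text)
    if email_mapping == "NameID":
        node = root.find("./saml:Subject/saml:NameID", NS)
        email = node.text.strip() if node is not None and node.text else None
    else:
        values = attribute_values(root, email_mapping)
        email = values[0] if values else None
    if not email or "@" not in email:
        raise ValueError(f"no email address found via mapping {email_mapping!r}")

    groups, ignored = [], []
    for value in attribute_values(root, groups_mapping):
        (groups if "@" in value else ignored).append(value)
    return {
        "email": email.lower(),
        "groups": sorted(g.lower() for g in groups),
        "ignored": ignored,
    }


if __name__ == "__main__":
    print(map_assertion(SAMPLE_ASSERTION))
    print(map_assertion(SAMPLE_ASSERTION, email_mapping="mail"))
```

Changing `email_mapping` to an attribute name such as `mail` switches the lookup from the Subject's NameID to that attribute, which mirrors the instruction to enter a different assertion name when the email is not carried in NameID.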

Edit certificates

You can configure both the current certificate and the future certificate. When the current certificate expires, the future certificate is automatically enabled. If no future certificate is configured, all users are locked out when the current certificate expires.

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the Actions column of the connector, click the edit icon.
  5. In the Future Secret section, enter the Certificate.
  6. Click Save.

How to make a connector active

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the Actions column, in the row of the connector, click the edit icon.
  5. In the State field, select Active.
  6. Click Save.

How to view SP metadata for SAML connectors

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended).
  4. In the Actions column, in the row of the connector, click the edit icon.
  5. To view SP Metadata, click SP Metadata.

How to view log files

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the Actions column, in the row of the connector, click the edit icon.
  5. To view the logs of authenticated users, click Logs. Click a user's ID to open a side panel containing the user details.

How to delete a connector

You can only delete inactive connectors. Active connectors cannot be deleted.

  1. Click Login Security.
  2. In the left pane, click SSO Connectors.
  3. Click SAML (Recommended) or OIDC.
  4. In the row of the connector you want to delete, click the trashcan icon.
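The rules in this article (the Setup, Active and Inactive statuses; test users limited to 15, required to belong to an associated domain, and removed on activation; no domain removal from an active connector; only inactive connectors deletable; and the future certificate taking over when the current one expires, with a lockout if none is configured) are easier to reason about as one state model. The following Python is an added example, not SecurityHub's own code: the class and method names are assumptions, the certificate objects are placeholders carrying only a label and an expiry date, and walkthrough() exercises the rules on constructed data.

```python
"""Model of the SSO connector lifecycle rules this article describes.

Added example, not SecurityHub code; names are assumptions, not the product's API.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set

MAX_TEST_USERS = 15  # limit stated in the domain-association steps


def domain_of(email: str) -> str:
    """Lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()


@dataclass
class Certificate:
    label: str        # constructed placeholder for the IdP's PEM certificate
    not_after: date   # expiry date of that certificate


@dataclass
class Connector:
    name: str
    domains: Set[str] = field(default_factory=set)
    test_users: Set[str] = field(default_factory=set)
    live: bool = False
    current_cert: Optional[Certificate] = None
    future_cert: Optional[Certificate] = None

    @property
    def status(self) -> str:
        """Active: live. Setup: has domains but not live. Inactive: no domains."""
        if self.live:
            return "Active"
        return "Setup" if self.domains else "Inactive"

    def add_test_user(self, email: str) -> None:
        """Only in Setup, only from an associated domain, at most 15."""
        if self.status != "Setup":
            raise ValueError("test users can only be added to a connector in Setup")
        if domain_of(email) not in self.domains:
            raise ValueError(f"{email} is not in a domain associated with {self.name}")
        if len(self.test_users) >= MAX_TEST_USERS:
            raise ValueError(f"at most {MAX_TEST_USERS} test users are allowed")
        self.test_users.add(email.lower())

    def can_log_in(self, email: str) -> bool:
        """Setup: only test users. Active: any user in an associated domain."""
        if domain_of(email) not in self.domains:
            return False
        return self.live or email.lower() in self.test_users

    def activate(self) -> None:
        """Go live; the test users are removed automatically."""
        if not self.domains:
            raise ValueError("an Inactive connector has no domains to serve")
        self.live = True
        self.test_users.clear()

    def remove_domain(self, domain: str) -> None:
        """Domains can be added to an Active connector but not removed from it."""
        if self.live:
            raise ValueError("domains cannot be removed from an active connector")
        self.domains.discard(domain.lower())

    def delete(self) -> None:
        """Only Inactive connectors can be deleted."""
        if self.status != "Inactive":
            raise ValueError(f"cannot delete a connector in status {self.status}")

    def certificate_for(self, today: date) -> Certificate:
        """Current certificate until it expires, then the future one; else lockout."""
        for cert in (self.current_cert, self.future_cert):
            if cert is not None and today <= cert.not_after:
                return cert
        raise PermissionError("certificate expired and no future certificate: users locked out")


def walkthrough() -> dict:
    """Exercise the rules on constructed data and return the outcomes."""
    out = {}
    c = Connector("corp-saml", domains={"example.com"},
                  current_cert=Certificate("current", date(2025, 6, 30)),
                  future_cert=Certificate("future", date(2026, 6, 30)))
    out["initial_status"] = c.status
    c.add_test_user("Alice@example.com")
    out["tester_can_log_in"] = c.can_log_in("alice@example.com")
    out["other_user_blocked"] = not c.can_log_in("bob@example.com")
    try:
        c.add_test_user("eve@other.example")
        out["foreign_domain_rejected"] = False
    except ValueError:
        out["foreign_domain_rejected"] = True
    c.activate()
    out["status_after_activate"] = c.status
    out["test_users_cleared"] = not c.test_users
    out["everyone_in_domain"] = c.can_log_in("bob@example.com")
    try:
        c.remove_domain("example.com")
        out["domain_removal_blocked"] = False
    except ValueError:
        out["domain_removal_blocked"] = True
    out["cert_before_expiry"] = c.certificate_for(date(2025, 6, 1)).label
    out["cert_after_rollover"] = c.certificate_for(date(2025, 7, 1)).label
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The certificate_for() check is the part worth keeping in mind operationally: a connector whose current certificate is near expiry and whose Future Secret section is empty will refuse every login the day after expiry, so the future certificate should be entered well before that date.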

