Configure a SAML 2.0 Identity Provider in StackRox

Configure StackRox to use your SAML 2.0 Identity Provider.

This guide documents how to integrate a SAML 2.0 Identity Provider with the StackRox Kubernetes Security Platform.

Prerequisites

To complete these steps:

  • you must have already configured an application in your Identity Provider, such as Okta.
  • you must have appropriate permissions to configure identity providers in the StackRox Kubernetes Security Platform.

Configure StackRox

To configure the SAML 2.0 integration:

  1. On the StackRox portal, navigate to Platform Configuration > Access Control.
  2. Open the Auth Provider menu, select Add auth provider, and select SAML 2.0.
  3. Fill out the details for:
    • Integration Name: A user-friendly name to identify this authentication provider. For example, “Okta” or “G Suite.” The integration name is shown on the login page to help users select the right sign-in option.
    • ServiceProvider Issuer: The value you are using as the Audience URI (SP Entity ID) in Okta, or a similar value in other providers.
    • IdP Metadata URL: Use the URL of “Identity Provider metadata” available from the Identity Provider console. If you don’t wish to use the IdP Metadata URL, you may instead copy the required static fields from the “View Setup Instructions” link in the Okta console, or a similar location for other providers.
  4. Choose a Minimum access role for users accessing StackRox using this Identity Provider. Leave the Minimum access role set to Admin while you complete setup. Later, you can return to the Access Control page to set up more tailored access rules based on user metadata from the Identity Provider.
  5. Select Save.
  6. Complete a test login to make sure your integration is working.

If your SAML identity provider’s authentication response:

  • includes a NotValidAfter assertion, the user session remains valid until the time specified in the NotValidAfter field has elapsed. After its expiry, users must re-authenticate.
  • doesn’t include a NotValidAfter assertion, the user session remains valid for 30 days, after which users must re-authenticate.
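
The ServiceProvider Issuer from step 3 is the audience the Identity Provider writes into its assertions, and the two bullets above describe how the session lifetime is derived from the assertion. The Python snippet below is an added example written for this page, not StackRox code: it parses a constructed SAML assertion, checks that its audience matches the configured SP Entity ID, rejects assertions outside their validity window, and derives the session expiry from the assertion, falling back to the 30-day default when no expiry is present. The page calls the expiry field NotValidAfter; in the SAML 2.0 Conditions element the attribute is spelled NotOnOrAfter, which is what the code reads. The SP Entity ID and IdP issuer URLs are constructed placeholders.

```python
"""Audience check and session-expiry derivation for a SAML 2.0 assertion.

Example code written for this page, not StackRox's own implementation.
The assertion XML below is constructed; the URLs are placeholders.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_SESSION = timedelta(days=30)  # fallback lifetime stated on the page

# Constructed sample assertion with a validity window and an audience.
# The XML signature is omitted; in a real flow it must be verified before
# any field of the assertion is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2021-06-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exampleIdP</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-06-01T11:55:00Z" NotOnOrAfter="2021-06-01T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://stackrox.example.com/sso/providers/saml/example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed sample assertion with an audience but no expiry attribute.
SAMPLE_ASSERTION_NO_EXPIRY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-2" Version="2.0" IssueInstant="2021-06-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exampleIdP</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://stackrox.example.com/sso/providers/saml/example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Placeholder for the ServiceProvider Issuer / Audience URI configured in step 3.
SP_ISSUER = "https://stackrox.example.com/sso/providers/saml/example"


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(assertion_xml, sp_issuer, now):
    """Return (accepted, session_expires_at, reason).

    accepted is False when the audience does not match the configured SP
    issuer or when `now` lies outside the assertion's validity window.
    On success the session expiry is NotOnOrAfter if present, otherwise
    now + 30 days, matching the rule described on this page.
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    audiences = []
    not_before = not_on_or_after = None
    if cond is not None:
        audiences = [
            a.text.strip()
            for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)
            if a.text
        ]
        if cond.get("NotBefore"):
            not_before = parse_saml_time(cond.get("NotBefore"))
        if cond.get("NotOnOrAfter"):
            not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))

    if sp_issuer not in audiences:
        return False, None, "audience does not match ServiceProvider Issuer"
    if not_before is not None and now < not_before:
        return False, None, "assertion not yet valid"
    if not_on_or_after is not None and now >= not_on_or_after:
        return False, None, "assertion already expired"

    expires = not_on_or_after if not_on_or_after is not None else now + DEFAULT_SESSION
    return True, expires, "ok"


if __name__ == "__main__":
    now = datetime(2021, 6, 1, 12, 5, tzinfo=timezone.utc)
    print(evaluate_assertion(SAMPLE_ASSERTION, SP_ISSUER, now))
    print(evaluate_assertion(SAMPLE_ASSERTION_NO_EXPIRY, SP_ISSUER, now))
    print(evaluate_assertion(SAMPLE_ASSERTION, "https://other.example.com/sp", now))
```

The audience check is what ties the assertion to the ServiceProvider Issuer you entered: if the value in Okta's Audience URI field and the value in StackRox differ even by a trailing slash, the comparison fails and the login is rejected, which is the typical cause of a failed test login in step 6.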

Verify configuration

For version 3.0.44 and newer

Before you verify the configuration of your Identity Provider integration:

  1. Verify that you are on the Access Control view and you’ve selected the Auth Provider Rules tab.
  2. Under the Auth Providers section, make sure that you’ve selected the authentication provider for which you want to verify the configuration.

To verify your Identity Provider integration:

  1. Select Test Login from the Auth Provider section header. The Test Login page opens in a new browser tab.
  2. Sign in with your credentials.
    • On success, the StackRox Kubernetes Security Platform shows the User ID and User Attributes the Identity Provider sent for the credentials you’ve used to log in.
    • On failure, the StackRox Kubernetes Security Platform shows a message describing why the Identity Provider’s response couldn’t be processed.
  3. Close the Test Login browser tab. If your new provider doesn’t function correctly, check and update your configuration.

Once you log in using your Identity Provider, your configuration is complete.

You can reconfigure role-based access control permissions for each Identity Provider by navigating to Platform Configuration > Access Control.

For version 3.0.43 and older

To verify the configuration of your Identity Provider integration, select Log Out from the top right corner, then choose your new provider from the menu and sign in.

If your new provider doesn’t function correctly, log in using the administrator password or another Identity Provider.

Once you log in using your Identity Provider, your configuration is complete.

You can reconfigure role-based access control permissions for each Identity Provider by navigating to Platform Configuration > Access Control.

© 2021 StackRox Inc. All rights reserved.