Configure SAML single sign-on with Google

You can configure your ExtraHop Command and Discover appliances to enable users to log into the appliance through the Google identity management service.

Before you begin

  • You should be familiar with administrating Google Admin.
  • You should be familiar with administrating ExtraHop appliances.

These procedures require you to copy and paste information between the ExtraHop Admin UI and the Google Admin UI, so it is helpful to have each UI open side-by-side.

Enable SAML on the ExtraHop appliance

  1. Log into the Admin UI on the Discover or Command appliance.
  2. In the Access Settings section, click Remote Authentication.
  3. From the Remote authentication method drop-down list, select SAML.
    Important:If you are migrating from an existing remote authentication provider (such as LDAP), contact your ExtraHop account team for assistance in transferring your existing appliance customizations.
  4. Click Continue.
  5. Click View SP Metadata.
  6. Copy the ACS URL and Entity ID to a text file. You will paste this information into the Google configuration in a later procedure.

Add user custom attributes

  1. Log into the Google Admin console.
  2. Click Users.
  3. Click the Manage custom attributes icon .
  4. Click Add Custom Attribute.
  5. In the Category field, type ExtraHop.
  6. Optional: Type a description in the Description field.
  7. In the Custom fields section, enter the following information.
    1. In the Name field, type writelevel.
    2. From the Info Type drop-down list, select Text.
    3. From the Visibility drop-down list, select Visible to domain.
    4. From the No. of values drop-down list, select Single Value.
  8. Optional: If you have connected Trace appliances, configure a second custom field with the following information.
    1. In the Name field, type packetslevel.
    2. From the Info Type drop-down list, select Text.
    3. From the Visibility drop-down list, select Visible to domain.
    4. From the No. of values drop-down list, select Single Value.
  9. Click Add.

Add identity provider information from Google to the ExtraHop appliance

  1. In the Google Admin console, click the Main menu icon and select Apps > SAML apps.
  2. Click the Enable SSO for a SAML application icon .
  3. Click SETUP MY OWN CUSTOM APP.
  4. On the Google IdP Information screen, click the Download button to download the certificate (GoogleIDPCertificate.pem).
  5. Return to the Admin UI on the ExtraHop appliance.
  6. Click Add Identity Provider.
  7. Type a unique name in the Provider Name field. This name appears on the ExtraHop appliance login page.
  8. From the Google IdP Information screen, copy the SSO URL and paste it into the SSO URL field on the ExtraHop appliance.
  9. From the Google IdP Information screen, copy the Entity ID and paste into the Entity ID field on the ExtraHop appliance.
  10. Open the GoogleIDPCertificate in a text editor, copy the contents and paste into the Public Certificate field on the ExtraHop appliance.
  11. Choose how you would like to provision users from one of the following options.
    • Select Auto-provision users to create a new remote SAML user account on the ExtraHop appliance when the user first logs into the appliance.
    • Clear the Auto-provision users checkbox and manually configure new remote users through the ExtraHop Admin UI or REST API. Access and privilege levels are determined by the user configuration in Google.
  12. The Enable this identity provider option is selected by default and allows users to log into the appliance. To prevent users from logging in, clear the checkbox.
  13. Click Save.
  14. Save the Running Config.

Add ExtraHop service provider information to Google

  1. Return to the Google Admin console and click Next on the Google Idp Information page to continue to step 3 of 5.
  2. Type a unique name in the Application Name field to identify the ExtraHop appliance. Each ExtraHop appliance that you create a SAML application for needs a unique name.
  3. Optional: Type a description for this application or upload a custom logo.
  4. Click Next.
  5. Copy the Assertion Consumer Service (ACS) URL from the ExtraHop appliance and paste into the ACS URL field in Google Admin.
    Note:You might need to manually edit the ACS URL if the URL contains an unreachable hostname, such as the default appliance hostname "extrahop". We recommend that you specify the fully qualified domain name for the ExtraHop appliance in the URL.
  6. Copy the SP Entity ID from the ExtraHop appliance and paste into the Entity ID field in Google Admin.
  7. Select the Signed Response checkbox.
  8. In the Name ID section, leave the default Basic Information and Primary Email settings unchanged.
  9. From the Name ID Format drop-down list, select PERSISTENT.
  10. Click Next.
  11. On the Attribute Mapping screen, click ADD NEW MAPPING.
  12. Add the following attributes exactly as shown. The first four attributes are required. The packetslevel attribute is optional and is only required if you have connected Trace appliances. If you have a Trace appliance and you do not configure the packetslevel attribute, users will be unable to view or download packet captures in the ExtraHop Web UI.
    Application Attribute Category User Field
    urn:oid:0.9.2342.19200300.100.1.3 Basic Information Primary Email
    urn:oid:2.5.4.4 Basic Information Last Name
    urn:oid:2.5.4.42 Basic Information First Name
    urn:extrahop:saml:2.0:writelevel ExtraHop writelevel
    urn:extrahop:saml:2.0:packetslevel ExtraHop packetslevel
  13. Click Finish and then click OK.
  14. Click Edit Service.
  15. Select On for everyone, and then click Save.

Assign user privileges

  1. Click Users to return to the table of all users in your organizational units.
  2. Click the name of the user you want to allow to log into the ExtraHop appliance.
  3. In the User information section, click User details.
  4. In the ExtraHop section, click writelevel and type one of the following privilege levels.
    • unlimited
    • full_write
    • limited_write
    • personal_write
    • full_readonly
    • restricted_readonly
    For information about user privileges, see Users and user groups.
  5. Optional: If you added the packetslevel attribute above, click packetslevel and type one of the following privileges.
    • full
    • full_with_write
  6. Click Save.

Log into the ExtraHop appliance

  1. Open a new browser window and enter the URL of the ExtraHop Web UI.
  2. Click Log in with <provider name>.
  3. Sign into your provider with your email address and password. You are automatically directed to the ExtraHop Dashboards page.
Published 2019-01-16 16:09