Product Requirements
- Reveal(x) Enterprise and ExtraHop Performance systems
Configure SAML single sign-on with Google
You can configure your ExtraHop system to enable users to log in to the system through the Google identity management service.
Before you begin
- You should be familiar with administering Google Admin.
- You should be familiar with administering ExtraHop systems.
These procedures require you to copy and paste information between the ExtraHop system and Google Admin console, so it is helpful to have each system open side-by-side.
Enable SAML on the ExtraHop system
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select SAML.
- Click Continue.
- Click View SP Metadata.
- Copy the ACS URL and Entity ID to a text file. You will paste this information into the Google configuration in a later procedure.
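As an added example (not ExtraHop or Google code), the following Python script parses SP metadata of the kind that View SP Metadata returns, extracts the Entity ID and the HTTP-POST ACS URL, and warns when the ACS hostname is not fully qualified. That matters because Google posts the signed SAML response from the user's browser to the ACS URL, so a hostname the browser cannot resolve (such as the default system hostname extrahop) breaks every login. The metadata XML is a constructed sample in standard SAML 2.0 metadata form; the entity ID and the ACS path are assumptions, not values taken from a real system.

```python
"""Sanity-check ExtraHop SP metadata before pasting its values into Google Admin.

Added example, not ExtraHop or Google code. SAMPLE_SP_METADATA is a constructed
sample; its entityID and ACS path are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: metadata from a system that still has the default
# hostname "extrahop", which no browser outside the box can resolve.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://extrahop/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://extrahop/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the Entity ID and the HTTP-POST ACS URL from SP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    acs_url = None
    for acs in root.iterfind(".//md:AssertionConsumerService", NS):
        if acs.get("Binding") == HTTP_POST:
            acs_url = acs.get("Location")
            break
    if not entity_id or not acs_url:
        raise ValueError("metadata lacks an entityID or an HTTP-POST ACS URL")
    return {"entity_id": entity_id, "acs_url": acs_url}


def acs_url_problems(acs_url: str) -> list:
    """List reasons a browser could not deliver the SAML response to this ACS URL."""
    parts = urlsplit(acs_url)
    problems = []
    if parts.scheme != "https":
        problems.append("ACS URL is not https; the response would travel in clear text")
    host = parts.hostname or ""
    if "." not in host:
        problems.append(f"hostname {host!r} is not fully qualified; browsers cannot resolve it")
    return problems


def rewrite_acs_host(acs_url: str, fqdn: str) -> str:
    """Replace the hostname in the ACS URL with the system's FQDN, keeping port and path."""
    parts = urlsplit(acs_url)
    netloc = fqdn if parts.port is None else f"{fqdn}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    sp = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("Entity ID:", sp["entity_id"])
    for problem in acs_url_problems(sp["acs_url"]):
        print("warning:", problem)
    # "extrahop.example.com" is a placeholder FQDN for this example.
    print("ACS URL to paste into Google Admin:", rewrite_acs_host(sp["acs_url"], "extrahop.example.com"))
```

If you rewrite the ACS URL here, set the same FQDN as the system hostname on the ExtraHop side as well: the system checks the Destination of the incoming response against the ACS URL it expects, and a mismatch between the two is rejected.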
Add user custom attributes
- Log in to the Google Admin console.
- Click Users.
- Click the Manage custom attributes icon.
- Click Add Custom Attribute.
- In the Category field, type ExtraHop.
- (Optional): Type a description in the Description field.
- In the Custom fields section, enter the following information.
- In the Name field, type writelevel.
- From the Info Type drop-down list, select Text.
- From the Visibility drop-down list, select Visible to domain.
- From the No. of values drop-down list, select Single Value.
- (Optional): If you have connected Trace appliances, enable packet access by configuring a custom field with the following information.
- In the Name field, type packetslevel.
- From the Info Type drop-down list, select Text.
- From the Visibility drop-down list, select Visible to domain.
- From the No. of values drop-down list, select Single Value.
- (Optional): Enable detections access by configuring a custom field with the following information. The detectionsaccesslevel attribute is only required when the global privilege policy is set to Only specified users can view detections.
- In the Name field, type detectionsaccesslevel.
- From the Info Type drop-down list, select Text.
- From the Visibility drop-down list, select Visible to domain.
- From the No. of values drop-down list, select Single Value.
- Click Add.
Add identity provider information from Google to the ExtraHop system
- In the Google Admin console, click the Main menu icon and select Apps > SAML apps.
- Click the Enable SSO for a SAML application icon.
- Click SETUP MY OWN CUSTOM APP.
- On the Google IdP Information screen, click the Download button to download the certificate (GoogleIDPCertificate.pem).
- Return to the Administration settings on the ExtraHop system.
- Click Add Identity Provider.
- Type a unique name in the Provider Name field. This name appears on the ExtraHop system login page.
- From the Google IdP Information screen, copy the SSO URL and paste it into the SSO URL field on the ExtraHop appliance.
- From the Google IdP Information screen, copy the Entity ID and paste into the Entity ID field on the ExtraHop system.
- Open the GoogleIDPCertificate.pem file in a text editor, copy the contents, and paste them into the Public Certificate field on the ExtraHop system. The ExtraHop system uses this certificate to verify the signature on SAML responses from Google, so make sure you paste the file you just downloaded, not a certificate from another SAML application.
- Choose how you would like to provision users from one of the following options.
- Select Auto-provision users to create a new remote SAML user account on the ExtraHop system when the user first logs in.
- Clear the Auto-provision users checkbox and manually configure new remote users through the ExtraHop Administration settings or REST API. Access and privilege levels are determined by the user configuration in Google.
- The Enable this identity provider option is selected by default and allows users to log in to the ExtraHop system. To prevent users from logging in, clear the checkbox.
- Configure user privilege attributes. You must configure the following set of user attributes before users can log in to the ExtraHop system through an identity provider. The attribute name must exactly match the name of the attribute included in the SAML response from your identity provider. The attribute values are user-definable; they are not case sensitive and can include spaces. For more information about privilege levels, see Users and user groups.
Important: You must specify the attribute name and configure at least one attribute value other than No access to enable users to log in. In the table below, the Attribute Name is the application attribute that you map when creating the ExtraHop application on the identity provider, and each Attribute Value is the value that the user's custom field must contain to receive that privilege level.
Attribute Name: urn:extrahop:saml:2.0:writelevel
Field Name                          Example Attribute Value
No access                           none
Unlimited privileges                unlimited
Full write privileges               full_write
Limited write privileges            limited_write
Personal write privileges           personal_write
Full read-only privileges           full_readonly
Restricted read-only privileges     restricted_readonly
- (Optional): Configure packets and session key access. Configuring packets and session key attributes is optional and only required when you have a connected Trace appliance. Users with unlimited or cloud setup (Reveal(x) 360) privileges are automatically granted access to packets and session keys.
Attribute Name: urn:extrahop:saml:2.0:packetslevel
Field Name                          Example Attribute Value
No access                           none
Packets and session keys            full_with_keys
Packets only                        full
- (Optional): Configure detections access. Configuring detections attributes is optional and only required when the global privilege policy is set to Only specified users can view detections. Users with unlimited or cloud setup (Reveal(x) 360) privileges are automatically granted access to detections.
Attribute Name: urn:extrahop:saml:2.0:detectionsaccesslevel
Field Name                          Example Attribute Value
No access                           none
Full access                         full
- Click Save.
- Save the Running Config.
Add ExtraHop service provider information to Google
- Return to the Google Admin console and click Next on the Google IdP Information page to continue to step 3 of 5.
- Type a unique name in the Application Name field to identify the ExtraHop system. Each ExtraHop system that you create a SAML application for needs a unique name.
- (Optional): Type a description for this application or upload a custom logo.
- Click Next.
- Copy the Assertion Consumer Service (ACS) URL from the ExtraHop system and paste it into the ACS URL field in Google Admin.
Note: You might need to manually edit the ACS URL if it contains a hostname that users' browsers cannot resolve, such as the default system hostname extrahop. We recommend that you specify the fully qualified domain name of the ExtraHop system in the URL.
- Copy the SP Entity ID from the ExtraHop system and paste it into the Entity ID field in Google Admin.
- Select the Signed Response checkbox.
- In the Name ID section, leave the default Basic Information and Primary Email settings unchanged.
- From the Name ID Format drop-down list, select PERSISTENT.
- Click Next.
- On the Attribute Mapping screen, click ADD NEW MAPPING.
- Add the following attributes exactly as shown. The first four attributes are required. The packetslevel attribute is optional and only required if you have a connected Trace appliance; if you have a Trace appliance and do not configure the packetslevel attribute, users will be unable to view or download packet captures in the ExtraHop system. The detectionsaccesslevel attribute is optional and only required when the global privilege policy is set to Only specified users can view detections. The User Field for each ExtraHop attribute is the custom field you created in the ExtraHop category earlier.
Application Attribute                          Category            User Field
urn:oid:0.9.2342.19200300.100.1.3              Basic Information   Primary Email
urn:oid:2.5.4.4                                Basic Information   Last Name
urn:oid:2.5.4.42                               Basic Information   First Name
urn:extrahop:saml:2.0:writelevel               ExtraHop            writelevel
urn:extrahop:saml:2.0:packetslevel             ExtraHop            packetslevel
urn:extrahop:saml:2.0:detectionsaccesslevel    ExtraHop            detectionsaccesslevel
- Click Finish and then click OK.
- Click Edit Service.
- Select On for everyone, and then click Save.
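The two attribute tables above (the ExtraHop privilege attributes and the Google attribute mapping) only work when the names match exactly and the values in each user's custom fields are ones the ExtraHop system recognizes. As an added example (not ExtraHop or Google code), the following Python script parses the AttributeStatement of a SAML assertion and derives the login decision and privilege levels from it, applying the rules stated on this page: attribute names are matched exactly, values are compared without regard to case or surrounding spaces, a user without a usable writelevel cannot log in, and a user with unlimited privileges receives packets and detections access automatically. The assertion XML is a constructed sample, not a capture; the issuer value and user details in it are placeholders. Deliberately, the sample carries the packetslevel value full_with_write (a typo for full_with_keys) to show the failure mode: the user logs in but gets no packet access. Signature verification against the Google certificate, audience and timestamp checks are out of scope here; a real service provider performs those before trusting any attribute.

```python
"""Map Google SAML assertion attributes to ExtraHop privilege levels.

Added example, not ExtraHop or Google code. SAMPLE_ASSERTION is a constructed
sample assertion; the signature, audience and timestamp checks a real SP does
before reading attributes are not performed here.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Application attribute names exactly as configured in the Google mapping.
ATTR_EMAIL = "urn:oid:0.9.2342.19200300.100.1.3"
ATTR_LAST = "urn:oid:2.5.4.4"
ATTR_FIRST = "urn:oid:2.5.4.42"
ATTR_WRITE = "urn:extrahop:saml:2.0:writelevel"
ATTR_PACKETS = "urn:extrahop:saml:2.0:packetslevel"
ATTR_DETECTIONS = "urn:extrahop:saml:2.0:detectionsaccesslevel"

# Accepted values per attribute, taken from the tables on this page (lower case).
WRITE_LEVELS = {"unlimited", "full_write", "limited_write", "personal_write",
                "full_readonly", "restricted_readonly", "none"}
PACKET_LEVELS = {"full_with_keys", "full", "none"}
DETECTION_LEVELS = {"full", "none"}

# Constructed sample: writelevel has stray spaces and mixed case (accepted),
# packetslevel holds the typo "full_with_write" (not accepted), and there is
# no detectionsaccesslevel attribute at all.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C0example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">1234567890</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Ruiz</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:extrahop:saml:2.0:writelevel"><saml:AttributeValue> Full_Write </saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:extrahop:saml:2.0:packetslevel"><saml:AttributeValue>full_with_write</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def saml_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def _level(attrs: dict, name: str, allowed: set):
    """Normalize the single value of an attribute; None if absent, multi-valued or unknown."""
    values = attrs.get(name, [])
    if len(values) != 1:
        return None
    value = values[0].strip().lower()
    return value if value in allowed else None


def extrahop_privileges(attrs: dict) -> dict:
    """Derive the login decision and privilege levels from mapped attributes."""
    write = _level(attrs, ATTR_WRITE, WRITE_LEVELS)
    # No usable writelevel means "No access": the user is not allowed to log in.
    if write is None or write == "none":
        raise PermissionError("writelevel missing, unrecognized or 'none': login denied")
    # Unknown or missing optional attributes fall back to no access, not to a default grant.
    packets = _level(attrs, ATTR_PACKETS, PACKET_LEVELS) or "none"
    detections = _level(attrs, ATTR_DETECTIONS, DETECTION_LEVELS) or "none"
    if write == "unlimited":
        packets, detections = "full_with_keys", "full"
    return {
        "email": attrs.get(ATTR_EMAIL, [None])[0],
        "name": f"{attrs.get(ATTR_FIRST, [''])[0]} {attrs.get(ATTR_LAST, [''])[0]}".strip(),
        "writelevel": write,
        "packetslevel": packets,
        "detectionsaccesslevel": detections,
    }


def can_log_in(attrs: dict) -> bool:
    """True when the assertion carries a writelevel that grants access."""
    try:
        extrahop_privileges(attrs)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    attrs = saml_attributes(SAMPLE_ASSERTION)
    print(extrahop_privileges(attrs))
```

Run against the sample, the user logs in as full_write but packetslevel resolves to none because full_with_write is not a value in the packets table; that is exactly the symptom you would chase after mistyping a value in a user's custom field, so check the value list before assuming the mapping itself is wrong.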
Assign user privileges
- Click Users to return to the table of all users in your organizational units.
- Click the name of the user you want to allow to log in to the ExtraHop system.
- In the User information section, click User details.
- In the ExtraHop section, click writelevel and type one of the following privilege levels.
- unlimited
- full_write
- limited_write
- personal_write
- full_readonly
- restricted_readonly
- none
For information about user privileges, see Users and user groups.
- (Optional): If you added the packetslevel attribute above, click packetslevel and type one of the following privileges. The value must match one of the packetslevel attribute values configured on the ExtraHop system.
- full
- full_with_keys
- none
- (Optional): If you added the detectionsaccesslevel attribute above, click detectionsaccesslevel and type one of the following privileges.
- full
- none
- Click Save.