¶ Exium SAML2 SSO Integration
Exium’s Intelligent Cybersecurity Mesh provides secure access to distributed workforce and IoT devices, protecting businesses from malware, ransomware, phishing, denial of service, and botnet infections in one easy to use cloud service.
Exium supports different SAML integrations for SSO Authentications of users to login and use Exium Service.
- Azure AD
- Okta
- JumpCloud
- PingIdentity
- Duo
If any organization has any other IDP which is not listed above can use Exium Generic SAML Integration as explained in this user guide.
SAML2 Exium integration handles users seamless access to Exium. Administrators can easily attach Exium security policy groups to SAML2 based IDP users. Unique features of this integration are
- Simple steps to integrate SAML2 API with Exium
- Push New Users from SAML2 IDP to Exium
- Push User Deactivation from SAML2 IDP to Exium
- Reactivate Users from SAML2 IDP to Exium
- Single sign-on from SAML2 IDP to sign-on to Exium
This note explains how to configure SAML2 Exium application settings and Exium Workspace settings so that SAML2 based IDP Users can be synced with Exium Workspace in real time and SSO from SAML2 based IDP can be used to sign-on to Exium Service.
Following steps elaborate SAML2 API Integration with Exium
¶ 1. Select Generic SAML as Sign-in Option on Exium
¶ 1.1 Copy Workspace Name
To copy workspace name, follow below steps.
- Navigate to the MSP admin console → Companies
- Click on Admin Console → Settings (alternatively Settings & Subscriptions on left bottom and Settings) as shown below.
Click on Profile tab in Profile page and copy Workspace name or ID as shown below. This is required for few IDPs to configure some unique key as SSO IDP Entity ID and IDP URL in next steps.
¶ 1.2 Change Sign-In Option
As a next step, configure Custom SAML as Sign-in Type. Follow below steps.
- Navigate to the MSP admin console → Companies
- Click on Integrations → SCIM/SAML SSO
- Select Custom SAML as Sign-In Type
- Copy ACS URL (Reply URL) and Entity ID (Identifier) one after other to paste in SAML based IDP as explained in next step.
¶ 3. Create Exium app on SAML based IDP
In your SAML based IDP account, you can create Exium application by creating custom SAML app with required configuration settings. Following is the reference screenshots from JumpCloud. Actual app creation may vary based on SAML2 based IDP.
¶ 3.1 Add SSO Service Provider (SP) Details
Paste SP Entity ID (Entity ID on Exium Portal) and ACS URL (ACS URL on Exium Portal from Exium Portal(copied on step 1) in Custom Exium App created in console of SAML2 based IDP console. Also optionally you may need to enter Workspace name or ID (copied on step1) as IdP Entity ID.
Following is the reference screenshots from JumpCloud for entering SP Details. Actual entering of details may vary based on SAML2 based IDP.
¶ 3.2 Add Attribute Mapping (Optional, depends on IDP)
If SAML2 based IDP provides option to enter attributes section, click on add attribute, enter firstname under Service Provider Attribute Name and select First Name from drop down under Attribute Names.
Click on add attribute, enter lastname under Service Provider Attribute Name and select Last Name from drop down under Attribute Names.
After all details are entered as shown below, click on save or activate.
Following is the reference screenshots from JumpCloud for entering attribute mapping. Actual attribute mapping may vary based on SAML2 based IDP.
¶ 3.3 Download Identity Provider (IdP) Metadata
Some IDPs provide option to download to IdP Metadata XML file and some IDPs provide IdP Metadata as URL. Exium supports IDP Metadata as Content or as URL. Based on your IDP, you can copy either IdP Metadata URL or download XML Content.
Following is the reference screenshots from JumpCloud for downloading Metadata file. Actual IDP Metadata URL copy or download of Metadata file may vary based on SAML2 based IDP.
¶ 4. Update Metadata XML on Exium Portal
As a next step, Sign-in option on Exium Portal has to be saved by filling-in IDP Metadata XML Content/URL. As explained in step 2.3, If the IDP provides Metadata URL, you can paste the RL or if the IDP Provides download of Metadata file, you can copy the contents and paste. Finally click Save.
¶ 5. Assigning User Groups/Users on IDP
As a next step, you can assign user groups to Exium app on SAML2 based IDP. This can be done whenever you wish to add more users or groups to Exium app.
Following is the reference screenshots from JumpCloud for Adding User groups. Actual assignment may vary based on SAML2 based IDP.
¶ 6. Verify SSO on Exium Service URL
If you are part of admin group, you can access admin console through SSO. you can press your workspace name on service portal by entering the workspace name. Browser opens one more tab for SAML2 authentication. (Note: Some browsers block popups. You need to allow the popup to allow one more tab to be opened to take SAML2 authentication).
After successful authentication, it’ll show the message that “User is successfully Verified.” You can close the tab, then you’ll be in admin console in the original tab where you have entered workspace name. If the SSO verified user is not part of admin user, it gives an error that you don’t have access.
If you have any issue during integration, contact us at support@exium.net or raise a ticket on https://exium.net/help-center/
If you would like to see how Exium can help defend your organisation, contact us at hello@exium.net