As of the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life, so there are no further support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team looks forward to continuing to support you on this journey.
SAML & LDAP Basic Setup (ThreadFix 3.X)
You will learn
How to setup SAML in ThreadFix.
Login Settings Tab
Default LDAP\SAML Role
When LDAP or SAML users log in, ThreadFix can assign them a default role. If no role is selected here, those users will be unable to access any data in ThreadFix. To configure per-team and per-application permissions for an LDAP or SAML user before their first login, create a ThreadFix user whose username matches their LDAP or SAML username and add that user to the desired group(s) and/or role(s). See the image highlighted below:
Warning: When a user's SAML status has been revoked, any associated API keys remain active until a ThreadFix administrator deletes them manually. Revoking the user at the identity provider does not, by itself, cut off their API access to ThreadFix.
LDAP Settings
For LDAP authentication, click the Create New LDAP Server button to create a new LDAP server.
Fill in the Name, URL, Search Base, User Display Name and Password fields, then click the Create LDAP Server button to connect to an LDAP (for example, Microsoft Active Directory) server.
Use Active Directory Overrides to integrate with LDAP services other than Active Directory. Specify the Login, Users, Groups and User's Groups filters so that each returns the corresponding value(s); in these filters, {0} stands for the value being looked up (the login name or the group name). Multiple LDAP integrations can be created as needed.
Examples of Active Directory Overrides
Login Filter: overrides the filter used to find the account of the person logging in. Example: (uid={0})
Users Filter: overrides the filter used to list the users in the directory. Example: (objectClass=User)
Groups Filter: overrides the filter used to list the groups in the directory. Example: (&(objectClass=group)(cn={0}))
User's Groups Filter: overrides the filter used to list the groups a user belongs to. Example: (&(memberUid={0})(objectClass=posixGroup))
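The override filters above take a substituted value wherever {0} appears. The following is an added example, not ThreadFix code, showing why the substituted value has to be escaped per RFC 4515 before it goes into the filter: a login name such as *)(uid=* would otherwise turn the Login Filter into two top-level filters and match every account. How ThreadFix itself performs the substitution is not documented on this page; the escaping and the sanity check here are what a practitioner would apply when reviewing custom filters.

```python
"""Added example (not part of ThreadFix): substitute a user-supplied value into
the Active Directory Override filter templates, escaping it per RFC 4515 so a
crafted login name cannot change the filter's structure."""

# The override templates from the page; {0} is the placeholder ThreadFix fills
# with the value being looked up (login name or group name).
OVERRIDES = {
    "login": "(uid={0})",
    "users": "(objectClass=User)",
    "groups": "(&(objectClass=group)(cn={0}))",
    "users_groups": "(&(memberUid={0})(objectClass=posixGroup))",
}

# RFC 4515 section 3: these characters must appear as \XX inside an assertion
# value. The backslash itself and NUL are included.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Fill {0} in an override template with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def top_level_items(flt: str) -> int:
    """Count depth-0 parenthesised groups. A well-formed filter has exactly one;
    more than one means the value broke out of the template."""
    depth, items = 0, 0
    for ch in flt:
        if ch == "(":
            if depth == 0:
                items += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return items


def demo():
    """Compare naive and escaped substitution of a hostile login name.
    The login name is constructed for this example."""
    hostile = "*)(uid=*"
    naive = OVERRIDES["login"].replace("{0}", hostile)      # (uid=*)(uid=*)
    safe = render_filter(OVERRIDES["login"], hostile)        # (uid=\2a\29\28uid=\2a)
    return {
        "naive": naive, "naive_items": top_level_items(naive),
        "safe": safe, "safe_items": top_level_items(safe),
        "normal": render_filter(OVERRIDES["users_groups"], "jdoe"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run the same check against any custom Groups or User's Groups filter you enter: the rendered filter should always count as a single top-level item, and group names containing parentheses (common in Active Directory display names) should come back escaped rather than breaking the filter.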
LDAPS Support
ThreadFix supports LDAPS (LDAP over TLS) for connecting to an LDAP server. Begin the URL with ldaps:// and use port 636 (or whichever port the server uses for LDAPS connections).
Example URL: ldaps://my.ldap.server:636/
Note: The LDAP server’s certificate may need to be imported into the trust store. For more information on this see: Adding Custom Root Certificates to AppSec Container.
SAML Settings
Stand Alone Authentication Type Configuration
To establish SAML Settings with Stand Alone Authentication Type Configuration in ThreadFix:
Click the ThreadFix Metadata button to generate an XML file usable to configure SAML to work with ThreadFix.
Enter the IDP Metadata URL from the SAML IDP. See the image highlighted below:
Click the Download Metadata button to have ThreadFix connect to the IDP and retrieve its metadata. ThreadFix then presents a User Display Name menu (options appear after typing at least one character) from which to select how the user's name will appear in the page header after they log in to ThreadFix via the SAML IDP.
Enter an Entity ID and Service ID; both are required:
The Entity ID identifies the service provider, which is ThreadFix. The value can be any unique identifier; one example is https://<threadfix-host>/saml/metadata, replacing <threadfix-host> with the name of the ThreadFix host machine. If the SAML identity provider assigns this value to service providers, use the assigned value instead.
The Service ID is the endpoint (the Assertion Consumer Service URL) to which the Identity Provider will send the SAML Assertion. This should be https://<threadfix-host>/saml/sso, replacing <threadfix-host> with the name of the ThreadFix host machine.
The ReGenerate TLS Certs button is available if a user needs to change the certificates ThreadFix uses when making SAML requests to the configured identity provider.
LDAP-Linked SAML Authentication Type Configuration
ThreadFix allows users to log in using SAML while their permissions are managed through a linked LDAP server. To configure SAML settings with the LDAP-linked Authentication Type Configuration:
Configure the IdP used for SAML SSO to delegate authentication to the LDAP server of your choice. Consult the IdP's documentation to verify that this is supported and for configuration instructions. Note: the user's LDAP username must be mapped to the NameID or to an additional attribute in the SAML response, since ThreadFix uses it to look the user up in the linked LDAP server.
Enter the IDP Metadata URL from the SAML IDP. See the image highlighted below:
Enter an Entity ID and Service ID; both are required:
The Entity ID identifies the service provider, which is ThreadFix. The value can be any unique identifier; one example is https://<threadfix-host>/saml/metadata, replacing <threadfix-host> with the name of the ThreadFix host machine. If the SAML identity provider assigns this value to service providers, use the assigned value instead.
The Service ID is the endpoint (the Assertion Consumer Service URL) to which the Identity Provider will send the SAML Assertion. This should be https://<threadfix-host>/saml/sso, replacing <threadfix-host> with the name of the ThreadFix host machine.
The ReGenerate TLS Certs button is available if a user needs to change the certificates ThreadFix uses when making SAML requests to the configured identity provider.
Once the IdP is configured for LDAP delegated authentication, navigate to the System Settings page in ThreadFix. If the LDAP server used for authentication isn't already configured, create a new LDAP server for it under LDAP Settings.
Open the SAML Settings and select "LDAP" in the Authentication Type dropdown menu.
Complete the LDAP linked SSO setup by filling in the remaining required fields and saving these changes.
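Both the stand-alone and the LDAP-linked procedures hinge on the Entity ID and Service ID matching what the IdP sees, and the LDAP-linked variant additionally depends on the LDAP username arriving in the NameID or an attribute. The following is an added example, not ThreadFix code or the product's SAML implementation, that checks a service-provider metadata document against the values prescribed above and extracts the LDAP username from a SAML response the way the LDAP-linked note requires. The host name threadfix.example.com, the attribute name sAMAccountName and both XML documents are constructed for the example; signature verification of the assertion is assumed to have happened before the username is extracted and is not shown.

```python
"""Added example (not ThreadFix code): validate SP metadata against the page's
Entity ID / Service ID guidance and pull the LDAP username out of a SAML
response (NameID or a named attribute)."""
import xml.etree.ElementTree as ET  # for XML from an untrusted IdP prefer defusedxml
from typing import List, Optional
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP metadata, shaped like what an SP publishes at /saml/metadata.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://threadfix.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://threadfix.example.com/saml/sso" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed (unsigned) SAML response carrying the username in two places.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="sAMAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_sp_metadata(xml_text: str, threadfix_host: str) -> List[str]:
    """Return problems found in the SP metadata; an empty list means the
    Entity ID and Service ID match the page's guidance for threadfix_host."""
    problems = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID is missing (Entity ID is required)")
    elif entity_id != f"https://{threadfix_host}/saml/metadata":
        # Any unique value is permitted; flag it so the operator confirms the IdP uses the same one.
        problems.append(f"entityID {entity_id!r} differs from the suggested value")
    services = root.findall(f".//{{{MD}}}AssertionConsumerService")
    if not services:
        problems.append("no AssertionConsumerService element (Service ID is required)")
    for svc in services:
        location = svc.get("Location", "")
        parsed = urlparse(location)
        if parsed.scheme != "https":
            problems.append(f"Service ID {location!r} is not https")
        if parsed.hostname != threadfix_host or parsed.path != "/saml/sso":
            problems.append(f"Service ID {location!r} is not https://{threadfix_host}/saml/sso")
    return problems


def ldap_username_from_response(xml_text: str, attribute: Optional[str] = None) -> Optional[str]:
    """Return the LDAP username: the named attribute when one is configured,
    otherwise the Subject NameID. Assumes the assertion signature was verified."""
    root = ET.fromstring(xml_text)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return None
    if attribute:
        for attr in assertion.iter(f"{{{SAML}}}Attribute"):
            if attr.get("Name") == attribute:
                value = attr.find(f"{{{SAML}}}AttributeValue")
                return value.text.strip() if value is not None and value.text else None
        return None  # configured attribute absent: do not fall back silently
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return name_id.text.strip() if name_id is not None and name_id.text else None


if __name__ == "__main__":
    print(check_sp_metadata(SP_METADATA, "threadfix.example.com"))
    print(ldap_username_from_response(SAML_RESPONSE))
    print(ldap_username_from_response(SAML_RESPONSE, "sAMAccountName"))
```

When the configured attribute is missing from the response the function returns None rather than falling back to the NameID; in an LDAP-linked setup a silent fallback would look the wrong user up in the directory, so the IdP mapping should be fixed instead.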
Import LDAP Users
The Import LDAP Users button imports all LDAP users found under the Search Base defined in the LDAP Settings and, optionally, all of the groups they belong to.
To import all LDAP users, click the Import LDAP Users button. After clicking the button, the Import LDAP Users modal will appear.
Choose the domain, if there is more than one, and whether or not to import all of the LDAP groups the users belong to. Then click the Import LDAP Users button.
ThreadFix will import the LDAP users, their groups if selected, and the page will refresh to show the newly-added users.
Prune LDAP Users
The Prune LDAP Users button allows deleting ThreadFix users who meet either of the following conditions:
Their account has been deleted from the LDAP server.
Their account is no longer within the currently configured Search Base, whether they were moved to another Organization Unit on the LDAP server, or the Search Base was changed.
To delete users that meet either condition, click the Prune LDAP Users button.
Select the domain from the drop-down list.
Click the OK button when prompted to confirm, or Cancel if not ready.
If OK was clicked, a green banner will indicate the number of deleted users.
Note: if there are no LDAP users to delete, a banner reporting that result is displayed instead, as seen below:
LDAP Group Synchronization
When LDAP users log in to ThreadFix, their group memberships on the LDAP server are synchronized into the corresponding LDAP groups in ThreadFix. For example:
If an LDAP user logs in to ThreadFix for the first time and is a member of an LDAP group that exists in ThreadFix:
The user will be added to the ThreadFix LDAP group
The user will gain the ThreadFix roles and permissions that are attached to the group
After each subsequent login, the user's group memberships will continue to be synchronized:
If the LDAP user has been added or removed from any LDAP group:
The user will be added/removed from the corresponding ThreadFix LDAP group
The user will gain/lose the roles and permissions that are attached to the group
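The Prune LDAP Users rules and the group synchronization rules above are both reconciliations between a directory snapshot and ThreadFix's own records. The following is an added example, not ThreadFix code, that applies both to an in-memory snapshot: users whose directory entry is gone or has moved outside the Search Base are marked for deletion, and the remaining users' ThreadFix LDAP group memberships (and the roles attached to those groups) are brought in line with the directory. The directory entries, users, groups, roles and API key names are constructed for the example. Listing a pruned user's API keys for manual revocation extends the page's warning about revoked SAML users to pruned LDAP users, which is an assumption about what an operator would want to do next, not documented ThreadFix behaviour.

```python
"""Added example (not ThreadFix code): reconcile ThreadFix LDAP users and group
memberships against a directory snapshot, applying the Prune LDAP Users rules
and the LDAP Group Synchronization rules described on the page."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def dn_under(dn: str, base: str) -> bool:
    """True if dn sits at or below base. Compares whole RDN components,
    case-insensitively, so ou=users does not match ou=oldusers. (Splitting on
    ',' is enough for this example; escaped commas in RDNs are not handled.)"""
    parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    return len(parts) >= len(base_parts) and parts[-len(base_parts):] == base_parts


@dataclass
class TfUser:
    username: str
    groups: Set[str] = field(default_factory=set)     # ThreadFix LDAP groups
    api_keys: List[str] = field(default_factory=list)  # constructed key names


# Constructed directory snapshot: username -> (DN, LDAP group names)
DIRECTORY: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("uid=alice,ou=users,dc=example,dc=com", {"appsec", "developers"}),
    "bob":   ("uid=bob,ou=users,dc=example,dc=com", {"developers"}),
    "carol": ("uid=carol,ou=contractors,dc=example,dc=com", {"appsec"}),  # moved out of the base
}
SEARCH_BASE = "ou=users,dc=example,dc=com"
# ThreadFix LDAP groups that exist, with the roles attached to each (constructed).
TF_GROUP_ROLES: Dict[str, Set[str]] = {"appsec": {"Administrator"}, "developers": {"User"}}


def prune(users: List[TfUser], directory, search_base: str) -> List[str]:
    """Usernames to delete: entry gone from the directory, or no longer under the Search Base."""
    gone = []
    for user in users:
        entry = directory.get(user.username)
        if entry is None or not dn_under(entry[0], search_base):
            gone.append(user.username)
    return gone


def sync_groups(user: TfUser, ldap_groups: Set[str], tf_group_roles) -> Tuple[Set[str], Set[str], Set[str]]:
    """Mirror LDAP membership into ThreadFix LDAP groups that exist; return (added, removed, roles)."""
    target = {g for g in ldap_groups if g in tf_group_roles}
    added, removed = target - user.groups, user.groups - target
    user.groups = target
    roles: Set[str] = set()
    for g in target:
        roles |= tf_group_roles[g]
    return added, removed, roles


def reconcile(users: List[TfUser], directory, search_base: str, tf_group_roles) -> dict:
    """Prune first, then synchronize the survivors; returns a report."""
    report = {"pruned": {}, "synced": {}}
    for name in prune(users, directory, search_base):
        user = next(u for u in users if u.username == name)
        # API keys are not revoked automatically (page warning); list them for manual cleanup.
        report["pruned"][name] = list(user.api_keys)
    for user in users:
        if user.username in report["pruned"]:
            continue
        added, removed, roles = sync_groups(user, directory[user.username][1], tf_group_roles)
        report["synced"][user.username] = {"added": added, "removed": removed, "roles": roles}
    return report


def demo() -> dict:
    """Constructed ThreadFix state: alice gained a group, bob lost one, carol moved, dave was deleted."""
    users = [TfUser("alice", {"developers"}, ["tfk-alice-1"]),
             TfUser("bob", {"developers", "appsec"}),
             TfUser("carol", {"appsec"}, ["tfk-carol-1"]),
             TfUser("dave", {"developers"})]
    return reconcile(users, DIRECTORY, SEARCH_BASE, TF_GROUP_ROLES)


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

The DN check is the part worth getting right: a prefix or substring comparison would treat a user moved to ou=oldusers as still inside ou=users, and a case-sensitive comparison would prune every user when the directory returns DNs in a different case than the Search Base was typed in.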
Additional Resource
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.