As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
SAML with Azure
You will learn
How to configure SSO with an Azure AD connected SAML application.
Prerequisites
Audience: IT Professional
Difficulty: Basic
Time needed: Approximately 15 Minutes
Tools required: None
It's necessary to first create an enterprise app in Azure within the Azure AD domain intended for authenticating users. Create and name an application, such as “threadfix-sso”, and choose “Integrate any other application you don't find in the gallery”.
Edit the settings of the enterprise application in Azure. Set up the users that will be allowed to sign in via this application, and any other relevant settings necessary for the deployment. At minimum, in the “Users and groups” tab, add some users to the app to allow sign on via this SAML app.
After setting up Users and Groups, and any other initial setup necessary, head to the “Single sign-on” tab in the menu on the left. Set the Identifier and Reply URL fields.
For the Identifier, set the value below, replacing ‘your-threadfix-fqdn’ with the FQDN of the desired ThreadFix instance. :
https://your-threadfix-fqdn/saml/metadata
For Reply URL, enter the value below, again substituting ‘your-threadfix-fqdn’ for the actual FQDN.
https://your-threadfix-fqdn/saml/sso
The end result should look like below.
Now scroll down a little to see in the step 3 box,“SAML Signing Certificate”, a field named “App Federation Metadata URL”. Copy this field, required to provide it to ThreadFix for the integration to properly function. Once the URL has been copied, log into the ThreadFix instance.
In the Navigation menu on the left, expand Global Settings, then choose System Settings. Next expand SAML Settings. Choose “Stand alone” Authentication Type, then paste in the metadata URL copied from Azure into the “IDP Metadata URL” field. Once the URL is entered, click the Download Metadata button.
By clicking this, ThreadFix will contact the Azure app at the URL provided, and retrieve necessary information from the Azure app to conduct SAML operations. Now enter the remaining information to complete the setup.
For “User Display Name”, choose “NameID [SAML Persistent Id]”. After typing a few letters it should autofill. If it does not autofill, then there was likely an issue downloading the metadata. Try downloading it again, and if the issue persists, check the URL for any errors.
For Entity ID and Service ID, match these fields to the Identifier and Reply URL fields in Azure, respectively. The Entity ID will be as below, again replacing 'your-threadfix-fqdn' with the FQDN of the ThreadFix instance.
https://your-threadfix-fqdn/saml/metadata
And Service ID will be as below, similarly replacing 'your-threadfix-fqdn' with the FQDN of the ThreadFix instance.
Following the previous example, using threadfix.mycompany.com as the fqdn, the end result should look like this:
Scroll to the bottom of the page and click the Save Changes button. The integration should now be working. It can be tested by logging out of ThreadFix, and choosing the SAML option on the login page. It should prompt for Azure AD credentials, or if the user is still logged into Azure, it will automatically log into ThreadFix with no further input. The default SAML role settings will determine what sort of access the user receives after logging in. For information on setting up a default role, see the User Administration documentation.
Table of Contents
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.