Configuring the Identity Provider for SAML
In this example, OKTA is used as the SAML IdP.
Creating a Service Provider Application in OKTA
To create a Service Provider application in OKTA:
Navigate to https://www.okta.com/login/ and enter your organization's address. OKTA sends you your own OKTA Login screen, where you can access your account directly.
Sign in to your OKTA administration account using your Username and Password credentials. The Launch Apps screen is displayed.
Click <Admin> and then click Dashboard. The Dashboard screen is displayed.
Click
Add Applications. The Add Applications screen is displayed.
Click <Create New App>. The Create a New Application Integration screen is displayed.
Select SAML 2.0 and click <Create>. The Create SAML Integration - General Settings screen is displayed.
Add your chosen Service Provider application name into the App Name field (e.g., CxSAST via SAML).
Click <Next>. The Create SAML Integration - Configure SAML screen is displayed.
Notice
For version 9.0, the Single Sign on URL must read https://checkmarx.corp.net/cxrestapi/auth/identity/samlAcs.
Single sign on URL is composed from the Checkmarx URL and “/cxrestapi/auth/samlAcs”, e.g., https://checkmarx.corp.net/cxrestapi/auth/samlAcs. This is the location where the SAML assertion is sent with a HTTP POST.
Audience URI (SP Entity ID) field should be populated with a unique SP identifier (a single IdP can support multiple services). By convention, Audience URI is the SP server URI, e.g., https://checkmarx.corp.net.
Notice
The Entity ID must be identical in both the Service Provider and the Identity Provider.
Name ID parameter is required by CxSAST. This is the SAML name identifier of the user.
Click <Next>, select I’m a Software Vendor. I’d like to integrate my App with OKTA option and then click <Finish>.
Click Applications. The newly created application is displayed in the Applications screen.
To assign users to the Service Provider Application in OKTA:
On the Applications screen, click your application and then click the People tab. The People screen is displayed.
Click <Assign to People>. The Assign <Application> to People screen is displayed.
Assign a user to the application by clicking <Assign>.
Click <Save and Go Back> to assign the next user.
Repeat these two steps for each user.
Click <Done> to save the changes.
Confirm that each user has been assigned to the application.
Even though most attributes are supported, First Name, Last Name and Email are mandatory attributes. These attributes are already defined (but not mapped) in OKTA. All remaining attributes are optional.
To create attributes in OKTA:
Click Directory and select
Profile Editor. The Profile Editor screen is displayed.
Click <
Profile>for the new Checkmarx profile. The Profile screen is displayed.
Click <
Add Attribute>. The Add Attribute screen is displayed.
On the Add Attribute screen, define and add the following attributes:
Display Name
Variable
Data Type
Required?
Job
Job
String
No
Language
Language
String
No
Organization Tree
Organization_Tree
String
Yes
required for IdP Authorization only
Is_Auditor
Is_Auditor
String
Yes
required for IdP Authorization only
Role
Role
String
Yes
required for IdP Authorization only
Role Attribute
Role_Attribute
String
No
required for IdP Authorization only
Click <Save and Add Another> or <Add Attribute> accordingly.
To map user attributes to the service provider:
Click Applications. The Application screen is displayed.
Select the Application that you created (e.g., CxSAST via SAML) and click the General tab. The General screen is displayed.
In the SAML Settings section, click <Edit>. The SAML Integration - General Settings screen is displayed.
Click <Next>. The SAML Integration - SAML Settings screen is displayed.
In the Attribute Statements section, define and add the following attributes:
Name
Name Forma
Value
Authorization Method
First_Name
basic
user.firstName
Manual and IdP Authorization
Last_Name
basic
user.lastName
Manual and IdP Authorization
Email
basic
user.email
Manual and IdP Authorization
Job
basic
user.job
Manual and IdP Authorization
Phone
basic
user.primaryPhone
Manual and IdP Authorization
Cell Phone
basic
user.mobilePhone
Manual and IdP Authorization
Language
basic
user.language
Manual and IdP Authorization
Organization_Tree
basic
appuser.organizationTree
IdP Authorization only
Is_Auditor
basic
appuser.isAuditor
IdP Authorization only
Role
basic
appuser.Role
IdP Authorization only
Role_Attribute
basic
appuser.roleAttribute
IdP Authorization only
Notice
For IdP Authorization, First_Name, Last_Name, Email, Organization_Tree, Is_Auditor and Role attributes are mandatory. For Manual Authorization, First_Name, Last_Name and Email are required. The remaining attributes are optional
Notice
For ADFS only:
Below claim rule should be defined explicitly:
LDAP Attribute: SAM-Account-Name
Outgoing Claim Type: Name ID
To add additional attribute fields, click <Add Another>.
Once complete, click <Next>, select I’m a Software Vendor. I’d like to integrate my App with OKTA and then click <Finish>.
To add attributes to a specific user:
Click Directory and select People. The People screen is displayed.
Click Person & User Name. The selected user’s Profile screen is displayed.
Click the Profile tab. The Profile screen is displayed.
Click <Edit>.
Once the Attribute fields become available for editing, enter a description for each attribute as outlinede in the table below.
When done, click <Save> to save the changes.
Attributes | Description |
|---|---|
First name | User’s first name (e.g., David) |
Last name | User’s family name (e.g., Press) |
Primary email | Primary email (e.g., david.press@check.com) |
Job | Job title (e.g., Software Engineer) |
Primary phone | Primary contact telephone number (e.g., 77523632562) |
Mobile phone | Contact mobile number (e.g., 052563256214) |
Language | User’s preferred language (e.g., en-US (English – US) / zh-TW (Chinese - Traditional, Taiwan) / jp-JP (Japanese - Japan) / ko-KR (Korean - Korea) / zh-CHS (Chinese - Simplified)) |
Organization_Tree | User's organization according to the tree branch: \CxServer\SP\Company\Team NoticeCan alsobe multiple attributes separated by ',' delimiter: e.g., \ CxServer\SP\Company1\User1,CxServer\SP\Company2\Team2 |
Is_Auditor | User's auditor rights (true/false) |
Role | User's organizational role: Organization_Tree > Role value Allowed \CxServer > ServerManager \CxServer\SP > SPManager \CxServer\SP\Company > CompanyManager \CxServer\SP\Company\Team or under > Scanner or Reviewer |
Role_Attribute | User's role options:
NoticeCan also be multiple attributes separated by ',' delimiter: e.g., AllowProjectAndScanDelete,AllowNotExploitable |
To retrieve information on the identity provider setup:
Click Applications. The Applications screen is displayed.
Select your Application, for example CxSAST via SAML.
Once the Application screen is displayed, click Sign On. The Sign On screen is displayed.
Click <View Setup Instructions>. The Setup Instructions screen is displayed.
Click <Download Certificate>. The SAML certificate file (.cert) is downloaded to the default download directory. This file is used during the Configuration of SAML in CxSAST.
The following values are also used during the Configuration of SAML in CxSAST:
Identity Provider Single Sign-On URL, for example https://dev-396869.oktapreview.com/app/checkmarxdev238735_cxsast_1/exk7jivioeSb6n2EI0h7/sso/saml, is relevant to the Login URL field in the SAML Configuration in CxSAST.
Identity Provider Issuer , for example http://www.okta.com/exk7jivioeSb6n2EI0h7, is relevant to the Issuer (Identity Provider) field in the SAML Configuration in CxSAST.