Configure SSO

This procedure describes how to configure SSO for Cybereason On-Prem version 23.1.

Prerequisites:

  1. Complete Cybereason Deployment and Sanity Checks.

  2. Replace Configuration Management Server Certificate. See Replace configuration management server certificate.

  3. Replace Webapp UI Certificate. See Install certificates.

  4. Retrieve Domain Controller FQDN and IP.

  5. Allow required communication from Configuration Management Server to DC (Port 636).

  6. Retrieve Bind and Users DN (Distinguished Name) + Password.

  7. Configure DNS Server with Webapp and Configuration Management Server FQDN.

  8. Set the DNS Server of the Configuration Management Server to the LDAP Server (Domain Controller) in the Deployment CSV.

Enable and Configure SSO

  1. Log in to the Configuration Management Server via https://cfg-mgmt-ip.

  2. Click Maintenance.

  3. Click SSO Configuration.

  4. Enter the Domain Controller Information.

  5. Toggle on Enable SSO.

  6. Click Confirm. A job will run to configure Keycloak and enable Webapp Server SSO Login.
    • Follow /var/log/ansible.log on the Configuration Management Server to see the progress.

    • Verify there are no errors in ansible.log or Configuration Management UI.

  7. Log in to the Keycloak UI via https://cfg-mgmt-dns:10443.
    • Click Administration Console.

    • Login Credentials: admin/cybereason

  8. Click User Federation.

  9. Click Add Ldap providers.

  10. Enter the following information:
    • UI display name

    • Connection URL: ldaps://<DC-URL>:636

    • Click Test Connection to verify connectivity to the DC.

    • Check for the successful output on the top right: LDAP Success

    • Bind DN (the value retrieved in step 6 of the Prerequisites above).

    • Bind credentials.

    • Click Test authentication.

    • Check for successful output on the top right.

    • Set edit mode to READ_ONLY.

    • Users DN.

    • Click Save.

  11. Configure Realm Event Settings:
    • Click Realm Settings on the bottom left corner.

    • Click the Events tab.

    • Click the User events settings tab below.

    • Toggle on Save events.

    • Set Expiration to 90 Days.

Realm event settings
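The checks that the procedure above asks for by hand (DNS resolution of the FQDNs from prerequisite 7, LDAPS reachability on port 636 from prerequisite 5, and the "no errors in ansible.log" verification in step 6) can be scripted on the Configuration Management Server. The script below is an added example, not Cybereason tooling; the hostnames and the sample log lines are constructed placeholders, and only the /var/log/ansible.log path comes from the page.

```shell
#!/bin/sh
# Added pre-flight helper for the SSO procedure (example code, not Cybereason's own).
# Assumes it runs on the Configuration Management Server with getent, openssl and
# timeout available. Hostnames below are placeholders, not real deployment values.

# Prerequisite 7: every FQDN passed in must resolve via the DNS server the CMS uses.
check_dns() {
  for host in "$@"; do
    getent hosts "$host" >/dev/null || { echo "DNS: $host does not resolve"; return 1; }
  done
}

# Prerequisite 5: the DC must accept a TLS handshake on 636 (ldaps://<DC-URL>:636) and
# present a certificate chain the CMS trusts; -verify_return_error fails on a bad chain.
check_ldaps() {
  printf '' | timeout 5 openssl s_client -connect "$1:636" -verify_return_error \
    >/dev/null 2>&1 || { echo "LDAPS: TLS handshake with $1:636 failed"; return 1; }
}

# Step 6: read an ansible log on stdin; succeed only if no task is fatal and no PLAY RECAP
# line reports failed or unreachable hosts.
ansible_log_ok() {
  awk '
    /^fatal: / { bad++ }
    /ok=[0-9]+ .*failed=[0-9]+/ {
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if ((kv[1] == "failed" || kv[1] == "unreachable") && kv[2] + 0 > 0) bad++
      }
    }
    END { exit (bad > 0) }
  '
}

# Constructed sample log excerpts (not real Cybereason output) for trying ansible_log_ok.
SAMPLE_LOG_OK='PLAY RECAP *********************************************************
cfg-mgmt : ok=14 changed=3 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0'
SAMPLE_LOG_BAD='TASK [keycloak : create ldap provider] ******************************
fatal: [webapp]: FAILED! => {"msg": "connection refused"}
PLAY RECAP *********************************************************
webapp : ok=5 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0'
```

Run the three checks as `check_dns webapp.example.internal cfg-mgmt.example.internal && check_ldaps dc.example.internal && ansible_log_ok < /var/log/ansible.log` before proceeding to the Keycloak steps; any non-zero exit points at the prerequisite that still needs attention.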

Sanity checks

  1. In the Keycloak UI, select Users (on the left hand side of the screen).

  2. Search for a user in your Active Directory.
    • If the user is visible, Active Directory is connected successfully to the relevant group.

  3. Log in to the Webapp UI via DNS: https://webapp-dns.

  4. Log in with the admin user.

  5. Click the top-left button > Users.

  6. Click Create users and enter the following information:
    • Email (desired Active Directory user email).

    • Password (random password for local login).

    • Confirm Password.

    • Uncheck Change password on next login.

    • Choose Role/Roles.

    • Select Authentication method: SSO.

    • Click Add user.

    SSO users

  7. Click the top right button > Logout.

  8. In the Webapp Login Page, click Sign In with SSO at the bottom of the screen.
    • You will be redirected to the Keycloak Sign-In Page.

    • Enter your Active Directory email from step 6 and your domain password.

    Keycloak login

  9. You should now be logged in to the Webapp UI via SSO.