
Configure SAML 2.0 for Rapid7 InsightAppSec

This guide provides instructions on configuring SAML 2.0 Single Sign-On (SSO) for the Rapid7 InsightAppSec app integration.

Supported features

Rapid7 InsightAppSec supports the following features:

Prerequisites

Integrate the app in Okta

  1. In the Admin Console, go to Applications > Applications.
  2. Click Browse App Catalog.
  3. Search for and select the Rapid7 InsightAppSec app.
  4. Click Add Integration.
  5. On the General Settings tab, enter an app label, SSO URL, audience URI, and domain. You can enter placeholder values and modify them later.
  6. Click Next.
  7. On the Sign On tab, select SAML 2.0.
  8. On the Sign On tab, go to the SAML 2.0 section and click More details.
  9. Click Download next to Signing Certificate.

Upload the Okta signing certificate in Rapid7 InsightAppSec

  1. Sign in to the Rapid7 Command Platform.
  2. Click Administration.
  3. Select Settings.
  4. In Authentication Settings, go to the SSO Settings tab.
  5. Select Okta from the Select your identity provider (IdP) menu.
  6. Drag and drop the Okta signing certificate that you downloaded earlier. Or, click Browse and select the file from your local system.

Configure SAML settings in Okta

  1. In the Rapid7 Command Platform, go to the Copy the following data into your external IdP section and copy the SSO URL.
  2. In the Okta Admin Console, open the app integration and go to the General tab.
  3. Paste the SSO URL in the Single sign-on URL field.
  4. In the Rapid7 Command Platform, copy the Audience URI.
  5. In the Okta Admin Console, paste the audience URI in the Audience URI field.
  6. In the Rapid7 Command Platform, copy the Default Relay State.
  7. In the Okta Admin Console, click Edit in the Sign on methods section on the Sign On tab.
  8. Paste the copied value in the Default Relay State field.
  9. In the Rapid7 Command Platform, go to the Organization Settings tab.
  10. Copy the Domain value for your data storage region. For example, if your data storage region is United States, the domain is us.api.insight.rapid7.com. If your data storage region is United States - 2, the domain is us2.api.insight.rapid7.com.
  11. In the Okta Admin Console, go to the General tab.
  12. Paste the copied value in the Domain field.

Complete the Rapid7 Command Platform configuration

  1. In the Rapid7 Command Platform, go to the SAML 2.0 Configuration section and click the More settings menu.
  2. In the Okta Admin Console, on the Sign On tab, go to the SAML 2.0 section, click More details, and copy the Sign on URL and Identity Provider Issuer values.
  3. In the Rapid7 Command Platform, paste the values in the corresponding fields on the SSO Settings tab.

Set up a default access profile

In the Rapid7 Command Platform, a default access profile allows you to define the products and roles that are automatically assigned to users who are provisioned in Okta. See Set up the default access profile for more information.

Configure group synchronization

Group synchronization lets you manage user group assignments directly from your IdP. By including an attribute with the Rapid7 Command Platform user group names in your SAML response, users are automatically assigned to those groups and instantly inherit their associated products, roles, and resource permissions.

Note: When group synchronization is enabled, IdP users are removed from any Rapid7 Command Platform groups that aren't included in the SAML assertion. IdP users retain any roles or permissions that are assigned directly to them, including those inherited from a default access profile.

Configure user groups in the Rapid7 Command Platform

In the Rapid7 Command Platform, group synchronization is managed through user groups. Ensure that you've configured the user groups before you activate them. See How to create and manage user groups for more information.

Add group attributes in Okta

Ensure that users are assigned to user groups that have the same name as the corresponding Rapid7 Command Platform user group. If you haven't already created these groups, follow these steps:

  1. In the Okta Admin Console, go to Directory > Groups.
  2. Click Add group.
  3. Enter the same name as the corresponding Rapid7 Command Platform user group.
  4. Click Save.
  5. On the group's People tab, click Assign people.
  6. Click + beside the users you want to assign to the group.
  7. Click Done.

Configure the group attribute in Okta

Once your groups are configured, add a group attribute named rbacGroups to the SAML assertion so that it carries the names of the groups each user belongs to.

  1. In the Okta Admin Console, go to Applications > Applications.
  2. Search for and select the Rapid7 InsightAppSec app integration.
  3. Go to the Sign On tab.
  4. Go to the SAML 2.0 section and click More details.
  5. In the group attribute statement, enter rbacGroups as the attribute name.
  6. Select Matches regex from the Filter menu, and then enter .*.
  7. Click Next, and then click Finish.

Okta now includes the names of the user's Okta groups that match the filter as rbacGroups values in each SAML assertion, so group data reaches the Rapid7 Command Platform directly from your IdP at every SSO authentication. The .* filter sends every Okta group the user belongs to; if you prefer to send only the groups that exist in the Rapid7 Command Platform, use a narrower expression that matches just those group names.

Activate group synchronization in the Rapid7 Command Platform

Activate group synchronization after you've matched your Rapid7 Command Platform user groups to the corresponding Okta groups. Once group synchronization is activated, group memberships sync on each sign-in event. Consequently, IdP group updates, including removals, don't take effect in the Rapid7 Command Platform until the next time the user signs in.

See Group Synchronization for more information.

Verify SP-initiated SSO

  1. Go to https://insight.rapid7.com/login?sso=true.
  2. Enter your email and click Next. The browser redirects you to your org's Okta sign-in page.
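Both the group attribute procedure and the SP-initiated sign-in above end with a SAML response arriving at the Rapid7 Command Platform, and the quickest way to debug a failed sign-in or an empty group sync is to decode that response and compare it with the values pasted into the two consoles. The following Python script is an added example, not code from Okta or Rapid7. It decodes a SAMLResponse form value (as copied from a browser's network tab or a SAML tracer extension), reports the Destination, Audience, Issuer, NameID and attributes, flags mismatches against the expected values, and models how the Matches regex filter decides which Okta group names become rbacGroups values. The sample response, its URLs, issuer and group names are constructed placeholders; the attribute names rbacGroups, First Name, Last Name and Email are the ones this guide configures; the filter is modelled as a whole-name match, which you should confirm against a captured assertion before relying on a narrow pattern.

```python
"""Decode a SAMLResponse and compare it with the values configured in Okta and Rapid7.

Added example, not Okta or Rapid7 code. URLs, issuer and group names are
placeholders; only the attribute names come from the guide.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response. A real one is XML-signed and much longer;
# this one only carries the elements the checks below look at.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" Destination="https://sp.example/sso">
  <saml:Issuer>http://www.okta.com/exampleIssuer</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exampleIssuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example/audience</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="First Name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Last Name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="rbacGroups">
        <saml:AttributeValue>AppSec Admins</saml:AttributeValue>
        <saml:AttributeValue>AppSec Read Only</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The SAMLResponse form field is the base64 encoding of the XML above.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def okta_group_filter(user_groups, pattern):
    """Model of Okta's 'Matches regex' group filter: the group names that would
    be sent as rbacGroups values. Modelled as a whole-name match (assumption)."""
    rx = re.compile(pattern)
    return [g for g in user_groups if rx.fullmatch(g)]


def parse_saml_response(b64_response):
    """Decode a SAMLResponse value and pull out the fields worth checking."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no plaintext Assertion (encrypted or malformed)")
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination", ""),
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "attributes": attributes,
    }


def check_response(parsed, expected_sso_url, expected_audience, expected_issuer):
    """Compare the decoded response with the values pasted into both consoles.
    Returns a list of problems; an empty list means everything lines up."""
    problems = []
    if parsed["destination"] != expected_sso_url:
        problems.append(f"Destination {parsed['destination']!r} != SSO URL {expected_sso_url!r}")
    if parsed["audience"] != expected_audience:
        problems.append(f"Audience {parsed['audience']!r} != Audience URI {expected_audience!r}")
    if parsed["issuer"] != expected_issuer:
        problems.append(f"Issuer {parsed['issuer']!r} != Identity Provider Issuer {expected_issuer!r}")
    for name in ("First Name", "Last Name", "Email"):
        if not parsed["attributes"].get(name):
            problems.append(f"attribute {name!r} missing or empty")
    if not parsed["attributes"].get("rbacGroups"):
        problems.append("rbacGroups missing or empty: no group membership is synced from this assertion")
    return problems


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_RESPONSE_B64)
    print("NameID:", parsed["name_id"])
    print("rbacGroups:", parsed["attributes"].get("rbacGroups"))
    for problem in check_response(parsed, "https://sp.example/sso",
                                  "https://sp.example/audience",
                                  "http://www.okta.com/exampleIssuer"):
        print("PROBLEM:", problem)
    groups = ["AppSec Admins", "Everyone", "HR"]
    print("Filter '.*' sends:", okta_group_filter(groups, ".*"))
    print("Filter 'AppSec .*' sends:", okta_group_filter(groups, "AppSec .*"))
```

To use it on a real sign-in, replace SAMPLE_RESPONSE_B64 with the SAMLResponse value captured from the POST to the Rapid7 SSO URL and pass the SSO URL, Audience URI and Identity Provider Issuer you configured. The script only inspects values; it does not validate the XML signature, so it is a configuration check, not a substitute for the verification the service provider performs.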

Supported SAML attributes

The Rapid7 InsightAppSec app integration supports the following SAML attributes:

  Name         Value
  First Name   user.firstName
  Last Name    user.lastName
  Email        user.email