Version: v4.8

SSO with OneLogin

With Cyral, you can authenticate database users against your OneLogin instance.

Sourcing Group Information

We recommend creating some OneLogin roles specifically for the users that should have access to Cyral.
Later on, you will be able to set up fine-grained access control policies in Cyral based on these OneLogin roles. For this reason, you may choose to create multiple OneLogin roles for different levels of access. You may also choose to use mappings to populate the newly created OneLogin roles. We recommend this approach, as it offers the following benefits:

  • Source users from multiple external directories or trusted IdPs.
  • Simple and easy to manage who has access to Cyral.
  • Create and delete groups of users with no side-effects for other applications.
  • Control the groups that Cyral knows about; keep your internal group names private.

In Cyral management console, create a SAML integration

  1. Create a new SAML integration: Log in to your Cyral control plane UI, navigate to the Integrations section, find the SAML integration tile, and click Configure.

  2. Create a new SAML connection:

    • Specify a Display Name. This display name is used to identify the IdP to the user when they log in.
    • In Attribute Names in SAML Assertion section, accept the defaults.
    • Enable IdP-initiated login checkbox: Set IdP-initiated login to ON to give users the added option of logging in from your IdP's portal.
    • Click Continue
    • On the next screen, download the SP metadata file. You'll need this in the next step to set up your IdP. You are free to close the page. Your SAML Integration will save as a draft, and you will be able to return to it at a later time to finish entering the required configuration values.

Create SAML IdP app in OneLogin

Perform the following steps in OneLogin.

  1. Open the Applications menu of the OneLogin Administration Console, and add a new SCIM Provisioner with SAML (SCIM v2 Enterprise, full SAML) application.

  2. Give the application a name, and optionally upload a Cyral logo and add a description. Click Save.

  3. Open the SP metadata file you downloaded from the Cyral management console in the previous section. Navigate to the Configuration tab of your OneLogin SAML application. Copy the following values from your SP metadata file:

    • Set the SAML Audience URL in OneLogin to the Entity ID from the SP metadata. The URL should have the following format:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/auth/realms/default

      Click continue.

    • Set the Recipient in OneLogin using the AssertionConsumerService
      element from the SP metadata that is marked as default. The URL has the following format:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/auth/realms/default/broker/<CYRAL_CONTROL_PLANE_DOMAIN>/endpoint/client/client-<IDP_INTEGRATION_ID>
    • Set the ACS (Consumer) URL Validator in OneLogin using the Assertion Consumer Service URL marked as default. Because this field is a regular expression, perform the following modifications to the URL so that it matches only the exact ACS URL:

      * Escape every forward slash, period, and dash with a backslash (an unescaped period would match any character).
      * Add a ^ character to the beginning of the string.
      * Add a $ character to the end of the string.

      See these instructions for more information.

      The value will have the following format after the modifications:

      ^https:\/\/<CYRAL_CONTROL_PLANE_DOMAIN>\/auth\/realms\/default\/broker\/<CYRAL_CONTROL_PLANE_DOMAIN>\/endpoint\/clients\/<CYRAL_CONTROL_PLANE_DOMAIN>\-client$
    • Set the ACS (Consumer) URL in OneLogin using the AssertionConsumerService
      element from the SP metadata that is marked as default. The URL has the following format:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/auth/realms/default/broker/<CYRAL_CONTROL_PLANE_DOMAIN>/endpoint/client/client-<IDP_INTEGRATION_ID>
    • Set the Login URL in OneLogin to the following URL:

      https://<CYRAL_CONTROL_PLANE_DOMAIN>/app
    • Set the SAML Initiator to OneLogin.

    • Set the SAML NameID format to unspecified.

    • Set the SAML signature element to both.

  4. Click Save in the top righthand corner.

  5. Navigate to the Parameters tab of your OneLogin SAML application. Leave all default fields as is. You will additionally need to add some custom user attributes that Cyral will extract from the SAML assertion. For each field below, select the + icon in the top right corner:

    • First Name: This is required. Enter firstName as the Field name. Ensure that you check Include in SAML assertion. Click Save. Set the Value to be the user's first name. Click Save.

    • Last Name: This is required. Enter lastName as the Field name. Ensure that you check Include in SAML assertion. Click Save. Set the Value to be the user's last name. Click Save.

    • Email: This is required. Enter email as the Field name. Ensure that you check Include in SAML assertion. Click Save. Set the Value to be the user's email. Click Save.

    • Group Names: This is required. Enter memberOf as the Field name. Ensure that you check Include in SAML assertion. Additionally, select Multi-value parameter. Click Save. Set the Default if no value selected to be the User Roles. Click Save.

  6. Navigate to the SSO tab of your OneLogin SAML application. Set the SAML Signature Algorithm to SHA-256. Save the integration.

  7. Navigate to the Access tab of your OneLogin SAML application. Select the OneLogin Roles that contain the users that should have access to Cyral. Save the integration.

  8. Select More Actions ➡️ SAML Metadata to download the IdP Metadata associated with your OneLogin SAML application.
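The ACS (Consumer) URL Validator built in step 3 is a regular expression, and getting the escaping wrong is easy to miss. The following added example (not Cyral's or OneLogin's code) derives the validator from a constructed ACS URL exactly as the manual steps describe, and uses Python's re module as an approximation of OneLogin's matcher to show why the periods must be escaped. The domain cp.example.com and integration id abc123 are constructed sample values.

```python
import re

# Constructed sample values for illustration; substitute your own.
CONTROL_PLANE = "cp.example.com"
INTEGRATION_ID = "abc123"
ACS_URL = (
    f"https://{CONTROL_PLANE}/auth/realms/default/broker/{CONTROL_PLANE}"
    f"/endpoint/client/client-{INTEGRATION_ID}"
)
# A look-alike host that differs from the real one only at the first period.
LOOKALIKE = ACS_URL.replace(CONTROL_PLANE, "cpxexample.com", 1)


def acs_url_validator_regex(acs_url: str) -> str:
    """Turn the default ACS URL into the anchored validator expression.

    Mirrors the manual steps: escape every '/', '.' and '-' with a
    backslash, then anchor with '^' and '$' so only the exact URL matches.
    """
    escaped = "".join("\\" + ch if ch in "/.-" else ch for ch in acs_url)
    return f"^{escaped}$"


def naive_validator(acs_url: str) -> str:
    """The mistake to avoid: anchoring without escaping leaves each '.'
    as a wildcard, so a look-alike host still satisfies the validator."""
    return f"^{acs_url}$"


def validator_accepts(validator: str, candidate: str) -> bool:
    """Evaluate a candidate URL against a validator with Python's re
    (an approximation of OneLogin's matcher, used here for illustration)."""
    return re.match(validator, candidate) is not None


if __name__ == "__main__":
    good = acs_url_validator_regex(ACS_URL)
    print(good)
    print("escaped accepts real ACS URL:", validator_accepts(good, ACS_URL))
    print("escaped accepts look-alike:  ", validator_accepts(good, LOOKALIKE))
    print("naive accepts look-alike:    ", validator_accepts(naive_validator(ACS_URL), LOOKALIKE))
```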

In Cyral management console, complete the SAML integration

In this final step, you will supply the IdP Metadata you downloaded from OneLogin to the Cyral management console.

  1. Return to your SAML integration in the Cyral management console. Upload the IdP Metadata XML file you retrieved from OneLogin.

  2. Click Save.

Your SAML Integration is complete. You can verify it by logging into your CP using the new OneLogin integration from both the Cyral CP and your OneLogin dashboard.
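If the login succeeds but users land without the expected roles, the usual cause is one of the custom parameters from step 5 not being included in the assertion. The following added example (not Cyral's code) reads the AttributeStatement of a SAML assertion, keeps every value of the multi-value memberOf parameter, and reports which of the four required attributes are missing. The assertion fragment is constructed sample data; this inspects attributes only and does not verify the assertion's signature, which the control plane does on its side.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The four custom parameters configured in the OneLogin Parameters tab.
REQUIRED = ("firstName", "lastName", "email", "memberOf")

# Constructed sample assertion fragment (values are illustrative only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cyral-admins</saml:AttributeValue>
      <saml:AttributeValue>cyral-analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Collect every <saml:Attribute> by Name, keeping all of its values so
    that multi-value parameters such as memberOf are preserved as lists."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def missing_required(attrs: dict) -> list:
    """Names of required attributes that are absent or empty, which is what
    you see when 'Include in SAML assertion' was left unchecked."""
    return [name for name in REQUIRED if not attrs.get(name)]


def roles(attrs: dict) -> list:
    """The OneLogin roles delivered in memberOf; these are the names you
    reference in Cyral access policies."""
    return list(attrs.get("memberOf", []))


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    print("roles:", roles(parsed))
    print("missing:", missing_required(parsed))
```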

Next step

See Set up SSO authentication for users for the steps to activate SSO authentication on each repository that will use it.