Updated on 7/26/2019
Online Help
Single sign-on (SSO)

SSO allows your organization to use its internal authentication tool to authenticate with and log in to Panopta. This guide will walk you through integrating with a generic SSO provider, such as Simple SAML. You can also find docs specifically for ADFS and Okta.

Control Panel Configuration

Navigate to the Integrations page by selecting Settings from the global navigation bar, followed by selecting Integrations. Here, you will find the Single Sign On section. Select configure on the SAML card.


General

Field | Description
URL Fragment | Customer-provided string that determines the login URL for your Panopta account, in the format my.panopta.com/sso/{url fragment}. For example, if you were to enter panopta, your login URL would be my.panopta.com/sso/panopta. Alpha characters only.
Username | Field in your SAML payload that matches a user's Panopta login email. This is email for most customers.
Entity ID | URL that provides your IDP metadata.
Login URL | The URL we redirect the user to when the user arrives at your Panopta SSO login. For instance, if a user visits your Panopta SSO URL, which is built from the URL Fragment configured in step 1, the Login URL is the address we then redirect them to, where they authenticate with your SSO tool.
Login Binding | This is a colon-separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.
Logout URL (optional) | URL to redirect the user to upon a logout request.
Logout Binding | This is a colon-separated sequence of strings. For example, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. It is generated by your SSO tool.

Certificate

A valid x509 certificate. Ensure it is copied without extra whitespace.

User Configuration


Field | Description
Prevent non-SSO logins | Enabling this option prevents users from logging in to Panopta with their email address and password. This setting can be overridden at the account level. To override the setting, see Mixing login types. Note: Leave this box unchecked until you have confirmed that your SSO configuration is working properly.
New User Notifications | Select the user account to notify when an SSO user signs on for the first time to Panopta.
Auto Create Users | Leave this box unchecked if you want to require admin approval before a user can use Panopta. Once a user logs in for the first time, those selected in the User Emails select list will receive a notification email. They can follow the link in the email to grant the new user access. Until they do this, the user will not be able to access Panopta; they will merely see a splash screen when they log in. You can view all users who are waiting for approval under the "Pending" users tab on the Users and Groups page. If you prefer to let users immediately begin using Panopta upon login, check this box.

Default Roles for New Users

There are two options when the Auto Create Users option is enabled:

  • Assign roles manually: If you're automatically creating the user the first time they log in via your SSO integration, they can optionally be assigned any number of roles by default.
  • SSO-based roles (Assign roles based on SAML mapping):

    If you're sending your internal roles in your SAML payload, you can map those to specific roles in Panopta.

    • In the SAML Role Field, provide the payload key that corresponds to your internal roles in your SAML payload.
    • In the SAML Role, enter the internal role you'd like to target. Please only enter one role.
    • In the Panopta roles to assign dropdown, select the roles you'd like the user to have in Panopta.

    You can create as many mappings as needed.
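
To check what a mapping would grant before enabling Auto Create Users, the following added example (not Panopta's code) reads a locally decoded assertion and previews the login email and roles. The attribute names email and memberOf, the internal roles and the Panopta role names are constructed placeholders, and the mapping semantics are assumed from the description above.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: attributes from a decoded assertion captured in a test login.
# This preview only reads attributes; it does not verify the assertion signature.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>noc-engineers</saml:AttributeValue>
      <saml:AttributeValue>contractors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical mappings: one internal role per entry -> placeholder Panopta role names.
ROLE_MAPPINGS = {
    "noc-engineers": ["responder", "viewer"],
    "platform-admins": ["admin"],
}

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def preview_login(assertion_xml, username_field, role_field, mappings):
    """Preview the login email and roles a first-time SSO user would receive."""
    attrs = read_attributes(assertion_xml)
    emails = attrs.get(username_field, [])
    if len(emails) != 1 or "@" not in emails[0]:
        raise ValueError(f"Username field {username_field!r} must carry exactly one email")
    sent = attrs.get(role_field, [])
    assigned = sorted({r for role in sent for r in mappings.get(role, [])})
    unmapped = [role for role in sent if role not in mappings]  # roles that grant nothing
    return {"email": emails[0], "assigned": assigned, "unmapped": unmapped}

if __name__ == "__main__":
    print(preview_login(SAMPLE_ASSERTION, "email", "memberOf", ROLE_MAPPINGS))
```

An empty assigned list means an auto-created user would receive no mapped roles, and an unexpected entry in it shows an over-broad mapping before any real user logs in.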


Mixing login types

Sometimes it is valuable to allow non-SSO users to still log in to your company's Panopta account, especially if you leverage outside resources. To allow certain users to still log in via email and password, check the "Allow Non-SSO Login" checkbox. This option can be found by editing the user: go to Settings > Users, Groups & On-Call, then edit the desired user. The option is on the first pane.

SSO configuration for Multi-tenant users

If you are a multi-tenant user, you have the option to apply your SSO configuration to all sub-accounts. You can find the following option under the User Configuration module on your master tenant account:

Select the Use for all sub-accounts option to use a single SSO configuration for all your sub-accounts/tenants. Settings configured in the master tenant account such as New User notification, Default Timezone, and Auto Create Users are also applied to all other tenants. All created users are automatically added to the correct tenant.