Configuration guide to allow your Developers to login seamlessly from your corporate environment.
- Prerequisites
- SSO Technical Configuration
- Supported SSO Authentication Modes
- Default Mapping
- Sample SAML Response
Pre-requisites
In order for Secure Code Warrior to support SSO, your organisation must be running a SAML v2.0 compliant identity provider (IDP). Secure Code Warrior supports.
- Real-time provisioning of users
- Service Provider (SP) initiated and Identity Provider (IDP) initiated SSO
Process
- You will need to contact support to enable SSO on your account.
- Metadata exchange with Secure Code Warrior
- Confirm configuration with SSO testing guide
SSO Technical Configuration
Metadata URL
- Production (US) - https://portal-api.securecodewarrior.com/auth/sso/metadata.xml?d=<company_domain>
- Production (EU) - https://portal-api.eu.securecodewarrior.com/auth/sso/metadata.xml?d=<company_domain>
- Test - https://customertest-api.securecodewarrior.com/auth/sso/metadata.xml?d=<company_domain>
replace <company_domain> with the domain of the email addresses that will be used by the end-users. e.g. for user@samplecompany.com this would be “samplecompany.com”
Assertion Consumer Service (ACS) URL
- Production (US) - https://portal-api.securecodewarrior.com/auth/sso/saml?d=<company_domain>
- Production (EU) - https://portal-api.eu.securecodewarrior.com/auth/sso/saml?d=<company_domain>
- Test - https://customertest-api.securecodewarrior.com/auth/sso/saml?d=<company_domain>
replace <company_domain> with the domain of the email addresses that will be used by the end-users. e.g. for user@samplecompany.com this would be “samplecompany.com”
Entity ID
- Production (US) - https://portal-api.securecodewarrior.com
- Production (EU) - https://portal-api.eu.securecodewarrior.com
- Test - https://customertest-api.securecodewarrior.com
Login URL
- Production - https://portal.securecodewarrior.com/
- Test - https://customertest.securecodewarrior.com/
Audience Restriction
- Production (US) - https://portal-api.securecodewarrior.com
- Production (EU) - https://portal-api.eu.securecodewarrior.com
NameID format:
- Email address
X.509 Certificate
To encrypt SSO communications please generate and use the X.509 public certificate using the metadata above.
RelayState
Redirection to a specific screen is supported via the SAML RelayState parameter. This is typically used for IDP-initiated SSO to define a target screen to land the user on. Once the user lands on the screen, the normal platform access checks and rules will apply to determine if the user will be able to access the requested resources.
Supported SSO Authentication Modes
Secure Code Warrior supports Authentication Only and Strict modes depending upon your requirements.
- Authentication Only Mode
Recommended for organizations that want to manage users roles, teams, etc within Secure Code Warrior Platform. Authentication is managed by the organization directory services. - Strict Mode
Recommended for organizations that want to manage everything, including Secure Code Warrior Teams, Roles, etc within their own directory services. Detailed configuration for Strict Mode is outlined below
For more details about the difference between 'Authentication Only mode' and 'Strict Mode', please read Authentication Only Mode vs Strict Mode
Strict Mode - Authentication AND Authorization: Configuration Roles, Teams and Tags
Roles, teams and tags can be set on users through group membership. Pass the groups that a user is a member of in a custom attribute called “Groups” (case sensitive). The custom attribute and group name prefixes can be customised if required.
Configuring the user role (mandatory - Company Admin, Team Manager or Developer)
- Secure Code Warrior will parse the Groups list and search for Groups matching SCW_ROLE_* and the * portion will be matched against the following defined roles:
- COMPANY_ADMIN
- TEAM_MANAGER
- DEVELOPER
For example, SCW_ROLE_TEAM_MANAGER will set the user as a team manager.
Note: Multiple roles behaviour isn't supported
Configuring the team (mandatory)
A team must be specified for developers and team managers, either by setting a default team or specifying the team explicitly.
To set a default team
- As part of the security setup of SSO, your Secure Code Warrior Customer Success Manager will enable a default team if required for your specific situation.
To explicitly set a team
- Secure Code Warrior will parse the Groups list and search for Groups matching SCW_TEAM_* and the * portion will be used as the team name
For example, SCW_TEAM_Mobile Team will place the user in a team called “Mobile Team”, creating it if it does not exist. The first team found will be used.
Configuring the tags (optional)
- Secure Code Warrior will parse the Groups list and search for Groups matching SCW_TAG_* and the * portion will be added as a tag for the user
For example, SCW_TAG_Java Developer will tag the user with “Java Developer”. All tags found will be added to the user
It is also possible to map a particular user attribute to a tag by using the SCW_TAG custom attribute. This can be used for a fixed value that is already present on a user - e.g. an employee ID.
Default Mapping Feature
You can leverage this feature in 2 ways:
- If you use authentication-only mode, you can allow users who don't have an account on the platform to access the platform. These users will be assigned the default role of "developer" and will land in the default team called "Default Team."
- If you use strict mode, users who haven't been assigned to the relevant role and team groups in your IDP will be denied access to the platform. However, you can also choose to assign these users the default role of "developer" and the default team called "Default Team" if they don't have a role or team attribute in the SAML response.
Default Role | Default Team | Behavior |
On |
Off | The user will be assigned the default role 'Developer', but the team role needs to be defined in the SAML response. |
Off | On | The user will land in the default team 'Default Team', but the role needs to be defined in the SAML response. |
On | On | The user will be assigned to the default role 'Developer' and the default team 'Default Team' if both attributes aren't defined in the SAML response |
Example
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@example.com</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2017-01-01T00:00:00Z" Recipient="https://portal-api.securecodewarrior.com/auth/sso/saml?d=example.com"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2017-01-01T00:00:00Z" NotOnOrAfter="2017-01-01T00:00:00Z">
<AudienceRestriction>
<Audience>https://portal-api.securecodewarrior.com</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2017-01-01T00:00:00Z" SessionIndex="bASE64/TeXT==">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
<AttributeStatement>
<Attribute Name="FIRST_NAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<AttributeValue>Test_FirstName</AttributeValue>
</Attribute>
<Attribute Name="LAST_NAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<AttributeValue>Test_LastName</AttributeValue>
</Attribute>
<Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<AttributeValue>SCW_ROLE_TEAM_MANAGER</AttributeValue>
<AttributeValue>SCW_TEAM_Digital Transformation</AttributeValue>
<AttributeValue>SCW_TAG_Java Developer</AttributeValue>
<AttributeValue>SCW_TAG_Region US</AttributeValue>
</Attribute>
</AttributeStatement>
Comments
0 comments
Please sign in to leave a comment.