Both SAML and LDAP (Identity Providers) can be used to authenticate users to the Alert application. Before users can authenticate using SAML or LDAP, you must configure both the external system Identity provider (IdP) and the Alert application.

LDAP or SAML user authentication workflow

The following is a high-level overview of the workflow for LDAP and SAML user authentication.

...

When users authenticate through LDAP or SAML to log in to Alert for the first time, they are added to the Alert database. The Alert administrator can then assign roles to those users on the User Management page. As of Alert 6.3.0, LDAP and SAML users that log in to Alert are assigned the ALERT_USER role on first login by default.

How LDAP and SAML work in Alert

LDAP
Users log in to Alert and are added to the Alert system with the most restricted access to Alert.
After the user has logged in for the first time, a System Administrator can assign roles to the user. The next time the user logs in, their access privileges are based on the roles assigned to them.

...

  • In Alert versions 5.2.0 and later, the authentication functionality was moved from the Settings page to the Authentication page.

  • On the Authentication page in Alert versions 5.2.0 and later, you can expand and collapse the LDAP, SAML, and User Management (removed in Alert 6.0.0) configuration settings.
    Click + to expand or - to collapse the LDAP Configuration and SAML Configuration sections.

LDAP configuration in Alert

Alert can authenticate users through LDAP.

...

  1. Click Test Configuration > + LDAP Configuration and enter the user name and password to test LDAP authentication.

  2. Click Send Test Message to test the authentication.

...

SAML configuration in Alert

Alert supports Security Assertion Markup Language (SAML) authentication. Only one SAML application can be connected to Alert at any time.

For Alert to work properly, roles must be assigned to SAML attributes. Each identity provider is different regarding the assignment of SAML attributes. However, Alert requires the SAML attribute AlertRoles. The AlertRoles must be a list of roles that Alert recognizes. ALERT_ADMIN is currently the only role that should be on the list.

...

To use the standard Alert login functionality (i.e. login as a user stored in the Alert database rather than an external system) when SAML is enabled, append the query parameter ?ignoreSAML=true to the Alert URL in the address bar.

WARNING: Always be sure to secure the passwords of users created in Alert, including the default Alert users (sysadmin, jobmanager, alertuser).

The Authentication tab under SAML Configuration can pre-fill some of the form fields from the SAML configuration of the selected Black Duck server (if that server has a SAML configuration).

Info

Synopsys recommends that only Alert administrators have the attribute for the ALERT_ADMIN role set. All other users should have their roles managed in the Alert user interface.

...

  1. SAML Enabled: Select the checkbox to enable SAML. If true, Alert attempts to authenticate using the SAML configuration.

  2. Force Auth: Select the checkbox to enable force auth. If true, the forceAuth flag is set to true in the SAML request to the identity provider (IDP). Check with your identity provider to verify support for force auth.

  3. Identity Provider Metadata URL: The metadata from the external identity provider.

  4. Identity Provider Metadata File: In Alert versions 5.1.0 and higher, you can upload a metadata XML file for SAML in the settings configuration. You can configure a URL if the IDP provides a URL or you can download a metadata XML file and upload it to the server.

    1. Click Browse to select your XML file.

    2. Click Upload.

    3. The Upload input field also includes the ability to remove the uploaded SAML XML configuration file from the server. Click Remove Uploaded File to remove the uploaded file from the server.

  5. Entity ID: The entity ID of the service provider (Alert). This is the audience defined in Okta.

  6. Entity Base URL: The URL of your Alert system.

  7. Sign Assertions: Select the checkbox to sign the assertions for SAML.

  8. Click Save.
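To make the SAML fields above concrete, here is an added example (not Alert's own code, and not how Alert is implemented internally) of what three of them correspond to on the wire: the Force Auth checkbox becomes the ForceAuthn attribute of the AuthnRequest sent to the IdP, the Identity Provider Metadata URL/File supplies the IdP's entityID and single sign-on endpoint, and the Entity ID must appear as the Audience in the assertion the IdP returns. The metadata, assertion, entity IDs and the `/saml/SSO` assertion consumer path are all constructed sample values; XML signature verification (what Sign Assertions governs) is left to a real SAML library and is not shown.

```python
"""Added example: what Force Auth, Identity Provider Metadata and Entity ID map to
in SAML 2.0 messages.  All URLs, IDs and XML below are constructed for
illustration and are not Alert's or any real IdP's values."""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for the form fields on this page.
SP_ENTITY_ID = "https://alert.example.test/alert"   # "Entity ID" (the audience)
SP_BASE_URL = "https://alert.example.test/alert"    # "Entity Base URL"
ACS_URL = SP_BASE_URL + "/saml/SSO"                 # hypothetical ACS endpoint

# Constructed IdP metadata, as the Metadata URL or uploaded file would supply it.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion whose AudienceRestriction names the SP entity ID.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://alert.example.test/alert</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_authn_request(sp_entity_id, acs_url, request_id, issue_instant, force_auth):
    """Minimal AuthnRequest.  ForceAuthn="true" is what the Force Auth checkbox
    asks the IdP for: re-authenticate the user even if an IdP session exists."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ForceAuthn": "true" if force_auth else "false",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def parse_idp_metadata(xml_text):
    """Extract the IdP entityID and its HTTP-Redirect SSO endpoint from metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find(f".//{{{NS_MD}}}SingleSignOnService[@Binding='{HTTP_REDIRECT}']")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
    }


def audience_matches(assertion_xml, sp_entity_id):
    """The Audience in the assertion must equal the configured Entity ID exactly;
    a mismatch means the assertion was issued for a different service provider."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in root.iter(f"{{{NS_SAML}}}Audience") if a.text]
    return sp_entity_id in audiences


if __name__ == "__main__":
    print(build_authn_request(SP_ENTITY_ID, ACS_URL, "_req1", "2024-01-01T00:00:00Z", True))
    print(parse_idp_metadata(IDP_METADATA))
    print(audience_matches(SAMPLE_ASSERTION, SP_ENTITY_ID))
```

The audience check is the reason the Entity ID field must match what is configured as the audience on the IdP side (Okta, in the page's wording): an assertion carrying a different audience should not be accepted, whichever side has the typo.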

To test your SAML configuration once SAML is enabled:

...

Info

Only one SAML application can be connected to Alert at any time.

...

Disabling SAML

There are two methods for disabling SAML authentication.

...

  1. Disable SAML by setting the environment variable ALERT_SAML_DISABLED=true.

  2. Restart Alert.

User role mapping

In Alert 6.0.0 the User Role Mapping form was removed from the Authentication page.

...

Both for LDAP and SAML, Alert still grants privileges for the corresponding default Alert roles (ALERT_ADMIN, ALERT_JOB_MANAGER, and ALERT_USER) if the user has been assigned the following:

LDAP group names:

  • ROLE_ALERT_ADMIN
    If a user belongs to this group they have ALERT_ADMIN role privileges along with any other role privileges assigned to the user in the Alert user interface.

  • ROLE_ALERT_JOB_MANAGER
    If a user belongs to this group they have ALERT_JOB_MANAGER role privileges along with any other role privileges assigned to the user in the Alert user interface.

  • ROLE_ALERT_USER
    If a user belongs to this group they have ALERT_USER role privileges along with any other role privileges assigned to the user in the Alert user interface.

SAML attribute mapping

  • ALERT_ADMIN
    If the user's SAML assertion contains an "AlertRoles" attribute with the value "ALERT_ADMIN", ALERT_ADMIN role privileges are granted along with any other role privileges assigned to the user in the Alert user interface.

  • ALERT_JOB_MANAGER
    If the user's SAML assertion contains an "AlertRoles" attribute with the value "ALERT_JOB_MANAGER", ALERT_JOB_MANAGER role privileges are granted along with any other role privileges assigned to the user in the Alert user interface.

  • ALERT_USER
    If the user's SAML assertion contains an "AlertRoles" attribute with the value "ALERT_USER", ALERT_USER role privileges are granted along with any other role privileges assigned to the user in the Alert user interface.

The SAML Role Attribute Mapping field lets an Alert administrator configure a SAML attribute other than the default "AlertRoles" attribute to carry the Alert role information; that is, the SAML attribute in the Attribute Statements that contains the roles for the user logging in to Alert. This is intended for Alert system administrators logging in by using SAML.

...

Cumulative effect of adding role assignments in SAML and LDAP

The user role from external systems such as SAML or LDAP is added to the current role configuration in the Alert database for the logged-in user.
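The LDAP group mapping, the SAML attribute mapping (including the configurable role attribute) and the cumulative effect described above can be shown together in one place. The following is an added example, not Alert's own code and not a description of its internals: it maps ROLE_ALERT_* LDAP group names and the values of the SAML role attribute onto Alert roles, drops values that are not Alert roles, and unions the result with the roles already stored for the user in the Alert database. The sample assertion and group list are constructed.

```python
"""Added example: how external role sources combine with database roles.
The LDAP group list, SAML assertion and user records are constructed samples."""
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ALERT_ROLES = {"ALERT_ADMIN", "ALERT_JOB_MANAGER", "ALERT_USER"}
LDAP_GROUP_PREFIX = "ROLE_"          # ROLE_ALERT_ADMIN -> ALERT_ADMIN
DEFAULT_ROLE_ATTRIBUTE = "AlertRoles"

# Constructed assertion: the default attribute grants ALERT_ADMIN, while a
# second attribute ("groups") mixes an Alert role with an unrelated value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="AlertRoles">
      <saml:AttributeValue>ALERT_ADMIN</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ALERT_JOB_MANAGER</saml:AttributeValue>
      <saml:AttributeValue>engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def roles_from_ldap_groups(group_names):
    """Map ROLE_ALERT_* group names to Alert roles; other groups are ignored."""
    found = set()
    for name in group_names:
        if not name.startswith(LDAP_GROUP_PREFIX):
            continue
        candidate = name[len(LDAP_GROUP_PREFIX):]
        if candidate in ALERT_ROLES:
            found.add(candidate)
    return found


def roles_from_saml_assertion(assertion_xml, role_attribute=DEFAULT_ROLE_ATTRIBUTE):
    """Read the configured role attribute (default "AlertRoles") from the
    AttributeStatement.  Values that are not Alert roles are dropped rather than
    passed through, so a stray attribute value cannot become a role."""
    root = ET.fromstring(assertion_xml)
    found = set()
    for attr in root.iter(f"{{{NS_SAML}}}Attribute"):
        if attr.get("Name") != role_attribute:
            continue
        for value in attr.findall(f"{{{NS_SAML}}}AttributeValue"):
            text = (value.text or "").strip()
            if text in ALERT_ROLES:
                found.add(text)
    return found


def effective_roles(db_roles, external_roles, first_login=False):
    """Cumulative effect: roles from LDAP or SAML are added to the roles stored
    for the user in the Alert database.  A first login also receives ALERT_USER,
    mirroring the default described for Alert 6.3.0."""
    roles = set(db_roles) | set(external_roles)
    if first_login:
        roles.add("ALERT_USER")
    return roles


if __name__ == "__main__":
    ldap = roles_from_ldap_groups(["cn=developers", "ROLE_ALERT_JOB_MANAGER", "ROLE_OTHER"])
    saml = roles_from_saml_assertion(SAMPLE_ASSERTION)
    print(ldap, saml)
    print(effective_roles({"ALERT_USER"}, saml))
```

Because the union only ever adds privileges, the attribute used for role mapping deserves the same protection as an administrator password on the IdP side; this is why the page recommends setting the ALERT_ADMIN attribute only for Alert administrators and managing everyone else in the User Management page.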

...

Info

Synopsys recommends that only Alert administrators have the attribute for the ALERT_ADMIN role set. All other users should have their roles managed in the Alert user interface.

SAML examples

The following examples show how roles were assigned in SAML before the User Management page was added to manage users and roles.
As of Alert 5.3.0 and later, Alert administrators should create, update, and assign roles using the User Management page. Alert administrators can still set the ALERT_ADMIN role attribute for themselves so that they can log in to Alert with full administrative privileges.

...

  • ALERT_ADMIN

  • ALERT_JOB_MANAGER

  • ALERT_USER

User role mapping configuration

Alert versions 5.3.0 and later have the following user roles:

...

If the user belongs to an LDAP group that matches the name input into one of the following fields, then Alert grants the user access to Alert, according to the mapped Alert role.

Fields for user roles

  • Admin User Role Name: The LDAP group name or SAML role attribute value to grant access as an administrator in Alert.

  • Job Manager Role Name: The LDAP group name or SAML role attribute value to grant access as a job manager in Alert.

  • User Role Name: The LDAP group name or SAML role attribute value to grant access as a user in Alert.

...