
Access Control - Settings Tab (v2.0 and up)

The Settings tab enables the Access Control Admin or Access Control Manager user to set up and define general settings for SMTP and Domain Management, as well as settings for LDAP and SAML.

This section contains the following pages:

  • Settings Tab - General Settings (v2.0 and up)

  • Settings Tab - LDAP Server Settings (v2.0 and up)

  • Settings Tab - SAML Settings (v2.0 and up)

Settings Tab - General Settings (v2.0 and up)

General Settings allows the Access Control Admin or Access Control Manager user to set up and define the system’s general settings for SMTP and Domain Management.

To enter the Settings page, click the Settings tab. The General Settings page is displayed.


Configuring General Settings (General Tab)

On the General Settings page, you can configure the following:

  • SMTP Server settings

  • Domain Management settings

SMTP Server Settings

The SMTP Server can email administrators about access control changes and alerts. First, however, you need to configure the SMTP settings that the server uses to send these emails.

Notice

Users cannot reset their password using the ‘Forgot Password’ option if the SMTP server is not configured.

After migration to Access Control 2.0, SMTP settings are configured in two places:

  1. In Access Control (this page), for the 'Forgot Password' use case.

  2. For emails sent by CxSAST, under General Settings > SMTP Settings in Application Settings.

The General Settings page – SMTP Settings section provides the following information fields/options.

Field

Description

Host (Outgoing Mail Server) *

Enter the name or IP address of the outgoing mail server.

Port *

Enter the SMTP port. The default is port 25 (used when encryption is not enabled); change it if your mail server listens on a different port.

Encryption Type

SSL – Enable SSL so that the connection to your mail server is encrypted.

TLS – Enable TLS, the newer and more secure successor to SSL.

None – Connect to your mail server without encryption.

Send from address *

Enter the address that will send the email (e.g., [email protected]).

Use default credentials

Check to use the default credentials.

User Name and Password

Optionally, enter the SMTP user name and password for your pre-configured SMTP server account.

Send Test Email

Once the settings are defined, use this option to validate the connection. Validation is performed by sending and receiving a test email.


* indicates required field

Enter all the required information, then click Send a Test Email to ensure SMTP connectivity. A message informs you of the test status.

Upon notification of a successful email test, click Update to save the settings.


Domain Management Settings

The Domain Management settings are used for LDAP-enabled SSO login and user authentication. From here you manage existing domains and add new ones.

The General Settings page – Domain Management section provides the following information fields/options.

Field

Description

Domain Name

The short domain name.

DNS Domain

The Fully Qualified Domain Name (FQDN).

Add

Click to add a new domain.

Name*

Enter the short domain name, which can be determined by running "echo %userdomain%" in the command prompt.

DNS Domain*

Enter the Fully Qualified Domain Name (FQDN), which can be determined by running "echo %userDNSdomain%" in the command prompt.


To edit a domain:

Click the icon and edit as needed, then click UPDATE.


To remove a domain:

Click the icon, then on the confirmation message, click REMOVE.

* indicates a required field


Settings Tab - LDAP Server Settings (v2.0 and up)

LDAP Server Settings allows the Access Control Admin or Access Control Manager user to set up and define settings for LDAP servers.

Configuring LDAP Server Settings (LDAP Page)

LDAP (Lightweight Directory Access Protocol) is an Internet protocol that web applications use to look up user and group information held on an LDAP server – for authentication, authorization, and group and role mapping. Connecting to an LDAP directory server is useful when user groups are stored in a corporate directory. Synchronization with LDAP allows users and groups in the Checkmarx product to be created, updated, and deleted automatically according to changes made in the LDAP directory.

You can configure one or more LDAP servers in the system.

Configuring a New LDAP Server

To configure a new LDAP server, go to the Settings tab > LDAP (LDAP Settings) page.


Click Add New LDAP Server. The LDAP Servers > Server Settings tab is displayed.

Notice

Three tabs can be configured for the LDAP server: Server Settings, Directory Settings (required), and Synchronization (optional, disabled by default). Each tab displays the default (but changeable) attributes in its respective fields – according to the directory type selected.

LDAP Settings – Server Settings Tab

The first of three tabs to configure on the LDAP Servers page is Server Settings, where you configure the LDAP server connection settings.


The LDAP Settings > Server Settings page provides the following information fields/options.

Field

Description

Enable LDAP Server

Toggle to enable/disable the LDAP server.

NOTE: Disabling the LDAP server will prevent the users of this LDAP server from logging into the system. It will still be possible to manually add users and map LDAP groups to roles.

Server name *

Enter the name of the LDAP server.

NOTE: This name will also be used on the login page.

Host name *

Enter the LDAP server hostname.

For example: ldap.company.com

Port *

Enter the LDAP server port.

For example: 389 (unencrypted LDAP) or 636 (LDAP over SSL).

User name & Password *

Enter the credentials of the binding user (LDAP bind username and bind password).

NOTE: The user needs at least read permissions to the LDAP directory.

The username can be in the following formats: <domain\username> or <username@domain> or <full user DN>

For example: [email protected] or cn=user,dc=domain,dc=name

Use SSL

Check this to connect to the LDAP server using SSL encryption.

Verify SSL certificate

Check this to verify the SSL certificate.

NOTE: If you use an untrusted certificate, you can disable certificate verification so that the connection succeeds. SSL will still be used and the traffic will be encrypted; however, without verification the identity of the LDAP server is not authenticated, so prefer installing a trusted certificate.

* indicates required field

After entering all information, click Test Connection to validate the LDAP connectivity. A message informs you of the test status.

Upon a successful connectivity test, click Save, and then configure in Directory Settings.

LDAP Settings – Directory Settings Tab

The second tab to configure on the LDAP Servers page is Directory Settings.

The Directory Settings page is shown in the original with two examples, one for the directory type Active Directory and one for the directory type Open LDAP; the default attribute values differ by directory type.

The LDAP Settings > Directory Settings page provides the following information fields/options.

Field

Description

Directory Type *

Select from the options Active Directory, Open LDAP, Custom LDAP Server.

Server attributes are automatically populated according to default settings.

Enable SSO

NOTES:

  • Only enabled for the ‘Active Directory’ directory type.

  • User login with Windows SSO does not require entering login credentials.

  • See Access Control - Preparing the Environment > Active Directory - LDAP SSO Configuration.

Domain *

Select a Windows domain to map the LDAP server to.

NOTES:

  • It is only possible to map domains not already mapped to an LDAP server.

  • Users not in this domain cannot log in through Windows SSO (even though they are part of the LDAP server settings). They will be able to log in with their LDAP username and password.

Base DN *

The LDAP root node for searching users.

Additional User DN

Limits user search to specific DN (to optimize the search time). The additional user DN is appended to the base DN.

NOTE: Do not repeat the base DN in this field.

User Object Class *

The LDAP user object class type to use when loading users.

User Object Filter *

The filter expression to use when searching user objects.

Username Attribute *

The attribute on the user object that holds the login username.

User First Name Attribute *

The attribute field to use when loading the user’s first name.

User Last Name Attribute *

The attribute field to use when loading the user’s last name.

User Email Attribute *

The attribute field to use when loading the user’s email.

* indicates required field

After entering all information, click Test User Schema to check the connection to the LDAP server and validate the user schema settings and attributes. A message informs you of the test status.

Upon a successful user schema test, click Save and then configure the Synchronization tab.
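As an added example (not Checkmarx's code), the following Python assembles the search base and the user lookup filter from the Directory Settings fields above, including the check for the repeated Base DN the NOTE warns about; the settings values are constructed, and the value escaping follows RFC 4515.

```python
# Added example (not Checkmarx code): assemble the effective LDAP user search
# from the Directory Settings fields described above. All values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectorySettings:
    base_dn: str              # Base DN
    additional_user_dn: str   # Additional User DN (optional, appended to the Base DN)
    user_object_class: str    # User Object Class
    user_object_filter: str   # User Object Filter (a complete parenthesised expression)
    username_attribute: str   # Username Attribute


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def additional_dn_repeats_base(base_dn: str, additional_dn: str) -> bool:
    """True when the Additional User DN already ends with the Base DN, the mistake
    the NOTE warns against (the Base DN would then be appended a second time)."""
    extra = normalize_dn(additional_dn.strip().rstrip(","))
    return bool(extra) and extra.endswith(normalize_dn(base_dn))


def effective_search_base(s: DirectorySettings) -> str:
    """The search base actually used: '<Additional User DN>,<Base DN>'."""
    if additional_dn_repeats_base(s.base_dn, s.additional_user_dn):
        raise ValueError("Additional User DN must not repeat the Base DN")
    extra = s.additional_user_dn.strip().rstrip(",")
    return f"{extra},{s.base_dn.strip()}" if extra else s.base_dn.strip()


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter, so characters typed
    into the login form cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_lookup_filter(s: DirectorySettings, login_name: str) -> str:
    """Filter for the login lookup: object class AND the configured object filter
    AND the Username Attribute equal to the escaped name the user typed."""
    return (
        f"(&(objectClass={s.user_object_class})"
        f"{s.user_object_filter}"
        f"({s.username_attribute}={escape_filter_value(login_name)}))"
    )


# Constructed settings (not the product's defaults) for an Active Directory style tree.
AD_SETTINGS = DirectorySettings(
    base_dn="dc=example,dc=com",
    additional_user_dn="ou=People",
    user_object_class="user",
    user_object_filter="(objectCategory=Person)",
    username_attribute="sAMAccountName",
)

if __name__ == "__main__":
    print(effective_search_base(AD_SETTINGS))
    print(user_lookup_filter(AD_SETTINGS, "jdoe"))
    # Metacharacters in the typed name stay inside the value after escaping.
    print(user_lookup_filter(AD_SETTINGS, "jdoe*)(cn=x"))
```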

LDAP Settings – Synchronization Tab

The third tab to configure on the LDAP Servers page is Synchronization.


Notice

The "Enable Default Team" and "Enable Default Role" capabilities are available only from CxSAST 9.0 HF8.

Field

Description

Synchronization enabled/disabled

If synchronization is disabled, users must be created manually (via Import from Directory only), as there is no information about roles and teams to create them.

Enabling synchronization enables the creation of new LDAP users who will be automatically assigned to roles and teams according to their LDAP mapping.

NOTE: If synchronization is disabled, only LDAP users that already exist in Access Control can log in. If synchronization is enabled, an LDAP user can log in with just a username and password and is created automatically.

ROLE AND TEAM MAPPING

Enables defining the default role(s) and team(s) to be assigned to newly-created LDAP-based users.

Default Role & Default Team *

Define the default role and team assigned to newly created, LDAP-based users.

NOTE: A default team (but not a default role) must be selected when synchronization is enabled. In the Hierarchy tree, you can search for a specific team by any string within the team information (see Hierarchy Tree Team Search).

These defaults (for Role and Team) will be used if no Advanced Team and Role Mapping are defined for a current user trying to log in.

Automatically update user role and team upon login

If checked, a user’s role and team will be automatically updated upon login, according to default or Advanced Team and Role Mapping.

NOTE: If this feature is not checked, a user's details will only be updated once – at the first login.

Periodically sync user availability

If checked, then every 24 hours, all LDAP users (usernames) deleted from the LDAP server will be deactivated in Access Control (therefore freeing up those licenses).

A red indicator next to a user’s name (in the list of users on the Users tab) indicates that the user has been deactivated.


NOTE: If the connection to the LDAP server fails, the deleted users will not be deactivated in Access Control.

Advanced Team and Role Mapping

Enables mapping roles and teams to LDAP groups.

Enables a user’s role to be set according to specific LDAP group DNs automatically. Enables the user to automatically be assigned to a team according to LDAP mapping configuration (see here > LDAP Group Mapping).

Enable Default Team

When Advanced Team and Role Mapping is enabled, this option enables or disables default team mapping.

Enable Default Role

When Advanced Team and Role Mapping is enabled, this option enables or disables default role mapping.

GROUP SCHEMA SETTINGS

Enables defining the search of LDAP groups that can be mapped to teams (see here > LDAP Group Mapping).

Additional Group DN

[Optional]: The Additional Group DN (appended to the Base DN) reduces the search scope to a specific DN when searching for groups.

NOTE: Do not repeat the Base DN in this field.

Group Object Class

Used for team mapping, it defines the group object class and limits group searching to a specific DN.

NOTE: Required if Synchronization and Advanced Team and Role Mapping are enabled.

Group Object Filter

Used for team mapping, Group Object Filter is an LDAP filter expression for use when searching groups.

NOTE: Required if Synchronization and Advanced Team and Role Mapping are enabled.

Group Name Attribute

Used for team mapping, Group Name Attribute is an attribute in LDAP defining a group’s name.

NOTE: Required if Synchronization and Advanced Team and Role Mapping are enabled.

MEMBERSHIP SCHEMA SETTINGS

Enables defining the attributes that associate the LDAP users with their assigned teams.

Group Members Attribute (member)

An LDAP member attribute, which is multi-value, contains a list of unique names for users in the team (user DNs), as well as group and contact objects that are members of the group.

It is used to determine the logged-in user groups to perform the right mapping to roles and teams.

NOTE: Required if Synchronization and Advanced Team and Role Mapping are enabled.

User Membership Attribute (memberOf)

An LDAP memberOf attribute, which is multi-value, contains all the groups the current user is a member of (group DNs).

If designated, this attribute replaces the Group Members Attribute for determining the logged-in user groups (taking the groups the user belongs to straight from the user entry instead of searching inside every group).

ADVANCED ROLE MAPPING

Define what role(s) the users in specific LDAP group(s) will be assigned (mapped) to. Multiple roles can be assigned to the same LDAP Group DN.

  1. Click Edit Advanced Role Mapping.

  2. Click the arrow in the Cx Role field and select a role from the options.

  3. In the LDAP Group DN field, enter the group DN(s); use a semicolon to separate multiple group entries.

     Example: cn=dev,ou=grp,dc=my,dc=org;cn=qa,ou=grp,dc=my,dc=org

  4. Repeat this procedure for each LDAP group-to-role mapping.

  5. Click Update.

* indicates required field

After you have finished configuring the synchronization settings (or if you have disabled synchronization), click Test User & Group Schema to check the connection to the LDAP server, validate the user schema settings and attributes, and validate the group schema. A message informs you of the test status.

Click Save.
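The following Python is an added example (not Checkmarx's code) of how the Synchronization settings above combine at login: group membership taken from the User Membership Attribute (memberOf) or derived by scanning the Group Members Attribute (member), Advanced Role Mapping rows with semicolon-separated group DNs, and the default role and team as the fallback when nothing matches. The directory entries, role names and team paths are constructed.

```python
# Added example (not Checkmarx code): resolve a user's roles and teams from the
# Synchronization tab settings. Directory content, role names and team paths are
# constructed stand-ins so the logic runs offline.


def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignore spaces after the commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_group_dn_field(field: str) -> set:
    """The 'LDAP Group DN' field: several group DNs separated by semicolons."""
    return {normalize_dn(p) for p in field.split(";") if p.strip()}


def groups_of_user(user: dict, groups: dict, use_member_of: bool) -> set:
    """Groups via the user's memberOf attribute when that attribute is designated,
    otherwise by scanning every group's member attribute for the user's DN."""
    if use_member_of:
        return {normalize_dn(g) for g in user.get("memberOf", [])}
    me = normalize_dn(user["dn"])
    return {normalize_dn(gdn) for gdn, attrs in groups.items()
            if me in {normalize_dn(m) for m in attrs.get("member", [])}}


def resolve_roles(user_groups, role_mapping, default_role, default_role_enabled) -> set:
    """Advanced Role Mapping rows are (Cx Role, 'dn1;dn2'); several rows may name
    the same group. The default role applies only when no row matched."""
    roles = {role for role, dns in role_mapping if user_groups & parse_group_dn_field(dns)}
    if not roles and default_role_enabled:
        roles.add(default_role)
    return roles


def resolve_teams(user_groups, team_mapping, default_team, default_team_enabled) -> set:
    """team_mapping: group DN -> team path. The default team applies when nothing matched."""
    teams = {team for gdn, team in team_mapping.items() if normalize_dn(gdn) in user_groups}
    if not teams and default_team_enabled:
        teams.add(default_team)
    return teams


# Constructed directory: two groups and three users (carol belongs to no group).
GROUPS = {
    "cn=dev,ou=grp,dc=my,dc=org": {"member": ["cn=alice,ou=people,dc=my,dc=org"]},
    "cn=qa,ou=grp,dc=my,dc=org": {"member": ["cn=alice,ou=people,dc=my,dc=org",
                                             "cn=bob,ou=people,dc=my,dc=org"]},
}
USERS = {
    "alice": {"dn": "cn=alice,ou=people,dc=my,dc=org",
              "memberOf": ["CN=dev, OU=grp, DC=my, DC=org", "cn=qa,ou=grp,dc=my,dc=org"]},
    "bob": {"dn": "cn=bob,ou=people,dc=my,dc=org", "memberOf": ["cn=qa,ou=grp,dc=my,dc=org"]},
    "carol": {"dn": "cn=carol,ou=people,dc=my,dc=org", "memberOf": []},
}
ROLE_MAPPING = [("Reviewer", "cn=dev,ou=grp,dc=my,dc=org;cn=qa,ou=grp,dc=my,dc=org"),
                ("Scanner", "cn=dev,ou=grp,dc=my,dc=org")]
TEAM_MAPPING = {"cn=dev,ou=grp,dc=my,dc=org": "/CxServer/Dev",
                "cn=qa,ou=grp,dc=my,dc=org": "/CxServer/QA"}


def login(login_name: str, use_member_of: bool = True) -> dict:
    """What a synchronised login would assign, with default role and team enabled."""
    g = groups_of_user(USERS[login_name], GROUPS, use_member_of)
    return {"roles": resolve_roles(g, ROLE_MAPPING, "Viewer", True),
            "teams": resolve_teams(g, TEAM_MAPPING, "/CxServer", True)}
```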

Editing an LDAP Server Configuration

To edit an existing LDAP server configuration, go to the Settings tab > LDAP (LDAP Settings) page.


Click EDIT. The LDAP Servers > Server Settings tab is displayed.

Edit as needed in any of the three tabs: Server Settings, Directory Settings, Synchronization.

Be sure to test the connection, user schema, and user & group schema as applicable, and click SAVE on every tab that has been edited. See Configuring a New LDAP Server above.


Deleting an LDAP Server Configuration

Danger

Deleting an LDAP server configuration will remove all associated user data.

To delete an existing LDAP server configuration, go to the Settings tab > LDAP (LDAP Settings) page.


For the LDAP server configuration you want to delete, click its delete icon, and then on the confirmation message, click DELETE.

Creating LDAP Users in CxSAST

After configuring the LDAP server with SAST, you can import LDAP users into SAST.

  1. Go to the Users tab.

  2. Click Add User.

  3. On the pop-up, click Import From Directory.

  4. Search for the user you want to import from the LDAP directory and press Enter.

Login using LDAP Single Sign-on

Login using LDAP single sign-on can be performed from the CxSAST web interface as follows:

  1. Access the CxSAST web interface using the Checkmarx Portal shortcut on the Desktop or navigate to the Checkmarx folder.

  2. On the Login screen, for the Sign-in method, select LDAP.


NOTE: The LDAP login option is only available on the CxSAST Login screen if LDAP is enabled in the LDAP configuration (Access Control > Settings > LDAP > LDAP Servers > Server Settings > Enable LDAP Server).


Settings Tab - SAML Settings (v2.0 and up)

SAML Settings allows the Access Control Admin or Access Control Manager user to set up and define settings for SAML.

Configuring SAML Settings (SAML Page)

Security Assertion Markup Language (SAML) is an XML-based format for exchanging user authentication and authorization data between SAML Identity Providers (IdPs) and a SAML Service Provider. CxSAST is now SAML 2.0 aware and can be configured to act as a SAML 2.0 Service Provider. SAML supports the user lifecycle by retrieving users from the Identity Provider and defining them in CxSAST. SAML is used for Single Sign-On (SSO), is configurable for team and role mapping, and allows for more centralized user management.

Configure one or more SAML identity providers (IdPs) in the system.

To configure SAML, go to the Settings tab > SAML (SAML Settings) page:


Notice

For additional information on SAML configuration (for v9.0.0 and up), such as SAML Service Provider settings, SAML Identity Provider settings and SAML Single Sign-On with OKTA, see Single sign-on with OKTA and SAML.

SAML Settings – Identity Providers

The first of two SAML Settings tabs to configure is Identity Providers.

Click the Add Identity Providers link. The Add New SAML Provider page is displayed, where you can configure one or more identity providers in the system.


The Identity Providers page provides the following information fields/options for configuring a new SAML IDP:

Field

Description

ADD NEW / EDIT SAML IDENTITY PROVIDER (IdP)

Configure one or more new SAML identity providers in the system. SAML will be used as a single sign-on login and can be configured for user authentication, team, and role mapping.

Enable SAML

Toggle to enable/disable SAML.

Identity provider display name

Enter the display name of the SAML IDP server.

Example: CxSAML

Issuer (identity provider)

The unique identifier of the IdP, which is usually a URL belonging to the IdP.

In certain SAML implementations, it is called “entity Id.”

This parameter is provided by the IdP setup information under ‘Identity Provider Issuer’.

Example: https://srvl.idpname.com/mypage

Single Sign-On URL

The IdP login location to where SAML requests will be sent.

This parameter is provided by the IdP setup information under ‘Identity Provider Single Sign-On URL'.

Example: https://srvl.idpname.com/app/checkmarxdev/sso/saml

Logout Redirect URL

The location to where logout instances will be redirected.

Example: https://srvl.idpname.com/apps

Error Redirect URL

The location to where error instances will be redirected.

IdP Certificate File

This is the public key (X.509 certificate) from the IdP Setup instructions under ‘Download Certificate'.

The certificate will be used to validate the SAML assertion from the IDP.

Browse

Browse for the IdP certificate file location and navigate to the IdP certificate file (.cert) downloaded from the Identity Provider Setup instructions.

Sign SAML AuthnRequest

Select to sign the SAML AuthnRequest.

Request Binding

Click the Request Binding dropdown arrow and select the SAML binding to use when sending the request: HTTP-Redirect or HTTP-POST.

USER AUTHORIZATION MANAGEMENT

Presents two options: whether the user's authorization (teams and roles) is controlled by the SAML Identity Provider or by the Access Control application.

Application Authorization

If this option is selected, SAML users receive the default role and default team (as defined in the Default Role and Default Team fields).

Default Role

Click the dropdown arrow and select the default role assigned to newly created SAML-based users.

Default Team

Click the SELECT button, and then click on a team name in the window that displays. Then click SELECT TEAM.

IdP Authorization

If this option is selected, the teams and roles managed by the SAML Identity Provider are automatically updated upon login to CxSAST/CxOSA. The definitions for the update are made when the user attributes are created and mapped in the SAML IdP.

When the IdP Authorization option is selected, upon user login, all the teams and roles manually assigned within Access Control (via the Application Authorization option) will be overwritten with the SAML-defined teams and roles.

NOTE: The teams and roles assigned per user in the SAML IDP must exist in CxSAST before the assignment. Otherwise, the user won't be assigned those teams/roles, and the user won't be able to log in to Checkmarx products.

Click SAVE.

Notice

For additional information on SAML configuration (for v9.0.0 and up), such as SAML Identity Provider settings with OKTA, see Adding a New SAML Identity Provider in Access Control.

Editing a SAML Identity Provider Configuration

From the SAML Settings page, click EDIT on an existing SAML IDP configuration that needs editing. The Edit SAML Identity Provider window is displayed.

Edit the fields/options as needed (see the table above), and then click SAVE.

SAML Settings – Service Providers

The second of two SAML Settings tabs to configure is Service Provider.

A SAML service provider is a system entity (a Checkmarx product such as CxSAST) that issues authentication assertions in conjunction with a Single Sign-On (SSO) profile of SAML.


The Service Provider page provides the following information fields/options:

Field

Description

SP Certificate File

The certificate will be used to sign the SAML request (default provided).

Browse

You can browse to another SP certificate file, but only P12 or PFX certificate file formats that contain a private key can be uploaded.

Password

The SP Certificate file password.

Issuer (Service provider)

The unique identifier of the Service Provider (e.g., http{s}://{server}:{port}). The field must contain a valid, fully-qualified HTTP or HTTPS URL.

NOTE: The provided default value can be changed.

Download Metadata

For downloading the Access Control SP metadata configuration. This file (Cx_SAML_Metadata) can be uploaded to the IdP for easier configuration of the Access Control SP.

Click UPDATE.
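As an added example, not Checkmarx's code, this Python builds a minimal SAML 2.0 AuthnRequest from the Issuer (service provider) and Single Sign-On URL values described in the Identity Providers and Service Providers tables above and encodes it for the two Request Binding options, HTTP-Redirect and HTTP-POST. The SP issuer, the ACS URL and the request ID are constructed placeholders, and the request is left unsigned (the Sign SAML AuthnRequest option adds an XML signature, which is not shown).

```python
# Added example (not Checkmarx code): build a minimal SAML 2.0 AuthnRequest from the
# Issuer (service provider) and Single Sign-On URL fields and encode it for both
# Request Binding options. SP issuer, ACS URL and request ID are constructed.
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_issuer, idp_sso_url, acs_url, request_id=None, issue_instant=None):
    """Unsigned AuthnRequest. Destination must equal the IdP's SSO URL and ID must be
    a valid xs:ID (leading letter or underscore); a compliant IdP rejects either fault."""
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_issuer
    return ET.tostring(req, encoding="unicode")


def parse_authn_request(xml):
    """The fields an IdP reads back; used here to check the round trips."""
    root = ET.fromstring(xml)
    return {"id": root.get("ID"), "destination": root.get("Destination"),
            "issuer": root.find(f"{{{SAML}}}Issuer").text}


def encode_http_redirect(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then
    URL-encoding, carried in the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_http_redirect(query):
    """Reverse of encode_http_redirect, as the IdP performs it on receipt."""
    raw = base64.b64decode(parse_qs(query)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def encode_http_post(xml):
    """HTTP-POST binding: plain base64 (no compression) in a SAMLRequest form field."""
    return base64.b64encode(xml.encode()).decode()


def decode_http_post(field):
    return base64.b64decode(field).decode()


def sample_request():
    """Fixed ID and timestamp for reproducible output; the SSO URL is the page's example."""
    return build_authn_request("https://sp.example.com/saml",
                               "https://srvl.idpname.com/app/checkmarxdev/sso/saml",
                               "https://sp.example.com/saml/acs", "_req1", "2024-01-01T00:00:00Z")
```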

Notice

For additional information on SAML configuration (for v9.0.0 and up), such as SAML Service Provider settings, see Defining SAML Service Provider Settings in Access Control.
