Skip to main content

Configuring the Identity Provider for SAML

In this example, OKTA is used as the SAML IdP.

Creating a Service Provider Application in OKTA

To create a Service Provider application in OKTA:

  1. Navigate to https://www.okta.com/login/ and enter your organization's address. OKTA sends you your own OKTA Login screen, where you can access your account directly.

    OKTA_1.jpg
  2. Sign in to your OKTA administration account using your Username and Password credentials. The Launch Apps screen is displayed.

    OKTA_2.jpg
  3. Click <Admin> and then click Dashboard. The Dashboard screen is displayed.

    OKTA_3.jpg
  4. Click 2880570901.png Add Applications. The Add Applications screen is displayed.

    OKTA_4.jpg
  5. Click <Create New App>. The Create a New Application Integration screen is displayed.

    OKTA_5.jpg
  6. Select SAML 2.0 and click <Create>. The Create SAML Integration - General Settings screen is displayed.

    OKTA_6.jpg
  7. Add your chosen Service Provider application name into the App Name field (e.g., CxSAST via SAML).

  8. Click <Next>. The Create SAML Integration - Configure SAML screen is displayed.

    Notice

    For version 9.0, the Single Sign on URL must read https://checkmarx.corp.net/cxrestapi/auth/identity/samlAcs.

    OKTA_7.jpg
    • Single sign on URL is composed from the Checkmarx URL and “/cxrestapi/auth/samlAcs”, e.g., https://checkmarx.corp.net/cxrestapi/auth/samlAcs. This is the location where the SAML assertion is sent with a HTTP POST.

    • Audience URI (SP Entity ID) field should be populated with a unique SP identifier (a single IdP can support multiple services). By convention, Audience URI is the SP server URI, e.g., https://checkmarx.corp.net.

      Notice

      • The Entity ID must be identical in both the Service Provider and the Identity Provider.

      • Name ID parameter is required by CxSAST. This is the SAML name identifier of the user.

  9. Click <Next>, select I’m a Software Vendor. I’d like to integrate my App with OKTA option and then click <Finish>.

  10. Click Applications. The newly created application is displayed in the Applications screen.

    OKTA_77.jpg
Assigning Users to the Service Provider Application in OKTA

To assign users to the Service Provider Application in OKTA:

  1. On the Applications screen, click your application and then click the People tab. The People screen is displayed.

    OKTA_9.jpg
  2. Click <Assign to People>. The Assign <Application> to People screen is displayed.

    OKTA_10.jpg
  3. Assign a user to the application by clicking <Assign>.

  4. Click <Save and Go Back> to assign the next user.

  5. Repeat these two steps for each user.

  6. Click <Done> to save the changes.

    OKTA_99.jpg
  7. Confirm that each user has been assigned to the application.

Creating and Mapping User Attributes in OKTA

Even though most attributes are supported, First Name, Last Name and Email are mandatory attributes. These attributes are already defined (but not mapped) in OKTA. All remaining attributes are optional.

Creating Attributes in OKTA

To create attributes in OKTA:

  1. Click Directory and select 2880767861.png Profile Editor. The Profile Editor screen is displayed.

    OKTA_12.jpg
  2. Click < 2880800428.png Profile>for the new Checkmarx profile. The Profile screen is displayed.

    OKTA_13.png
  3. Click <2880570946.png Add Attribute>. The Add Attribute screen is displayed.

    OKTA_14.jpg
  4. On the Add Attribute screen, define and add the following attributes:

    Display Name

    Variable

    Data Type

    Required?

    Job

    Job

    String

    No

    Language

    Language

    String

    No

    Organization Tree

    Organization_Tree

    String

    Yes

    required for IdP Authorization only

    Is_Auditor

    Is_Auditor

    String

    Yes

    required for IdP Authorization only

    Role

    Role

    String

    Yes

    required for IdP Authorization only

    Role Attribute

    Role_Attribute

    String

    No

    required for IdP Authorization only

  5. Click <Save and Add Another> or <Add Attribute> accordingly.

Mapping User Attributes to the Service Provider (CxSAST)

To map user attributes to the service provider:

  1. Click Applications. The Application screen is displayed.

    OKTA_15.jpg
  2. Select the Application that you created (e.g., CxSAST via SAML) and click the General tab. The General screen is displayed.

    OKTA_16.jpg
  3. In the SAML Settings section, click <Edit>. The SAML Integration - General Settings screen is displayed.

    OKTA_17.jpg
  4. Click <Next>. The SAML Integration - SAML Settings screen is displayed.

    OKTA_18.jpg
  5. In the Attribute Statements section, define and add the following attributes:

    Name

    Name Forma

    Value

    Authorization Method

    First_Name

    basic

    user.firstName

    Manual and IdP Authorization

    Last_Name

    basic

    user.lastName

    Manual and IdP Authorization

    Email

    basic

    user.email

    Manual and IdP Authorization

    Job

    basic

    user.job

    Manual and IdP Authorization

    Phone

    basic

    user.primaryPhone

    Manual and IdP Authorization

    Cell Phone

    basic

    user.mobilePhone

    Manual and IdP Authorization

    Language

    basic

    user.language

    Manual and IdP Authorization

    Organization_Tree

    basic

    appuser.organizationTree

    IdP Authorization only

    Is_Auditor

    basic

    appuser.isAuditor

    IdP Authorization only

    Role

    basic

    appuser.Role

    IdP Authorization only

    Role_Attribute

    basic

    appuser.roleAttribute

    IdP Authorization only

    Notice

    For IdP Authorization, First_Name, Last_Name, Email, Organization_Tree, Is_Auditor and Role attributes are mandatory. For Manual Authorization, First_Name, Last_Name and Email are required. The remaining attributes are optional

    Notice

    For ADFS only:

    Below claim rule should be defined explicitly:

    • LDAP Attribute: SAM-Account-Name

    • Outgoing Claim Type: Name ID

  6. To add additional attribute fields, click <Add Another>.

    OKTA_19.png
  7. Once complete, click <Next>, select I’m a Software Vendor. I’d like to integrate my App with OKTA and then click <Finish>.

Adding Attributes to a Specific User

To add attributes to a specific user:

  1. Click Directory and select People. The People screen is displayed.

    OKTA_20.jpg
  2. Click Person & User Name. The selected user’s Profile screen is displayed.

    OKTA_21.jpg
  3. Click the Profile tab. The Profile screen is displayed.

    OKTA_22.jpg
  4. Click <Edit>.

  5. Once the Attribute fields become available for editing, enter a description for each attribute as outlinede in the table below.

  6. When done, click <Save> to save the changes.

Attributes

Description

First name

User’s first name (e.g., David)

Last name

User’s family name (e.g., Press)

Primary email

Primary email (e.g., [email protected])

Job

Job title (e.g., Software Engineer)

Primary phone

Primary contact telephone number (e.g., 77523632562)

Mobile phone

Contact mobile number (e.g., 052563256214)

Language

User’s preferred language (e.g., en-US (English – US) / zh-TW (Chinese - Traditional, Taiwan) / jp-JP (Japanese - Japan) / ko-KR (Korean - Korea) / zh-CHS (Chinese - Simplified))

Organization_Tree

User's organization according to the tree branch: \CxServer\SP\Company\Team

Notice

Can alsobe multiple attributes separated by ',' delimiter: e.g., \ CxServer\SP\Company1\User1,CxServer\SP\Company2\Team2

Is_Auditor

User's auditor rights (true/false)

Role

User's organizational role:

Organization_Tree > Role value Allowed

\CxServer > ServerManager

\CxServer\SP > SPManager

\CxServer\SP\Company > CompanyManager

\CxServer\SP\Company\Team or under > Scanner or Reviewer

Role_Attribute

User's role options:

  • AllowProjectAndScanDelete (Scanner role only)

  • AllowNotExploitable (Scanner role only)

  • AllowSeverityAndStatusChanges (Reviewer role only)

Notice

Can also be multiple attributes separated by ',' delimiter: e.g., AllowProjectAndScanDelete,AllowNotExploitable

Retrieving Identity Provider Setup Information

To retrieve information on the identity provider setup:

  1. Click Applications. The Applications screen is displayed.

    OKTA_23.jpg
  2. Select your Application, for example CxSAST via SAML.

  3. Once the Application screen is displayed, click Sign On. The Sign On screen is displayed.

    OKTA_24.jpg
  4. Click <View Setup Instructions>. The Setup Instructions screen is displayed.

    OKTA_25.jpg
  5. Click <Download Certificate>. The SAML certificate file (.cert) is downloaded to the default download directory. This file is used during the Configuration of SAML in CxSAST.

The following values are also used during the Configuration of SAML in CxSAST:

  • Identity Provider Single Sign-On URL, for example https://dev-396869.oktapreview.com/app/checkmarxdev238735_cxsast_1/exk7jivioeSb6n2EI0h7/sso/saml, is relevant to the Login URL field in the SAML Configuration in CxSAST.

  • Identity Provider Issuer , for example http://www.okta.com/exk7jivioeSb6n2EI0h7, is relevant to the Issuer (Identity Provider) field in the SAML Configuration in CxSAST.