Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Bitsight-AZURE Integration Guide

Avatar
Ingrid
Follow
  • April 21, 2023: Lowercase “s” for “Bitsight.”
  • February 27, 2023: Added the SAML sign-in process.
  • April 26, 2022: Minor corrections; Added directory to sections.

The cloud IDP service by AZURE, a cloud version of an Active Directory Federation Service (ADFS), integrates with the Bitsight platform single sign-on (SSO) service. Refer to the following guide to integrate the Bitsight platform single sign-on (SSO) service with the AZURE cloud IDP service.

Getting Started

  1. Start the SAML Sign on method from the Azure dashboard.
  2. Go to the Azure Active Directory from the left navigation menu.
  3. Select the Enterprise Applications option.
  4. Create a new Non-gallery application.
  5. Select the SAML sign-on method.

Basic SAML Configuration

  1. Go to the SAML page in the Bitsight platform.
  2. Take note of your organization’s Entity ID [entity_guid] and Assertion Consumer Service URL [acs_guid].
  3. Add the following information to the Basic SAML Configuration section in Azure:
    *Required.
    Field Value
    Identifier (Entity ID) https://service.bitsighttech.com/saml/entity_guid
    Reply URL (Assertion Consumer Service URL) https://service.bitsighttech.com/saml/acs/acs_guid
    Sign on URL https://service.bitsighttech.com/sso/vanity_name

User Attributes & Claims

Select the Edit button at the top-right of the User Attributes & Claims section. Be sure to remove the Microsoft predefined claim names and define them specifically for the Bitsight platform.

Claim name Value
Unique User Identifier (Name ID) user.mail
urn:oid:0.9.2342.19200300.100.1.3 user.mail
urn:oid:2.5.4.3 user.givenname
urn:oid:2.5.4.4 user.surname

Refer to the following conditions for the Manage claim page:

*Required.

Field Value
Name

URI identifier.

Example: urn:oid:0.9.2342.19200300.100.1.3
Namespace Leave blank.
Source Attribute
Source attribute user.mail

Optional Attributes (Not Required)

Format: urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Attribute/Value Description Name
Full Name This can be specified in place of the last name field if the user’s name is not of the form, “Firstname Lastname.” urn:oid:2.16.840.1.113730.3.1.241
User Group This specifies the user’s group. If the group does not already exist, it will be created and will initially be empty. If not specified, the default group is used. urn:oid:1.3.6.1.4.1.50993.1.1.1
User Role

This specifies the user’s role in the Bitsight platform. The user’s role will be a standard user role. Otherwise, it must be one of these strings:

Ensure the string values are an exact match, including the spaces.

  • Customer User
  • Customer Admin
  • Customer Group Admin
  • Customer Portfolio Manager
 urn:oid:1.3.6.1.4.1.50993.1.1.2

Downloading and Uploading Metadata

Once you have configured SAML and configured the user and attribute claims, you can now download the metadata from Azure (.xml) and upload it to the Bitsight platform.

  1. Select the Download link by the Federation Metadata XML option in the SAML Signing Certificate section in Azure.
  2. Navigate to the SAML page in the Bitsight platform.
  3. Select the Load from URL button within the SAML Metadata section.
  4. Select the XML file downloaded from Azure (step 1).

SAML

After you’ve submitted your SAML metadata, you can enable SAML by activating the Enable Configuration toggle.

Once you’ve enabled SAML for your organization and a user has logged in successfully with SAML, all existing passwords will be disabled for non-administrator users. Users will have to log into the Bitsight platform using the single sign-on URL provided on the SAML page. Administrators’ passwords will be disabled once they have logged in successfully using SAML.

Your URL will appear in the Your SAML Identity Provider (IdP) Settings for Primary section once SAML is enabled, which will contain either the Service Provider-initiated URL or an Identity Provider-initiated URL if a custom one was configured.

Signing In

SAML users must use the sign-on URL to log in. Using past credentials on the Bitsight landing page will generate an error.

  1. Once SAML setup is complete, sign in to Azure using SSO to verify user permissions.
  2. Visit the sign-on URL: https://service.bitsighttech.com/sso/vanity_name

Created Users

New users are automatically assigned the User role. If you would like to give them admin privileges, they will need to first log in to the Bitsight platform using SAML. You (the admin) can then use the Users tab in the Access Control page to change their permissions.

Default Access Control Group

When users are created using SAML, they will be placed in the default access control group. If a default group is not set, new users will have access to all companies in the portfolio.

The default group for your portfolio can be changed from the Groups tab in the Access Control page.

Managing Access Control Groups

If you’d like to move a user from their default access control group to a different group, use the Access Control page to modify a user’s group.

Disabling SAML

If you decide you no longer want to use single sign-on for accessing the Bitsight platform, you can deactivate it using the Enable Configuration toggle.

Disabling SAML will require all users, including administrators, to reset their passwords. They can reset their password using the Forgot your password? link in the login page.

Resource

Bitsight SAML Documentation

Related articles