Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Integrating Bitsight with ADFS

Avatar
Ingrid
Follow
Publication Date – February 23, 2021

About SAML with ADFS

Integrate and enable ADFS with the Bitsight Single Sign-on (SSO) platform service using SAML.

Getting Started

  • Claims Aware – When getting started with the Relying trust Wizard select claims aware.
  • At Select Data Source – Import data about the relying party published online or on a local network or import from file using the Bitsight metadata. The Bitsight Metadata file is found in the SAML page [ Settings ➔ SAML]. Your unique SAML metadata file URL will look similar to https://service.bitsighttech.com/saml/metadata/ or https://service.bitsighttech.com/saml/<GUID>. To save this file, right click the link and select Save as. This will save the file to your local computer that you can use to upload into ADFS.
  • Display Name – Use service.bitsighttech.com
  • Set permissions level – This option should be everyone or what is required by your organizations.
  • Create Claim Rule – The integration requires a claim rule name. Select to transform UPN to outgoing claim type Name ID and Outgoing name ID format Email.
  • Set Attributes – The attributes below include the UPN claim created earlier and the additional claim in URI format. (See the Basic SAML configuration table with name attributes).

Basic SAML configuration

  1. Enter the identifier entity ID - Identifier (Entity ID) -
  2. Enter the Reply URL
  3. Enter the Sign on URL – [ Settings ➔ SAML] Your Bitsight SP-initiated login URL
Detail Contents
Identifier (Entity ID) https://service.bitsighttech.com/saml/metadata/GUID
Reply URL (Assertion Consumer Service URL) https://service.bitsighttech.com/saml/acs/GUID
Sign on URL https://service.bitsighttech.com/sso/{{vanityNAME}}/

User and Attribute Claims

When entering the user an attribute claims, you must remove the Microsoft predefined claim names and define them specifically for Bitsight the steps and screenshots below demonstrate exactly how these should be and look.

  1. The nameidentifier value should be user.mail claim can be left with the existing name space
  2. Remove the claim name for given name and replace with urn.oid.2.5.4.3mapped to user.givenname
  3. Remove the claim name for las name and replace with urn.oid.2.5.4.4 mapped to user.surname
  4. Remove the claim name for mail and replace with urn:oid:0.9.2342.19200300.100.1.3 mapped to user.mail
Claim Name Value
urn:oid:2.5.4.3 user.givenname
urn:oid:2.5.4.4 user.surname
urn:oid:0.9.2342.19200300.100.1.3 user.mail

 

Optional Attributes (Not Required)

There are three additional attributes that can be specified however are not required for this integration using ADFS these items are optional only.

Full Name. This can be specified in place of the last name field if the user's name is not of the form, “Firstname Lastname.”

Name Name Format Value
urn:oid:2.16.840.1.113730.3.1.241 urn:oasis:names:tc:SAML:2.0:attrname-format:uri Full Name

User Role. This specifies the user's role in the Bitsight platform. This field is optional (in which case the user's role will be a standard user role, or left unchanged). Otherwise it must be one of these strings:

Ensure the string values are an exact match, including the spaces.

  • Customer User
  • Customer Admin
  • Customer Group Admin
  • Customer Portfolio Manager
Name Name Format Value
urn:oid:1.3.6.1.4.1.50993.1.1.2 urn:oasis:names:tc:SAML:2.0:attrname-format:uri User Role

User Group. This specifies the user's group. If the group does not already exist, it will be created (and will be empty initially). If this is not specified, then the customer's default group is used.

Name Name Format Value
urn:oid:1.3.6.1.4.1.50993.1.1.1 urn:oasis:names:tc:SAML:2.0:attrname-format:uri User Group

 

Signature has algorithm

The final step to the Bitsight ADFS implementation is the set the hash to SHA-1 algorithm. In this step the Secure hash algorithm is changed from SHA256 ( Default ) to SHA -1.

Downloading and Uploading Metadata

Once you have configured and saved the steps above you can now download the metadata XML from ADFS and upload this to the Bitsight SAML self service portal.

  1. Select Download Federation Metadata XML from your ADFS portal Under the category SAML Signing Certificate.
  2. Go to the Bitsight app SAML page [ Settings ➔ SAML].
  3. Select Load from URL in the SAML Metadata for your IdP section.
  4. Open the file Downloaded from Step 1.

SAML Instructions

  • After you've submitted your SAML metadata, you can enable SAML.
  • New users are automatically assigned the “User” role. Have them log in to Bitsight using SAML first, and then edit their role to give them different privileges. See Edit Existing Users for instructions.
  • When users are created using SAML, they are placed in the default access control group. Edit a user's group to move them to a different group. See Edit Existing Users for instructions.
  • If you no longer want to use single sign-on, see Disabling SAML.

Related articles