Single Sign-On (SSO)

OpenID Connect Integration

Create new application on IDP site for MetaDefender Core

We selected Okta IDP (https://www.okta.com/) as a supported IDP to demonstrate OIDC integration with MetaDefender Core.

1.) Sign in Okta site, and navigate to admin dashboard

2.) Add an application, select “Web” application type, and choose “OpenID Connect” for Sign on method

Making sure the new created application in ACTIVE list (e.g. Okta_OpenId)

Access to the new created application (e.g. Okta_OpenId), navigate to “General” tab, create a new secret if not existed:

Once done, expecting to have ClientID and Client secret created:

On MetaDefender Core management console, create a new user directory for SSO
  • In “IDENTIFY PROVIDER” section:
  • Fill up “Client ID” and “Client Secret” matched to what generated in IDP console:
  • On MetaDefender Console current display, type your MetaDefender Core address in “HOST OR IP” field

and a login redirect URL will be auto generated by MetaDefender Core, you will want to copy the full link to proceed:
  • Switching to Okta IDP console, paste the login redirect URL and also input the Initiate login URI

“USER IDENTIFIED BY” field:

  1. Username can be constructed by claims under profile scope
  2. Claim variable is specified by syntax ${<claim-name>}

Notes: Supported claims under profile scope are IDP specified. Please review IDP document for more details. For example, for Okta: https://developer.okta.com/blog/2017/07/25/oidc-primer-part-1
  • In “USER ROLE” section, you are supported to choose default role to map an existing MetaDefender Core local role:

Or create a custom role mapping based on RegEx:
  • Hit “ADD” button to finish creating new SSO user directory, by default the new created user directory is disabled:

You may want to enable it for SSO login fashion

Warning: This action will auto forcefully logout all current active users

Sign on using IDP authentication

Now hitting “LOGIN” button on MetaDefender Core management console upon created SSO user directory, it will auto redirect you to Okta IDP login page as expected:
  • Logged in successfully will help you are redirected back to MetaDefender Core management console:

SAML Integration

Create new application on IDP site for MetaDefender Core

We selected Okta IDP (https://www.okta.com/) as a supported IDP to demonstrate SAML integration with MetaDefender Core.

  1. Sign in Okta site, and navigate to admin dashboard
  1. Add an application, select “Web” application type, and choose “SAML 2.0” for Sign on method

Proceeding to “Configure SAML” step on SAML integration configuration, and keep this page on-hold, we need to generate some data from MetaDefender Core management console before getting back to this page later.

On MetaDefender Core management console, create a new user directory for SSO

  • Navigate to Settings > User Management
  • On “USER DIRECTORIES” tab, hit “ADD NEW USER DIRECTORY” button
  • Choose “Security Assertion Markup Language (SAML)” option for “USER DIRECTORY TYPE”
  • Type directory name at your choice
  • In “IDENTIFY PROVIDER” section, hit “FETCH” button to input IDP’s SAML designated metadata API URL (e.g. Okta could be found at https://developer.okta.com/docs/guides/add-an-external-idp/saml2/configure-idp-in-okta/)
  • In “SERVICE PROVIDER” section:
  • On MetaDefender Console current display, type your MetaDefender Core address in “HOST OR IP” field

and a login redirect URL will be auto generated by MetaDefender Core, you will want to copy the full link to proceed:
  • Switching to Okta IDP console, paste the single sign on URL and also input Audience URI, check “Use this for Recipient URL and Destination URL” option

“USER IDENTIFIED BY” field:

  1. Username can be constructed by attributes set by IDP, or
  2. Defined by customer on IDP site

Please review IDP document for more details. For example, for Okta: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm
  • In “USER ROLE” section, you are supported to choose default role to map an existing MetaDefender Core local role:

Or create a custom role mapping based on RegEx:
  • Hit “ADD” button to finish creating new SSO user directory, by default the new created user directory is disabled:

You may want to enable it for SSO login fashion

Warning: This action will auto forcefully logout all current active users

Sign on using IDP authentication

Now hitting “LOGIN” button on MetaDefender Core management console upon created SSO user directory, it will auto redirect you to SAML IDP login page as expected:
  • Logged in successfully will help you are redirected back to MetaDefender Core management console:

Backup Login

MetaDefender Core provides a backup login page to cover following circumstances:

  • Mis-configured with SSO user directory, and now it locks everyone (including local admins themselves) out of MetaDefender Core management console access
  • Provide local admin users an method to disable SSO authentication

URL: <MetaDefender Core server address>:<port>/#/public/backuplogin

For example: http://192.168.200.143:8008/#/public/backuplogin

Note: This URL is only available and accessible only when at least one SSO user directory enabled.
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Engines Update Configuration
On This Page
Single Sign-On (SSO)OpenID Connect IntegrationCreate new application on IDP site for MetaDefender CoreOn MetaDefender Core management console, create a new user directory for SSOSign on using IDP authenticationSAML IntegrationCreate new application on IDP site for MetaDefender CoreOn MetaDefender Core management console, create a new user directory for SSOSign on using IDP authenticationBackup Login