
Login Authentication Configuration Guide

LAST UPDATED 06/19/2024

Introduction

This manual aims to guide readers in configuring login methods using the D3 Login Authentication interface. Through this interface, users can set up various login methods, including basic General Authentication (username and password on the D3 vSOC login page), as well as Identity Provider (IdP) methods like Active Directory (AD) login and SAML login. Here, users can assign specific login methods to individual users or sites.

For Managed Security Service Providers (MSSPs), each site corresponds to a customer. Due to the need for maintaining data isolation between these customers and meeting unique security requirements, it is practical to configure different Single Sign-On (SSO) login methods for each site.

In enterprises, each site typically represents different business departments or service lines – it is less common to have varied login methods. It is more customary to configure login methods based on users.

If you choose to receive assistance during the setup process, D3's support team will access your SOAR application using D3's SSO for configuration. Thereafter, enterprise users will be able to use their own SSO login methods via an assertion consumer service (ACS) URL.

Login Authentication - Certificate Tab

Navigating to the Login Authentication UI

  1. Navigate to the Configuration page.

  2. Click on the Application Settings menu item, then click on Login Authentication.

Adding a New Login Method

  1. Click on the + New Certificate button to render the New Auth form popup.

  2. Enter a unique name for the login method in the Auth Name input field.

READER NOTE

D3 recommends the following naming convention:
<Authentication protocol>-<Identity provider>-<D3 Subdomain>

  1. Select a login method in the Auth Type dropdown field.

  2. Configure the necessary parameters.

  3. Ensure the following information is available for the setup:

    1. Target URL: This is an embedded link obtained from an IdP like Microsoft Entra ID, Okta, or Google. It is used by the Assertion Consumer Service URL to redirect users to the IdP's login page for authenticating into D3 vSOC.
      Different IdPs have different names for this URL. For example, Microsoft Entra ID calls it “User access URL”, whereas Okta calls it “Single Sign-On URL”.

    2. Assertion Consumer Service URL: This is the D3 vSOC login page link. It is generated by D3 and sent to D3 customers. It uses the Target URL to redirect users to the IdP's login page for authenticating into D3 vSOC. It conforms to the following format:

      https://<subdomain>.<domain/server IP>/<application path>/VSOC/Login.aspx?

      e.g. https://demo.d3securityonline.net/MainAppV2/VSOC/Login.aspx?

      e.g. https://10.0.0.2/demopath/VSOC/Login.aspx?

    3. Certificate: This is the base64 certificate provided by your preferred SSO platform to allow the D3 vSOC application to communicate with the SSO IdP.

READER NOTE

Different IdPs have different names for this certificate. For example, Microsoft Entra ID calls it “Certificate (Base64)”, whereas Okta calls it “X.509 Certificate”.

Ensure that an IdP user is created and assigned to the IdP’s SSO application.

READER NOTE

Different IdPs have different names for their SSO application. For example, Microsoft Entra ID calls it an “Enterprise application”, whereas Okta calls it “SAML Integration”.

  1. Click on the Save button at the bottom of the form.

  2. Click on the Save button on the right hand side of the Login Authentication banner.

Managing Existing Login Methods

The table within the Certificate tab displays all of your configured login methods, with columns for Auth Name, Usage, and Auth Parameters.

Usage

Shows the number of users and sites currently using each login method.

Auth Parameters

Click on the Advanced Settings button to modify a corresponding login method configuration.

Default Login Method

Use the dropdown menu to select the default login method, which will be automatically applied upon meeting certain criteria (refer to the How Login Method is Determined section). The Default Login Method is initially set to General Authentication, which does not involve any IdPs and requires the user to enter their D3 vSOC username and password on the D3 vSOC login page.

Login Authentication - Site Tab

Assigning Login Methods to Sites

Individual Assignment

  1. Select your desired login method in the dropdown menu underneath the Login Method column.

  2. Click on the Save button.

Bulk Assignment

You have the option to select multiple sites individually, or to select them all at once. If no Login Method is selected, the default login method will be applied to all sites.

Individual Site Selection
  1. Use the checkboxes to select your desired sites.

  2. Click on the X Selected button to render the list of login methods.

  3. Choose the login method for all the selected sites.

  4. Click on the Save button.

Universal Site Selection
  1. Click on the Select All button.

  2. Click on the X Selected button to render the list of login methods.

  3. Choose the login method for all the selected sites.

  4. Click on the Save button.

Login Authentication - User Tab

Assigning Login Methods to Users

Individual Assignment

  1. Select your desired login method in the dropdown menu underneath the Login Method column.

READER NOTE

After you select a login method for a user, logging in with the redirect link provided by your identity provider (i.e., “App Embed Link” for Okta, or “User access URL” for Entra ID) automatically redirects you to vSOC, already logged in.

  2. Click on the Save button.

Bulk Assignment

You have the option to select multiple users individually, or to select them all at once. If no Login Method is selected, the default login method will be applied to all users.

Individual User Selection
  1. Use the checkboxes to select your desired users.

  2. Click on the X Selected button to render the list of login methods.

  3. Choose the login method for all the selected users.

  4. Click on the Save button.

Universal User Selection
  1. Click on the Select All button.

  2. Click on the X Selected button to render the list of login methods.

  3. Choose the login method for all the selected users.

  4. Click on the Save button.

How Login Method is Determined

When a user attempts to log in, the D3 system follows a particular sequence to determine the appropriate login method. The below diagram illustrates this sequence.

First, the system checks whether the login method is set under the "User" tab.

  • If it is, the system uses the login method set for that user.

  • If the login method is not set under the "User" tab, the system checks how many sites the user attempting to log in belongs to.

If the user belongs to only one site, the system checks whether the login method for the user's site is set under the "Site" tab.

  • If it is, the system uses the login method set for that site.

  • If the login method is not set under the "Site" tab, the system uses the default login method.

If the user belongs to two or more sites, the system checks the status of the user's login preferences. Follow the below steps to select your preferred site.

  1. Click on your D3 profile icon, then click on the My Preferences option.

  2. Click on the Edit button underneath the Login Preferences section.

  3. Click on the dropdown menu, then select your preferred site.

  4. Click on the Save button.

  • If the preferences are set for a particular site, the system checks whether the login method for the user's site is set under the "Site" tab.

  • If the preferences are not set, or are set for "All client sites" or "All internal sites," the system uses the default login method.
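
The sequence above, written out as an added example (not D3's own code) that can be run against an export of user and site assignments to list which accounts end up on the default method. The User fields, site names and method names are constructed for illustration; treating a preferred site with no login method as a fall-through to the default is an assumption, since the page only states that outcome for single-site users.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_METHOD = "General Authentication"  # initial default per the page
NON_SPECIFIC = {"All client sites", "All internal sites"}

@dataclass
class User:
    name: str
    sites: list                           # sites the user belongs to
    user_method: Optional[str] = None     # User tab assignment, if any
    preferred_site: Optional[str] = None  # My Preferences > Login Preferences

def resolve(user, site_methods, default=DEFAULT_METHOD):
    """Return (login method, source); source is 'user', 'site' or 'default'."""
    if user.user_method:                       # 1. User tab assignment wins
        return user.user_method, "user"
    if len(user.sites) == 1:                   # 2. single site: check that site
        site = user.sites[0]
    elif user.preferred_site and user.preferred_site not in NON_SPECIFIC:
        site = user.preferred_site             # 3. multi-site, specific preference
    else:                                      #    preference unset or non-specific
        return default, "default"
    method = site_methods.get(site)
    # Assumption: a preferred site with no method set falls back to the
    # default, as the page states for the single-site case.
    return (method, "site") if method else (default, "default")

def default_fallbacks(users, site_methods, default=DEFAULT_METHOD):
    """Names of users who resolve to the default rather than an assigned method."""
    return [u.name for u in users
            if resolve(u, site_methods, default)[1] == "default"]

# Constructed sample data; method names follow the page's naming convention.
SITE_METHODS = {"site-a": "SAML-EntraID-demo"}   # site-b has no method set
USERS = [
    User("alice", ["site-b"], user_method="SAML-Okta-demo"),
    User("bob", ["site-a"]),
    User("carol", ["site-b"]),
    User("dave", ["site-a", "site-b"], preferred_site="site-a"),
    User("erin", ["site-a", "site-b"], preferred_site="All client sites"),
    User("frank", ["site-a", "site-b"]),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, *resolve(u, SITE_METHODS))
    print("on default:", default_fallbacks(USERS, SITE_METHODS))
```

When the default is General Authentication, every name in the fallback list is an account that still signs in with a vSOC password instead of going through the IdP.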

FAQ

I am having trouble logging in. How do I configure the usernames for D3 vSOC and my identity provider (Okta, Entra ID, Google, ADFS, etc.) to ensure proper login functionality?

What your D3 username should be is determined by the SAMLEmailIDType configuration key found in Application Settings > Web Config in vSOC. Here are the scenarios:

  • If SAMLEmailIDType is set to True:

    • If the vSOC username is the local part of the email (e.g., "abc" in abc@example.com), you will be able to log in using your entire email address via your identity provider.

    • If the vSOC username is the full email address (including the @ symbol and domain), or any other string, you will be unable to log in via your identity provider.

  • If SAMLEmailIDType is set to False:

    • If the vSOC username is an email address, you will be able to log in to D3 vSOC using your entire email address via your identity provider.

    • If the vSOC username is the local part of the email, you cannot log in via your identity provider.
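
A pre-change check built on the scenarios above, as an added example (not D3's own code): given pairs of vSOC username and the email the IdP asserts, it reports which accounts would fail IdP login under each SAMLEmailIDType value and what the username would need to be. The function names and sample accounts are constructed; the exact, case-sensitive comparison is an assumption, and non-email usernames under False, which the page does not cover, are treated as mismatches.

```python
def expected_vsoc_username(idp_email, saml_email_id_type):
    """vSOC username that matches this IdP email under the given key value."""
    local, sep, domain = idp_email.partition("@")
    if not (local and sep and domain):
        raise ValueError(f"not an email address: {idp_email!r}")
    # True  -> vSOC username must be the local part ("abc")
    # False -> vSOC username must be the full address ("abc@example.com")
    return local if saml_email_id_type else idp_email

def sso_mismatches(accounts, saml_email_id_type):
    """Map each vSOC username that would fail IdP login to the name it needs.

    accounts: iterable of (vsoc_username, idp_email) pairs.
    Assumption: exact, case-sensitive comparison (the page does not say).
    """
    out = {}
    for vsoc_username, idp_email in accounts:
        needed = expected_vsoc_username(idp_email, saml_email_id_type)
        if vsoc_username != needed:
            out[vsoc_username] = needed
    return out

# Constructed sample accounts: (vSOC username, email asserted by the IdP).
ACCOUNTS = [
    ("abc", "abc@example.com"),
    ("def@example.com", "def@example.com"),
    ("soc-analyst", "ghi@example.com"),
]

if __name__ == "__main__":
    for flag in (True, False):
        print(f"SAMLEmailIDType={flag}:", sso_mismatches(ACCOUNTS, flag))
```

Running it for both values before changing the key shows which accounts a flip would lock out of IdP login.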
