Skip to main content
Skip table of contents

Setting Up SAML 2.0 Single Sign-On (SSO)

LAST UPDATED: MAR 28, 2024

Software Requirements

Ensure your D3 SOAR version is 14.0.385 or higher.

Prerequisites

For the SAML service, you'll need:

  • Assertion Consumer Service URL (Reply URL): This is the SP's (Service Provider) endpoint URL where the IdP (Identity Provider) will send the SAML response after successful authentication. Typically, this is specific to your D3 VSOC/Admin login URL. For example, https://***.com/VSOC/login.aspx.

  • Entity ID: This unique identifier helps the IdP identify the SP. Generally, this is set to the Assertion Consumer Service URL.

For the D3 application, you'll need:

  • SAML Single Sign-On URL: This is the IdP's URL where the authentication requests and SAML responses are exchanged.

  • SAML Certificate: A SAML certificate in base64 format.

Configuring the D3 Application

When you complete the following configuration, here's how the system will behave:

  1. Users attempting to access the D3 application via the URL https://***.com/VSOC will need to input their D3 usernames. Direct access to the D3 application through https://***.com/VSOC/login.aspx is not permitted.

  2. Click 'Next', then proceed to the SAML single sign-on page. Afterward, input the email-password pair to proceed with the login.

  3. After the user is authenticated by the IdP and the SAML response is verified by the D3 application, they will gain access to the D3 application.

  4. Users are restricted from directly accessing the D3 Admin application and should instead navigate through the Advanced Settings within the VSOC application.

  5. If a user remains idle in the D3 application, they will be prompted after 115 minutes. If they fail to respond within 5 minutes, they will be automatically signed out and redirected to the D3 sign-out page. They can return to the application by clicking the "Return to Sign in" button.

  6. To enable complete sign-out for the client, set the LogoutSamlWithVSOC key to true in the appSettings for both VSOC and Admin applications. Also, set the SAMLLogOutUrl to the client's SAML sign-out URL. Following these settings, users will be redirected to the specified URL instead of the D3 sign-out page after being signed out.

Steps to Configure

Step 1 - Configure VSOC App Settings

Open Web.Config for the VSOC app and modify the authentication options and appSettings as shown.

  1. Modify authentication options:

CODE
<authentication mode="Forms">

    <forms loginUrl="D3Saml.aspx?reset=true" name="AuthCookie" timeout="140"

           path="/" requireSSL="false">

    </forms>

</authentication>
CODE
<add key="InactivityExpiry" value="120" />
<add key="TimeBeforeWarning" value="5" />

<add key="enableSAMLLogin" value="true" />
<add key="SAMLLogin" value="Login.aspx" />
<add key="SAMLExchangBaseUrl" value="" />
<add key="SAMLExchangeTargetUrl" value="login.aspx" />
<add key="SAMLLogOutUrl"
     value="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0" />
<add key="logoutSamlWithVSOC" value="false" />
<add key="SAML2.0" value="true" />
<add key="SAML2.0LogFolder" value="Log\SAML" />
<add key="SAML2.0Conigfile" value="SAML20\SAML.xml" />
  1. Then, modify the appSettings to confirm the sessionState options.

CODE
<sessionState mode="InProc" cookieless="false" timeout="300" />

READER NOTE

  • Set the value of forms.timeout to appSettings.InactivityExpiry + 20.

  • Ensure that the value of appSettings.SAMLExchangBaseUrl is set to an empty string.

  • Only set appSettings.logoutSamlWithVSOC to true if the client has provided a value for appSettings.SAMLLogOutUrl.

Step 2 - Configure Admin App Settings

Open Web.Config for the Admin app and modify the authentication options and appSettings as shown.

  1. Modify the authentication options:

CODE
<authentication mode="Forms">

    <forms name="MYWEBAPP.ASPXAUTH" loginUrl="login.aspx?RE=true" 

           timeout="140" path="/" requireSSL="false">

    </forms>

</authentication>
  1. Modify appSettings:

CODE
<add key="Session.TimeOut" value="130" />

<add key="enableSAMLLogin" value="true" />

<add key="SAMLLogin" value="Login.aspx" />

<add key="SAMLExchangBaseUrl" value="" />

<add key="SAMLExchangeTargetUrl" value="login.aspx" />

<add key="SAMLLogOutUrl"

     value="https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0" />

<add key="logoutSamlWithVSOC" value="false" />

<add key="SAML2.0" value="true" />

<add key="SAML2.0LogFolder" value="Log\SAML" />

<add key="SAML2.0Conigfile" value="SAML20\SAML.xml" />
  1. Then, confirm the sessionState options.

CODE
<sessionState mode="InProc" cookieless="false" timeout="300" />

READER NOTE

  • Set the value of appSettings.Session.Timeout to VSOC.appSettings.InactivityExpiry + 10

  • Ensure that the value of appSettings.SAMLExchangBaseUrl is set to an empty string.

  • Set the value of forms.timout to VSOC.appSettings.InactivityExpiry + 20.

Step 3 - Configure Application Pool

Verify the application pool settings and ensure VSOC and Admin applications use the same application pool.

  1. Confirm the application pool settings:

CODE
(General)
  Enable 32-Bit Applications: False
Process Model:
  Idle Time-out (minutes): 140
Recycling:
  Generate Recycle Event Log Entry:
    Application Pool Configuration Changes: True
    Isapi Reported Unhealthy:               True
    Manual Recycle:                         True
    Private Memory Limit Exceeded:          True
    Regular Time Interval:                  True
    Request Limit Exceeded:                 True
    Specific Time:                          True
    Virtual Memory Limit Exceeded:          True
  Regular Time Interval (minutes): 0
  Specific Times: (None)
  1. Configure VSOC and Admin applications to use the same application pool.

READER NOTE

Set the value of Idle Time-out to VSOC.appSettings.InactivityExpiry + 20

Step 4 - Configure SAML 2.0

You will need to adjust the configuration file, located at: <VSOC or Admin app path>\SAML20\SAML.xml.

assertionConsumerServiceUrl

The Assertion Consumer Service URL provided by the Service Provider (SP) where the Identity Provider (IdP) sends the SAML assertions after successful authentication. Must be set to D3 VSOC/Admin login URL.

target_url

SAML single sign-on URL. The IdP URL where the authentication requests and SAML responses are exchanged.

Cert

SAML certificate in base64 format.

EmailIDType

If the user name used to authenticate with the IdP is in email format but the user name in D3 is not in email format, set the value for EmailIDType to true.

Decompress

Set to true if the SAML response is compressed by the IdP.

Below is a sample SAML.xml for reference:

XML
<?xml version="1.0" encoding="utf-8" ?>

<root>

  <key name="assertionConsumerServiceUrl">

    <value>https://xxx.com/VSOC/Login.aspx</value>

  </key>

  <key name="issuer"><value>D3_VSOC</value></key>

  <key name="SignatureVerifyAll"><value>true</value></key>

  <key name="ReadSamlResponse"><value>false</value></key>

  <key name="IncludeSAMLRequest"><value>false</value></key>

  <key name="Decompress"><value>false</value></key>

  <key name="UrlDecode"><value>false</value></key>

  <key name="CompressMod"><value>2</value></key>

  <key name="WriteLog"><value>true</value></key>

  <key name="EmailIDType"><value>false</value></key>

  <key name="AssertionMustHaveSignature"><value>true</value></key>

  <key name="showResponseErrorMessage"><value>true</value></key>

  <key name="target_url">

    <value>https://launcher.myapps.microsoft.com/api/signin/xxx?tenantId=xxx</value>

  </key>

  <key name="Cert"><value>-----BEGIN CERTIFICATE-----

YIIC8DCCAdigAwIBAgIQUOGJN89ghLhHw1jGrlIUxjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQD

EylNaWNyb3NvZnQgQXp1cmUgRmVkZXJhdGVkIFNTTyBDZXJ0aWZpY2F0ZTAeFw0yMzA2MTkyMDI5

NDBaFw0yNjA2MTkyMDI4MzdaMDQxMjAwBgNVBAMTKU1pY3Jvc29mdCBBenVyZSBGZWRlcmF0ZWQg

U1NPIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA36pTH0TzUJDv

o5Lz0Wlj00r96ObMbhCt3S1aTJHiOdvV9M9jUEmP2V20ufZ5tQUbUPugAAhcIzBsZaEHpzb/fuAw

Uz5X9YZYGOVLk6NN0peyHIrJSOyvCUAYsh4seaY8oAa3056ckRi4OuioFOddKBkzeIVzTr62tIVC

5uybzkS30EMo1U2A6IYMANgL5aZtNLsyaGyepXsAOs286WIz9DTHWEH9EoEKVmyTYtYCmT+D4L9g

g0ntUMkE2H7s8CnZtllusib3fQsTQnLqN4a1AYCPxPuFEPqXAcBv52YKeCeuUTtTxPOTAiB0Mz9p

v0MylAtrTsmfkhrJkKPv9oISHQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQANZ2gIQa7SroxXw0A6

uB3TwYyG94PjnX4EecjIzX6cU4RJjqFyG+Ch0DekQSgVC3uziAk9egDVftRUU1fKfi/PSUETeC1B

yD9JM1u0/MPsNibKpNfedsrHDdFfThOuvV4LrhmRLLHN1aV0DgvS8qbi/RgFnx0qdSAOCouYc/40

rw/poAYNlmiVW/nFlFIsHRTeyEFF1kjA0B1CFKR/r1fTUsRQs+OqUILxwMn6MG+hdBwWCFbninw/

bxlnIyPgzeIxZmiMvgbJKaCfVTXOZL62OWV0byVJZ98p7OUGsMCykipAk1uisfZoCY2nQYtxDEA4

7sCF1ospSxGRsjTQ9Mwz

-----END CERTIFICATE-----</value>

  </key>

  <key name="SamlResponse"><value></value></key>

</root>

Appendix

SAML 2.0 Protocol for Azure AD

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.