Identity Providers

Overview

SecureCloud supports SSO single signon using identity providers Microsoft Azure Active Directory and Okta. A user can log in to SecureCloud using their SSO credentials only after all the appropriate settings have been made in both the identity provider and SecureCloud.

What Can I See Here?

The page is split into two tabs:

  • Groups - Groups that have been created in the identity provider that contain the users you allow to log in to SecureCloud. Groups can be added only after you have entered valid credentials under the Configuration tab.
  • Configuration - the credentials needed by SecureCloud to access your identity provider.

Initially, the Groups tab is empty and the Configuration tab appears without credentials.

Once the credential settings have been configured they will be displayed on the screen and can be changed or deleted as required.

Prerequisites

Set up your identity provider. One of the following:

  1. Log into your Microsoft Azure account.

  2. Create a new app registration with the following properties:

    • App registration name = SecureCloud
    • Redirect URI = https://securecloud.tufin.io/auth/realms/<Account>/broker/azure-ad/endpoint, where <Account> is your account name
  3. Add a new client secret to the SecureCloud app registration.

  4. Make sure that the SecureCloud app registration has the API permission 'User.Read'. This might be added automatically when creating the app registration, but if not, add it manually.

  5. Add a token configuration groups claim to the SecureCloud app registration, specifying type security groups.

  1. In Okta, create a new application integration:

    • Sign on method: OpenID Connect

    • Platform: Web

    • Redirect URI = https://securecloud.tufin.io/auth/realms/<ACCOUNT>/broker/okta/endpoint

      where <ACCOUNT> is your SecureCloud account name.

  2. Enable groups claim for the application.

You will need the application ID and secret when configuring SecureCloud, together with each group's object ID.

What Can I Do Here?

Specify Credentials

  1. Select the Configuration tab.

  2. Click on Edit. The credentials window appears.

  3. If you want to clear credentials that have already been entered, click .

  4. Select your identity provider - Active Directory or Okta.

  5. Enter the appropriate values from your identity provider:

    • Tenant ID - Directory (tenant) ID
    • Application ID - Application (client) ID from your identity provider
    • Application Secret - Client secret value from your identity provider

  6. Click Connect. If the connection succeeds, the credentials will be saved.

Add a Group

  1. Make sure you have provided the correct credentials in the Configuration tab.

  2. Select the Groups tab.

  3. Click Add Group. The Add Group window appears.

  4. Enter the appropriate information to identify the group:

    • Group Name - for your own convenience, used only in SecureCloud

    • Group ID - The object ID of the required group from your identity provider

  5. Assign a role. One of the following:

    • Global Admin - unlimited access to all SecureCloud functions

    • Global Viewer - view-only access to all SecureCloud functions

    • Cloud Account Viewer - view-only access to all or selected public cloud accounts

    If role Cloud Account Viewer is selected, you must specify at least one account to which access is granted or specify All accounts.

    Additional roles can be added - click Add another role.

  6. Click Add. The group will be added to the list.

  7. Repeat if required for additional groups.

Edit/Remove a Group

  1. Click then select Edit group/Remove group.

How Do I Get Here?

Main Menu > Configuration > Identity Providers