Exium SAML2 SSO Integration

Exium SAML2 SSO Integration

Exium’s Intelligent Cybersecurity Mesh provides secure access to distributed workforce and IoT devices, protecting businesses from malware, ransomware, phishing, denial of service, and botnet infections in one easy to use cloud service.

Exium supports different SAML integrations for SSO Authentications of users to login and use Exium Service.

  • Azure AD
  • Okta
  • Google
  • JumpCloud
  • PingIdentity
  • Duo

If any organisation has any other IDP which is not listed above can use Exium Generic SAML Integration as explained in this user guide.

SAML2 Exium integration handles users seamless access to Exium. Administrators can easily attach Exium security policy groups to SAML2 based IDP users. Unique features of this integration are

  • Simple steps to integrate SAML2 API with Exium
  • Push New Users from SAML2 IDP to Exium
  • Push User Deactivation from SAML2 IDP to Exium
  • Reactivate Users from SAML2 IDP to Exium
  • Single sign-on from SAML2 IDP to sign-on to Exium

This note explains how to configure SAML2 Exium application settings and Exium Workspace settings so that SAML2 based IDP Users can be synced with Exium Workspace in real time and SSO from SAML2 based IDP can be used to sign-on to Exium Service.

Following steps elaborate SAML2 API Integration with Exium

1. Select Generic SAML as Sign-in Option on Exium

To change Generic SAML as Sign-in option, Click on Settings tab on Admin Console on Exium partner portal as shown below.

 

Click on Profile tab in Profile page and copy Workspace name or ID as shown below. This is required for few IDPs to configure some unique key as SSO IDP Entity ID and IDP URL in next steps.

Click on Sign-in tab in Profile page and select Generic SAML. Copy SAML 2.0 SSO URL and SAML 2.0 SP Entity ID one after other to paste in SAML based IDP Exium app as explained in next step.

 

 

2. Create Exium app on SAML based IDP

In your SAML based IDP account, you can create Exium application by creating custom SAML app with required configuration settings. Following is the reference screenshots from JumpCloud. Actual app creation may vary based on SAML2 based IDP.

 

 

2.1 Add SSO Service Provider (SP) Details

Paste SP Entity ID (SAML 2.0 SP Entity ID on Exium Portal) and ACS URL (SAML 2.0 SSO URL on Exium Portal from Exium Portal(copied on step 1) in Custom Exium App created in console of SAML2 based IDP console. Also optionally you may need to enter Workspace name or ID (copied on step1) as IdP Entity ID.

Following is the reference screenshots from JumpCloud for entering SP Details. Actual entering of details may vary based on SAML2 based IDP.

2.2 Add Attribute Mapping (Optional, depends on IDP)

If SAML2 based IDP provides option to enter attributes section, click on add attribute, enter firstname under Service Provider Attribute Name and select First Name from drop down under Attribute Names.

Click on add attribute, enter lastname under Service Provider Attribute Name and select Last Name from drop down under Attribute Names.

After all details are entered as shown below, click on save or activate.

Following is the reference screenshots from JumpCloud for entering attribute mapping. Actual attribute mapping may vary based on SAML2 based IDP.

 

2.3 Download Identity Provider (IdP) Metadata

Some IDPs provide option to download to IdP Metadata XML file and some IDPs provide IdP Metadata as URL. Exium supports IDP Metadata as Content or as URL. Based on your IDP, you can copy either IdP Metadata URL or download XML Content.

Following is the reference screenshots from JumpCloud for downloading Metadata file. Actual IDP Metadata URL copy or download of Metadata file may vary based on SAML2 based IDP.

 

3. Update Metadata XML on Exium Portal

As a next step, Sign-in option on Exium Portal has to be saved by filling-in SAML 2.0 IDP Metadata XML Content/URL. As explained in step 2.3, If the IDP provides Metadata URL, you can paste the RL or if the IDP Provides download of Metadata file, you can copy the contents and paste. Finally click Save.

 

 

4. Assigning User Groups/Users on IDP

As a next step, you can assign user groups to Exium app on SAML2 based IDP. This can be done whenever you wish to add more users or groups to Exium app.

Following is the reference screenshots from JumpCloud for Adding User groups. Actual assignment may vary based on SAML2 based IDP.

 

 

 

5. Verify SSO on Exium Agent

To Verify successful SSO Integration you can download Exium agent received in welcome mail and Copy Workspace name as shown below.

 

After Exium agent is successful installed, enter Workspace name (copied from welcome mail) and Click on Continue as shown below.

 

Since this workspace is integrated with SAML2 based IDP, Exium agent opens a browser window for SAML2 based IDP SSO authentication. On Successful SSO authentication, User gets logged in to Exium and can connect to Exium.

6. Verify SSO on Exium Service URL

If you are part of admin group, you can access admin console through SSO. you can press your workspace name on service portal by entering the workspace name. Browser opens one more tab for SAML2 authentication. (Note: Some browsers block popups. You need to allow the popup to allow one more tab to be opened to take SAML2 authentication).

 

After successful authentication, it’ll show the message that “User is successfully Verified.” You can close the tab, then you’ll be in admin console in the original tab where you have entered workspace name. If the SSO verified user is not part of admin user, it gives an error that you don’t have access.

7. Check Users on Exium 

All the users assigned to Exium app are synced through SAML to Exium service when they login to service. On Exium Admin Console, Click on Users box. Under Users page, you will see all the assigned users (with associated groups) are synced from SAML2 based IDP to Exium.

If you have any issue during integration, contact us at support@exium.net or raise a ticket on https://exium.net/help-center/

If you would like to see how Exium can help defend your organisation, contact us at hello@exium.net