DeepSurface: SAML (Azure Active Directory)

DeepSurface can be configured to leverage a third-party identity provider (IdP) to authenticate users when they access the DeepSurface web management console. One option is Microsoft's Azure Active Directory (Microsoft Entra ID), a SAML-based IdP that is available with an Azure subscription. Use the following steps to create a new DeepSurface Authentication Provider configuration that enables this integration.

  1. Create the Authentication Provider record in DeepSurface

    • Navigate to Setup > Authentication > Providers

    • Click the button "+ Authentication Provider" in the top-right of the screen

    • In the pop-up, select "SAML 2.0" in the drop-down

    • Fill in an appropriate label for this authentication provider (such as "Azure AD")

    • Enter the appropriate domain name in the "ASSERTION CONSUMER SERVICE URL" field. This domain name must match the one users will navigate to when accessing DeepSurface.

    • Click the "copy to clipboard" icon next to the ASSERTION CONSUMER SERVICE URL field to make a copy of this ACS URL. Paste this in a temporary location, such as a text editor, as we'll need this in later steps.

    • Do not enter any values in the METADATA XML field at this stage. We'll come back to this in step 3.

    • Save the new authentication provider.

  2. Configure Azure AD

    • Log in to Azure Portal and navigate to Microsoft Entra ID from the Azure services menu.

    • Click on "Enterprise Applications" in the left-hand menu and click the "+ New application" button.

    • It may be easiest to use a template to set up your first application. To do so, enter "SAML toolkit" into the search bar, click on the "Microsoft Entra SAML Toolkit" application, and give it a friendly name such as "DeepSurface".

    • Enter a friendly name in the App name field, such as "DeepSurface". Select other options as appropriate and click Next.

    • Once the app is created and you are on the app's setup screen, click on the "Single Sign On" menu item on the left.

    • You will see several panes. The first one to focus on is the "Basic SAML Configuration" pane; click the "Edit" icon in the top left of this pane to edit the details.

    • In the edit form, enter the ASSERTION CONSUMER SERVICE URL you obtained in step 1 above into the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Sign on URL fields. These fields are required. Do not modify any other fields.

    • Next, in the "SAML Signing Certificate" pane, locate the "Federation Metadata XML" download button and save that for use in step 3 below.

    • To add users to this application, click "Users and Groups" in the left menu, then click the "+ Add User/Group" button.

    • Click "None Selected" to bring up a list of all of your AD users, and select whichever ones you want to add to this application.

  3. Finalize DeepSurface Authentication Provider

    • Return to the Setup > Authentication > Providers area in DeepSurface and edit the provider created in step 1.

    • Upload or paste the Federation Metadata XML file obtained from Azure AD in step 2 into the METADATA XML field.

    • Save the updated authentication provider record.

  4. Create DeepSurface users associated with the Azure AD authentication provider

    • In DeepSurface, navigate to Setup > Authentication > Users.

    • For any user who needs to log in via Azure AD, create a user with exactly the same username they would use with Azure AD. Be sure to select your newly created authentication provider in the dropdown at the top of the user editing pop-up.

  5. Test Azure-based login

    • To test a DeepSurface user linked with an Azure AD authentication provider, first log out of DeepSurface.

    • On the login form, enter the username of a user who should be authenticated against Azure AD, and click Next.

    • You should now be redirected to Azure AD. Log in with your Azure AD credentials.

    • After successfully authenticating to Azure AD, your browser should be redirected back to DeepSurface and you should be automatically logged in to the DeepSurface console.
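As an added pre-flight check (not part of the DeepSurface documentation or product), the following Python script validates the two artifacts these steps exchange: the ACS URL from step 1 against the hostname users actually browse to, and the Federation Metadata XML downloaded in step 2 before it is pasted in step 3. The XML namespaces are the standard SAML 2.0 metadata ones; the `sts.windows.net` issuer check and the embedded sample metadata are assumptions modelled on Azure AD's format, with placeholder tenant id and certificate.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def check_acs_url(acs_url: str, console_host: str) -> list[str]:
    """Step 1: the ACS URL host must be the name users type to reach the console."""
    u = urlsplit(acs_url)
    problems = [] if u.scheme == "https" else [f"ACS URL is not https: {acs_url}"]
    if (u.hostname or "").lower() != console_host.lower():
        problems.append(f"ACS URL host {u.hostname!r} != console host {console_host!r}")
    return problems
def _is_der(b64: str) -> bool:
    """A DER-encoded X.509 Certificate always starts with a SEQUENCE tag (0x30)."""
    try:
        return base64.b64decode(b64, validate=True).startswith(b"\x30")
    except ValueError:
        return False
def check_idp_metadata(xml_text: str) -> list[str]:
    """Step 3: sanity-check Federation Metadata XML before pasting it into METADATA XML."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if root.tag != MD + "EntityDescriptor" or idp is None:
        return ["not SAML IdP metadata (no EntityDescriptor/IDPSSODescriptor)"]
    problems = []
    if not root.get("entityID", "").startswith("https://sts.windows.net/"):  # assumed Azure AD issuer form
        problems.append(f"entityID is not an Azure AD issuer: {root.get('entityID')!r}")
    # Signing cert: DeepSurface needs it to verify the signature on Azure AD's SAML responses.
    certs = [c.text.strip() for k in idp.findall(MD + "KeyDescriptor")
             if k.get("use", "signing") == "signing"
             for c in k.iter("{http://www.w3.org/2000/09/xmldsig#}X509Certificate") if c.text]
    if not certs:
        problems.append("no signing X509Certificate in metadata")
    problems += ["X509Certificate is not base64-encoded DER" for c in certs if not _is_der(c)]
    # Sign-on endpoints: where the browser is redirected during the login test; must be TLS-protected.
    sso = idp.findall(MD + "SingleSignOnService")
    problems += [f"SingleSignOnService is not https: {s.get('Location')!r}"
                 for s in sso if urlsplit(s.get("Location", "")).scheme != "https"]
    return problems

# Constructed sample in the shape of Azure AD Federation Metadata XML (placeholder tenant id, placeholder cert = DER bytes 30 03 02 01 01).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>MAMCAQE=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""
```

Run `check_idp_metadata(open("federationmetadata.xml").read())` on the real download; an empty list means the file is structurally usable, while any returned message points at a wrong file or a non-TLS endpoint that would break the login test.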

For more information, consider consulting the following:

Having trouble? Don't hesitate to contact support.