DeepSurface
Users on the DeepSurface console can be auto-provisioned using Microsoft Entra ID, leveraging the single sign-on configuration that should be set up as documented here.
After you have set up the Microsoft Entra ID SAML application and your existing users can log in with their accounts, do the following:
- Enable your Microsoft Entra ID authentication provider to be the assigned auto-provisioning candidate.

At this point, DeepSurface will allow users to automatically provision into the console; however, the users you have assigned to your SAML app in Microsoft Entra ID will only pass their email address as a user name to the console. You will need to add claims to your Entra ID SAML app.
Navigate back to the Azure Portal and select Microsoft Entra ID -> Enterprise Applications, then click on the SAML application you configured; select Single sign-on and click on the Edit link in the Attributes and Claims section.

The required attributes (claims) are created correctly out of the box, with the small exception that their 'Name Format' must be changed to 'Basic'. Click into each claim and set the Name Format drop-down to 'Basic'.

Role-based access control in DeepSurface requires passing a custom attribute from the Enterprise Application you created in the Azure Portal. To create a custom attribute, refer to the documentation provided by Microsoft. The attribute value must be one of the following: 'admin', 'report_manager', 'report_consumer'. It must map to the 'role' DeepSurface Console application attribute.
Email Address, Given Name, and Family Name will all be appropriately populated in the DeepSurface console when users log in using their 'Entra ID' username and are granted permissions to the SAML application you created in Azure.
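Before switching on auto-provisioning it is worth confirming, on a captured assertion, that the claims above arrive with the Basic name format and that the role value is one the console will accept, since that value decides the privileges a newly provisioned user gets. The following Python is an added example and not DeepSurface's or Microsoft's code: it parses only the AttributeStatement of an assertion (signature verification is left to the SAML library that receives the response) and reports anything that would break provisioning. The claim names for email, given name and family name are Entra ID's default WS-Fed style URIs and are assumed here to be what the console reads; the Basic format URI `urn:oasis:names:tc:SAML:2.0:attrname-format:basic` is assumed to be what Entra emits for 'Basic'; the sample assertion is constructed for the demonstration.

```python
"""Check a SAML assertion's attribute statement for the claims DeepSurface
auto-provisioning expects. Added example, not DeepSurface code. It does NOT
verify the assertion signature; run it only on assertions your SAML library
has already validated, or on test captures."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Assumption: these are the attribute names the console reads. The three URIs
# are Entra ID's default claim names; 'role' is the custom claim from the page.
REQUIRED = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "given name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "family name",
    "role": "role",
}
ALLOWED_ROLES = {"admin", "report_manager", "report_consumer"}


def extract_claims(assertion_xml: str) -> dict:
    """Return {attribute name: (name format, [values])} from an assertion.
    A missing NameFormat attribute means 'unspecified' per the SAML 2.0 core."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        fmt = attr.get("NameFormat", UNSPECIFIED_FORMAT)
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = (fmt, values)
    return claims


def check_claims(claims: dict) -> list:
    """Return a list of problems; an empty list means provisioning can proceed.
    Unknown or multiple role values are rejected rather than guessed at."""
    problems = []
    for name, label in REQUIRED.items():
        if name not in claims:
            problems.append(f"missing {label} claim ({name})")
            continue
        fmt, values = claims[name]
        if fmt != BASIC_FORMAT:
            problems.append(f"{label} claim NameFormat is {fmt!r}, expected Basic")
        if not any(values):
            problems.append(f"{label} claim has no value")
    if "role" in claims:
        _, roles = claims["role"]
        if len(roles) != 1:
            problems.append(f"role claim must carry exactly one value, got {len(roles)}")
        elif roles[0] not in ALLOWED_ROLES:
            problems.append(f"role {roles[0]!r} is not one of {sorted(ALLOWED_ROLES)}")
    return problems


def build_assertion(email: str, given: str, family: str, role=None,
                    name_format: str = BASIC_FORMAT) -> str:
    """Constructed, unsigned sample assertion used to exercise the checks."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}" NameFormat="{name_format}">'
                f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")
    names = list(REQUIRED)
    body = attr(names[0], email) + attr(names[1], given) + attr(names[2], family)
    if role is not None:
        body += attr("role", role)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0">'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    sample = build_assertion("jane.doe@example.com", "Jane", "Doe", "report_consumer")
    print(check_claims(extract_claims(sample)) or "claims OK")
```

Run it against an assertion captured from a test login (many SAML libraries and the browser's SAML tracer extensions expose the decoded response) and fix each reported problem in the Enterprise Application before enabling the provider as the auto-provisioning candidate.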