DeepSurface: SAML (Google)


DeepSurface can be configured to leverage a third-party identity provider (IdP) to authenticate users when they access the DeepSurface web management console. One option is to use Google as a SAML-based IdP, which is available with a G Suite subscription. Use the following steps to create a new DeepSurface Authentication Provider configuration to enable this integration.

  1. Create the Authentication Provider record in DeepSurface

    • Navigate to Setup > Authentication > Providers

    • Click the button "+ Authentication Provider" in the top-right of the screen

    • In the pop-up, select "SAML 2.0" in the drop-down

    • Fill in an appropriate label for this authentication provider (such as "Google")

    • Enter an appropriate value for the domain name of the "ASSERTION CONSUMER SERVICE URL" field. This domain name must match the one users will navigate to when accessing DeepSurface.

    • Click the "copy to clipboard" icon next to the ASSERTION CONSUMER SERVICE URL field to make a copy of this ACS URL. Paste this in a temporary location, such as a text editor, as we'll need this in later steps.

    • Do not enter any values in the METADATA XML at this stage. We'll come back to this in a minute.

    • Save the new authentication provider.

  2. Configure Google

    • Log in to G Suite's admin interface and navigate to Apps > Overview > Web and mobile apps.

    • Click the "Add App" dropdown and select "Add custom SAML app".

    • Enter a friendly name in the App name field, such as "DeepSurface". Select other options as appropriate and click Next.

    • Next, click the "Download Metadata" button and save this file for use in Step 3 below.

    • On the Google screen, enter the ASSERTION CONSUMER SERVICE URL you obtained in step 1 above into both the ACS URL and Entity ID fields. Do not modify any other fields, and then click Next.


    • On the fourth Google screen, you may click Finish without any other changes.

    • Next, you should arrive at a summary screen for your newly created SAML app. Click on the "User access" tile to grant users access to the DeepSurface application in Google. You may either enable the app for everyone, or use the panel on the left side to search for specific Google Groups or users and grant access to those groups and users selectively. Save your selections when completed.


  3. Finalize DeepSurface Authentication Provider

    • Return to the Setup > Authentication > Providers area in DeepSurface and edit the provider created in step 1.

    • Upload the metadata XML file obtained from Google in step 2, or paste its contents, into the METADATA XML field.

    • Save the updated authentication provider record.

  4. Create DeepSurface users associated with the Google authentication provider

    • In DeepSurface, navigate to Setup > Authentication > Users.

    • For any user who needs to log in via Google, create a user with exactly the same username they would use with Google. Be sure to select your newly created authentication provider in the dropdown at the top of the user editing pop-up.

  5. Optionally, enable Auto-Provisioning

    • If you enable auto-provisioning in DeepSurface, you do not need to create corresponding users in the DeepSurface console, and you can simply assign Google users to the DeepSurface application you just created. To use Auto-Provisioning, follow the instructions here.

  6. Test Google-based login

    • To test a DeepSurface user linked with a Google authentication provider, first log out of DeepSurface.

    • On the login form, enter the username of a user who should be authenticated against Google, and click Next.

    • You should now be redirected to Google. Log in with your Google credentials.

    • After successfully authenticating to Google, your browser should be redirected back to DeepSurface and you should be automatically logged in to the DeepSurface console.
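Before pasting the Google metadata into the METADATA XML field (step 3), it is worth confirming that the downloaded file actually contains an IdP entity ID, an HTTP-Redirect single sign-on endpoint and a signing certificate, and that the ACS URL from step 1 uses the console's own hostname over HTTPS. The Python below is an added example, not DeepSurface or Google code; the metadata it parses is a constructed sample with placeholder idpid and certificate values, and the ACS path /saml/acs is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like the metadata Google lets you download;
# the idpid and the certificate body are placeholders, not real values.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEIDPID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the IdP fields the service provider relies on (entityID, redirect SSO URL,
    signing certs); raise ValueError if any is missing, so a bad file is caught before upload."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("missing entityID or IDPSSODescriptor")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in idp.findall(cert_path, NS) if c.text]
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == HTTP_REDIRECT]
    if not certs or not sso:
        raise ValueError("no signing certificate or no HTTP-Redirect SSO endpoint")
    return {"entity_id": entity_id, "sso_url": sso[0], "signing_certs": certs}

def acs_url_matches_console(acs_url, console_host):
    """Step 1 requires the ACS URL host to be the name users browse to; insist on HTTPS as well."""
    parsed = urlparse(acs_url)
    return parsed.scheme == "https" and parsed.hostname == console_host.lower()
```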
