DeepSurface: SAML (Okta)


DeepSurface can be configured to leverage a third-party identity provider (IdP) to authenticate users when they access the DeepSurface web management console. One option is to use Okta's service as a SAML-based IdP. Use the following steps to create a new DeepSurface Authentication Provider configuration that enables this integration.

  1. Create the Authentication Provider record in DeepSurface

    • Navigate to Setup > Authentication > Providers

    • Click the button "+ Authentication Provider" in the top-right of the screen

    • In the pop-up, select "SAML 2.0" in the drop-down

    • Fill in an appropriate label for this authentication provider (such as "Okta")

    • Enter an appropriate value for the domain name of the "ASSERTION CONSUMER SERVICE URL" field. This domain name must match the one users will navigate to when accessing DeepSurface.

    • Click the "copy to clipboard" icon next to the ASSERTION CONSUMER SERVICE URL field to make a copy of this ACS URL. Paste this in a temporary location, such as a text editor, as we'll need this in later steps.

    • Do not enter any values in the METADATA XML at this stage. We'll come back to this in a minute.

    • Save the new authentication provider.

  2. Configure Okta

    • Log in to your Okta portal and navigate to Applications > Applications > Create App Integration

    • Select SAML 2.0 and click Next

    • Enter a friendly name in the App name field, such as "DeepSurface". Select other options as appropriate and click Next.

    • On the Okta screen, enter the ASSERTION CONSUMER SERVICE URL you obtained in step 1 above into both the Single sign on URL and Audience URI (SP Entity ID) fields. Do not modify any other fields, and then click Next.


    • On the third Okta screen, answer the feedback questions as appropriate and click Finish.

    • Next, you should arrive at the new application's "Sign On" tab. In this area, find the link for "Identity Provider metadata" and download it. You may need to right click on the link and select "Save link as..." Store this in a file for use in Step 3 below.


    • Finally, navigate to the "Assignments" tab within this application. Use the "Assign" dropdown to select users or groups to assign to the application. This will grant those users or groups access to authenticate to DeepSurface within the Okta platform.

  3. Finalize DeepSurface Authentication Provider

    • Return to the Setup > Authentication > Providers area in DeepSurface and edit the provider created in step 1.

    • Upload or paste the XML file into the METADATA XML field, as obtained from Okta in step 2.

    • Save the updated authentication provider record.

  4. Create DeepSurface users associated with the Okta authentication provider

    • In DeepSurface, navigate to Setup > Authentication > Users.

    • For any user who needs to log in via Okta, create a user with exactly the same username they would use with Okta. Be sure to select your newly created authentication provider in the dropdown at the top of the user editing pop-up.

  5. Optionally, enable Auto-Provisioning

    • If you enable auto-provisioning in DeepSurface, you do not need to create corresponding users in the DeepSurface console, and you can simply assign Okta users to the DeepSurface application you just created. To use Auto-Provisioning, follow the instructions here.

  6. Test Okta-based login

    • To test a DeepSurface user linked with an Okta authentication provider, first log out of DeepSurface.

    • On the login form, enter the username of a user who should be authenticated against Okta, and click Next.

    • You should now be redirected to Okta. Log in with your Okta credentials.

    • After successfully authenticating to Okta, your browser should be redirected back to DeepSurface and you should be automatically logged in to the DeepSurface console.

Having trouble? Don't hesitate to contact support.