Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Configure OCI Identity and Access Management as an SSO Source for the Rapid7 Command Platform
Introduction
Oracle Cloud Infrastructure (OCI) is Oracle’s cloud computing platform that offers a comprehensive set of cloud services, including computing, storage, networking, databases, and identity management. OCI is designed for both traditional applications and newer cloud-native workloads, providing scalability, security, and performance at various service levels. OCI also supports a robust identity and access management (IAM) system that includes features like SAML to enable single sign-on (SSO) for enhanced security and user convenience. OCI’s SAML-based identity federation allows enterprises to integrate with external identity providers, streamlining user access across various OCI resources.
Rapid7 is a leading provider of cybersecurity solutions, focusing on threat detection, vulnerability management, and incident response. With tools like InsightIDR and InsightVM, Rapid7 enables organizations to detect and manage vulnerabilities across their infrastructure, including cloud environments. Rapid7’s SAML integration feature simplifies authentication by allowing organizations to connect with identity providers like OCI. This connection empowers users with single sign-on capabilities, improving security by reducing password dependency while also enabling seamless access to Rapid7’s security tools and insights.
This tutorial walks through the tasks to configure Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as a Single Sign-On (SSO) source for the Rapid7 Command Platform using Security Assertion Markup Language (SAML) 2.0. This allows you to use OCI IAM to manage user authentication for Rapid7 Command Platform.
Audience
OCI IAM professionals and Rapid7 administrators.
Objectives
- Integrating OCI with Rapid7 through SAML allows organizations to leverage OCI’s identity management capabilities while ensuring secure access to Rapid7’s security platform. This setup enhances user experience through SSO and supports stronger security practices by centralizing identity management across both platforms. It allows IT and security teams to manage identities effectively, track access, and improve security posture across their cloud and security environments.
Prerequisites
- Administrator access to an OCI tenancy and Rapid7 Command Platform.
Task 1: Configure SSO Settings in Rapid7 Command Platform
In this task, we will configure SSO settings using SAML 2.0 in the Rapid7 Command Platform.
- To access the SSO Settings, follow the steps:
  - Go to the Rapid7 Command Platform homepage and click the Administration link.
  - Click the settings icon.
  - Click Authentication Settings and SSO Settings.
- Select Other from the Select your Identity Provider (IdP) drop-down menu.
  Note: We will upload the IdP certificate later, after completing Task 2.
- Copy the Assertion Consumer Service (ACS) URL, Audience (EntityID) and Relay State URLs. Once done, go to Task 2.
- Copy the Entity ID and SingleSignOnService URL from the metadata downloaded in Task 2 and use them as the Issuer URL and Single Sign-On URL respectively in the Configured Insight Platform section.
  Note: The format of the single sign-on URL is https://idcs-##############.identity.oraclecloud.com/fed/v1/idp/sso.
- Upload the IdP Certificate.
- Set up a Default Access Profile that new users should be assigned. After you set up this default access profile, it is automatically assigned to all new user accounts created through your OCI IAM. Access for existing user accounts is not affected.
- Enable IdP user group synchronization. Synchronizing OCI IAM groups with the Rapid7 Command Platform allows your OCI IAM to govern Rapid7 Command Platform user group membership. OCI users assigned to IdP groups are automatically assigned to matching user groups in the Rapid7 Command Platform. Users assigned in this way inherit all defined product, role, and data permissions as long as they remain part of the original IdP group.
- Click Yes to enable SSO through the external IdP.
- Click Download to download the SP's Metadata.
- Extract the X509Certificate from it to create a .pem file.
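The last step, pulling the X509Certificate out of the downloaded SP metadata and writing it as a .pem file, as an added Python example (not part of the Oracle tutorial and not Rapid7 or OCI tooling). The metadata document, entityID and certificate bytes are constructed placeholders; it skips KeyDescriptors marked for encryption, which the IdP does not need.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

# Standard namespaces for SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder DER bytes, not a real certificate"
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_B64[:40]}
        {_B64[40:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def extract_signing_certs_pem(metadata_xml):
    """Return the PEM form of each signing certificate in SP metadata.
    KeyDescriptors marked use="encryption" are skipped; a KeyDescriptor with
    no use attribute serves both purposes, so it is kept."""
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())        # drop wrapping/indent
            der = base64.b64decode(b64, validate=True)      # reject non-base64 junk
            body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems

def pem_to_der(pem):
    """Inverse of the above, for checking that a written .pem file round-trips."""
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)
```

To use it on the real download, pass the contents of the SP metadata file to extract_signing_certs_pem and write the returned string to a .pem file.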
Task 2: Create a SAML Application in OCI IAM Identity Domains
We will create a SAML application in the respective OCI IAM Identity Domains. This is necessary to establish a secure communication link between OCI IAM and the Rapid7 Command Platform using the SAML 2.0 protocol for SSO.
- Log in to the OCI Console, go to Identity & Security and click Domains.
- Select your domain, click Integrated Applications, then Add Application, select SAML application and click Launch Workflow.
- Enter the Name and Relay State for your application and click Next.
- In the Configure single sign on section, enter the Entity ID and Assertion consumer URL, select Name ID format as Unspecified and Name ID value as Username, and upload the Signing certificate downloaded from the Rapid7 console.
  Note: Once SSO is configured in the Rapid7 Command Platform, the certificate can be extracted from the downloaded metadata.
- In the Additional configurations section, select Include signing certificate in signature and deselect Enable single logout. Keep the other parameters as default.
  Note: Select or deselect the Enable single logout feature based on your requirement. Enabling the feature requires the SLO URLs to be added in the respective fields.
- Use the following configuration in the Attribute configuration section.
  Note: The following attribute statements in the image are mandatory for authentication to the Rapid7 Command Platform.
- Click Finish and Activate to complete the setup.
- Download the Signing Certificate and Identity Provider Metadata. Once done, go back to Task 1.4 (Copy Entity ID and SingleSignOnService URL) and continue.
Task 3: Group Synchronization
Group synchronization allows you to control user group assignment from within OCI IAM.
This capability is made possible by including an attribute labelled rbacGroups in the SAML response that contains the name(s) of the Rapid7 Command Platform groups for each user. The users are automatically assigned to the corresponding groups in the Rapid7 Command Platform and inherit the product, role, and resource access associated with those groups.
Note: When Group Sync is enabled, IdP users are removed from any Rapid7 Command Platform groups not included in their SAML assertion. IdP users retain any roles or permissions assigned directly to them, including those from a default access profile.
To create user groups in Rapid7 Command Platform, navigate to Administration, User Management and click User Groups.
Task 4: Configure User Groups
As group synchronization requires the use of Rapid7 Command Platform user groups, it is important that you have configured groups before activating.
- Add the group attribute. In OCI IAM, we need to ensure that the users are assigned to groups with the same name as the corresponding Rapid7 Command Platform user group. If you have not already created these groups, follow the steps:
  - In the OCI Identity Domains Console, navigate to Groups.
  - Click Create group.
  - Enter the same Name as the corresponding Rapid7 Command Platform user group.
  - In the Users section, select the users to assign to this group.
  - Click Create.
  Once your groups are configured, you need to add an attribute to the SAML assertion containing the names of the groups each user is assigned to.
- Add the attribute to your SAML assertion in OCI IAM Identity Domains.
  - In the OCI Identity Domains Console, navigate to Integrated applications and select your Rapid7 application.
  - Click Edit SSO Configuration in the SAML Settings section.
  - Add the following Attribute Statement and click Save.
  All the information we require from your OCI IAM to synchronize users to Rapid7 Command Platform user groups will now be included when users authenticate using SSO.
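An added example (not from the tutorial, and not Rapid7's or OCI's code) of what the service-provider side does with the rbacGroups attribute described in Tasks 3 and 4: it checks the assertion's Issuer against the Entity ID taken from the IdP metadata in Task 2 and its Audience against the Audience (EntityID) copied in Task 1, then collects the group names. It assumes rbacGroups arrives as one AttributeValue per group; the assertion, issuer, audience and user are constructed placeholders, and signature verification (which a real SP performs first) is left out.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"   # SAML 2.0 assertion namespace
# Constructed sample assertion: placeholder issuer, audience and user; no signature.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1"
    Version="2.0" IssueInstant="2024-11-01T10:00:00Z">
  <saml:Issuer>https://idcs-PLACEHOLDER.identity.oraclecloud.com/fed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/saml/audience</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="rbacGroups">
      <saml:AttributeValue>Platform Admins</saml:AttributeValue>
      <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
      <saml:AttributeValue>SOC Analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def _q(tag):
    return f"{{{SAML}}}{tag}"   # Clark-notation tag name for ElementTree

def groups_from_assertion(assertion_xml, expected_issuer, expected_audience):
    """Return the rbacGroups values of an assertion scoped to this SP.
    An Issuer or Audience mismatch raises ValueError: an assertion minted for
    another SP must not drive group membership here. An empty result means the
    user carries no rbacGroups value, which with group sync on clears their groups."""
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext(_q("Issuer")) or "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer: {issuer}")
    audiences = [a.text.strip() for a in root.iter(_q("Audience")) if a.text]
    if expected_audience not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    groups = []
    for attr in root.iter(_q("Attribute")):
        if attr.get("Name") != "rbacGroups":
            continue
        for value in attr.findall(_q("AttributeValue")):
            name = (value.text or "").strip()
            if name and name not in groups:      # keep order, drop duplicates
                groups.append(name)
    return groups
```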
Task 5: Test the SSO
- Go to the Rapid7 Insight URL (https://insight.rapid7.com) and click Sign in with SSO.
- Enter the credentials.
You are now successfully logged into the Rapid7 Command Platform.
The user is also added to user groups automatically based on the group membership in OCI IAM.
Acknowledgments
- Authors - Gautam Mishra (Principal Cloud Architect)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G18461-01
November 2024