
App Control: How to Integrate App Control with an IdP

Environment

  • App Control Console: All Supported Versions

Objective

To add App Control as a Service Provider in an existing Identity Provider (IdP) via SAML Integration.

Resolution

Prerequisites:
  • An account with an Identity Provider (IdP) whose login and logout locations have a binding of type HTTP-redirect.
  • App Control will need to first be added as a Service Provider in the Identity Provider (IdP).
  • Mapping requires specification of an email address from the IdP using one of the following attributes:
    • NameID of type: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • An attribute with the name EmailAddress (capitalized as shown)
  • A Carbon Black App Control login account matching the value of NameID or EmailAddress for each IdP User must exist in the Console.
  • Best practices if using both Active Directory and SAML integration can be found here.

Add App Control To An Existing Identity Provider (IdP):
  1. Log in to the IdP and add a new Service Provider.
  2. When prompted, provide the FQDN of the App Control Server (System Configuration > General > Server Address) to the IdP.
  3. Determine which attribute to map to IdP Accounts:
    • Note: App Control supports only one of these attributes, not both.
    • If using NameID:
      • Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • Provide the NameID Attribute that identifies Email Addresses in the IdP.
    • If using EmailAddress: (Capitalized as shown)
      • If you provide EmailAddress, it is always used for mapping, even when there is no matching Console account.
  4. Log in to the Console and navigate to System Configuration > SAML Login > Service Provider.
  5. Choose either XML or Manual, depending on the IdP requirements.
  6. Follow the instructions of the IdP for importing the XML or providing the values manually.
  7. Download the XML Metadata provided by the IdP for the new Service Provider (App Control).
  8. Verify the XML provided by the IdP matches the requirements for App Control.
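As an added example (not Carbon Black's code) for Step 8, the following Python check parses the IdP metadata and flags the prerequisites listed above: HTTP-Redirect bindings for login and logout, and whether the IdP advertises the emailAddress NameID format. The metadata shown is a constructed sample; idp.example.com is hypothetical.

```python
"""Check IdP SAML metadata against the App Control prerequisites (added example)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample metadata for a hypothetical IdP. Its logout endpoint
# deliberately offers only HTTP-POST, which the checker should flag.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return a list of problems; an empty list means the prerequisites are met."""
    problems = []
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element found"]
    # Login and logout locations must each offer an HTTP-Redirect binding.
    for service in ("SingleSignOnService", "SingleLogoutService"):
        bindings = {e.get("Binding") for e in idp.findall(f"md:{service}", NS)}
        if not bindings:
            problems.append(f"{service} is missing")
        elif HTTP_REDIRECT not in bindings:
            problems.append(f"{service} has no HTTP-Redirect binding (found: {sorted(bindings)})")
    # Without an emailAddress NameID, the IdP must send the EmailAddress attribute instead.
    formats = {e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text}
    if EMAIL_FORMAT not in formats:
        problems.append("NameIDFormat does not advertise emailAddress; IdP must send EmailAddress attribute")
    return problems


if __name__ == "__main__":
    for line in check_idp_metadata(SAMPLE_METADATA) or ["metadata OK"]:
        print(line)
```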

Add The IdP to App Control:
  1. Log in to the App Control Console and navigate to System Configuration > SAML Login > Identity Provider > Add Identity Provider.
    • Identity Provider Name: This is the name that will appear on the App Control Login page.
    • Identity Provider XML: This is the XML Metadata acquired in Step 7 of the Service Provider setup above.
  2. Paste or upload the IdP XML.
  3. Click Save. 

Additional Notes

  • Only the NameID or the EmailAddress should be passed from the IdP to App Control in the assertion, not both.
  • If the Carbon Black App Control login account has not been created, or does not match the value of NameID or EmailAddress, the following or a similar message is reported in the Server.Log file:
LoginUser: SAML login: Email address did not exist: test.user@servername.com

Creation Date: 01-15-2021