Configure Single Sign-On

The following workflow describes the tasks to be performed in sequence to configure Single Sign-On authentication on NetWitness.

SSO Prereq 12.4 updated.png

Configure ADFS as IDP for NetWitness

For instructions on how to configure ADFS as IDP for NetWitness, refer to Microsoft documentation.

Configure ADFS for SAML Token Based Authorization

If you want to set up user authentication without depending on Active Directory configuration in NetWitness, configure AD FS to send user group information in SAML token to NetWitness, see Create a Rule to Send Group Membership as a Claim and Create a Rule to Send LDAP Attributes as Claims. NetWitness recommends you select the LDAP attribute and Outgoing Claim Type pair as specified below:

  • LDAP Attribute: Token Groups - Qualified by Long Domain Name.

  • Outgoing Claim Type: Group.

If you choose not to use the recommended LDAP attribute and Outgoing Claim Type pair, the SAML External Group Attribute Name in NetWitness Platform (Go to AdminIcon.png (Admin) > Security > Single Sign-On Settings > SAML External Group Attribute Name) should be the same as the Attribute Name in the SAML token from ADFS.

Note: The details mentioned above are specific to Windows Server ADFS. If you are using the Azure ADFS, you need to update the SAML External Group Attribute Name appropriately.

124_Saml_Token.png

Sign the SAML Response

NetWitness recommends you encrypt and sign the SAML response to successfully complete the SAML token-based authentication. To enable response signing in ADFS, run the following command in powershell,

Set-AdfsRelyingPartyTrust -TargetName <<relying-party-name>> -SamlResponseSignature MessageAndAssertion

Map User Roles to External Groups

Atleast one External Group should be mapped to an administrator role in NetWitness. For instructions on how to map user roles to External Groups, see (Optional) Map User Roles to External Groups.

Enable Single Sign-On

IMPORTANT: NetWitness recommends mapping user roles to external groups (see (Optional) Map User Roles to External Groups) before you enable Single Sign-On. Otherwise, you may encounter problems while configuring and logging in Single Sign-On.

  1. Go to AdminIcon.png (Admin) > Security
    The Security view is displayed with the Users tab open.
  2. Click the Single Sign-On Settings tab.
  3. Select the Enable SSO checkbox.
    124_Saml_Token.png
  4. Select the Auto Import IDP Metadata if you want the latest IDP metadata to be automatically downloaded at regular intervals.
    When you select this check box, a Metadata URL field will be displayed where you must enter the IDP metadata URL.

  5. Select Use proxy checkbox for the requests to IDP tobe routed through the proxy configured in AdminIcon.png (Admin) > System > HTTP Proxy settings.
  6. Select Import IDP Metadata to manually import the meta data and enter the IDP metadata URL.
    Note: Make sure you update the link every time the IDP metadata is updated.
  7. Enter a unique entity ID to identify the NetWitness instance in the Identity Provider.
  8. (Optional) Select the Enable Global Logout checkbox if you want to be logged out of NetWitness along with all the other associated sessions authenticated by IDP.
  9. Select the Enable the SAML Token Based SSO Authorization check box if you want to setup SAML token based SSO without needing to configure Active Directory in NetWitness Platform.

  10. Click Apply.
    This may take some time however we recommend you to restart the admin-server immediately. To export the metadata in an XML format either click the link in the notification tray and download the metadata or click Export Service Provider Metadata .

Note: The exported Service Provider metadata must be imported to IDP. For more information, see the Configure SAML 2.0 provider settings for portals topic in Microsoft documentation.