Linking Azure IDP to Chronicle SecOps Platform
In this blog post I provide step by step instructions on how to configure authentication to the Chronicle SecOps platform using Microsoft Azure Identity Platform (IDP).
These instructions can be used for existing Chronicle SIEM customers migrating to BYOID, or for new Chronicle SecOps customers.
It is expected that with the prerequisites in place it will take 30 to 60 minutes to complete the setup. This does not however account for delays that may result from organizational requirements, such as creating a GCP Project or enabling a new Cloud service, so such prerequisites should be reviewed before starting.
Prerequisites Checklist
- If you are a new Google Cloud Platform customer, please contact your GCP account representative before starting this process as pre-configuration steps are required to be made by Google on the SaaS side.
- You have linked a GCP Project to your Chronicle SecOps tenant
- Note, alternatively you can contact your Account team or Partner to assist on this prerequisite
- For the Azure setup stage you will need to be logged into your Azure AD console as a user with permissions to create a new Enterprise Application, and Azure Groups.
- For the Chronicle SecOps setup stage you will need to be logged into your GCP console as a user with permissions to setup Workforce Identity Federation, and set IAM Principals in the GCP Project bound to your Chronicle SecOps tenant.
- You have decided upon a GCP Workforce Identity Federation (WIF) Pool ID and Provider ID. These will be needed to create the ACS and Entity ID URL in the Enterprise Application, and as part of the WIF setup which is performed after the Azure Enterprise Application setup steps.
Microsoft Azure IDP Setup
📝 There are multiple ways to configure Group assertions that will be returned from Azure. The guidance below is just an example; you can also use Security Groups, but if doing so be careful to note whether you are returning a GUID (Group ID) or a display name (sAMAccountName). From observation, SAML assertions are case sensitive, i.e., if your IDP returns the groups assertion in upper or lower case be sure to match that in your GCP IAM configuration.
Creating Groups
It is a recommended best practice to use Groups rather than individual User accounts for access management to your Chronicle SecOps tenant. These Groups will be assigned to the Azure Enterprise Application as part of the setup, and used for Feature RBAC authorization in Chronicle SecOps.
Below are the default Roles available in Chronicle SecOps, and suggested Azure AD Group mappings:
| Chronicle SecOps Role | Azure Group (Suggested) |
|-----------------------|-------------------------|
| Chronicle API Admin | chronicle_secops_admin |
| Chronicle API Editor | chronicle_secops_editor |
| Chronicle API Viewer | chronicle_secops_viewer |
Note, group names are created using underscores instead of spaces as otherwise you cannot assign the group in GCP IAM in later steps using the GUI. If you do have Groups with spaces you will have to use the GCP gcloud command line utility instead.
To create Groups within the Azure console navigate to “Groups”
Click “New group”
The “Group type” should be left as “Security”
Under “Group name” enter the group name you want to use.
Note, it is recommended to use underscores rather than spaces.
Optionally add a “Group description”, and “Owners”.
Click “Members” to add members to the group.
Note, at this stage you should add a user to this group who will be able to test and verify the authentication workflow in Chronicle SecOps in later steps.
Click “Create”
Decide upon WIF Pool and Provider ID values
See Configure Chronicle with a third-party identity provider for a detailed explanation of Workforce Identity Federation workings, and prerequisites, but for the scope of these setup instructions the important elements are to decide upon a Pool ID and Provider ID value, as these will be required in order to create your Azure Enterprise Application, and the same values must be used later on during the WIF setup in GCP.
It is recommended to use a naming syntax that matches your Organizational requirements, but for the purpose of these instructions the format of tenanturl-component will be used. Where you see the below placeholder variables in further steps replace as required to match your environment.
WORKFORCE_POOL_ID=thatsiemguy-azure-pool
WORKFORCE_PROVIDER_ID=thatsiemguy-azure-provider
Note, the Pool ID and Provider ID must be consistently applied in both Azure and GCP, and can’t be changed once deployed!
Azure Enterprise Application Setup
In the Azure AD console navigate to Enterprise Applications
Click “+ New Application”
Click “+ Create your own application”
Note, do not select the pre-built Google Cloud Platform application.
Under “What’s the name of your app?” enter the name for your SAML application that will authenticate to your Chronicle SecOps tenant
Select “Integrate any other application you don’t find in the gallery (Non-gallery)”
Click “Create”
From the left hand menu, select “Single sign-on”, or under “Getting Started” click “2. Set up single sign on”
Select “SAML”
Select “1 Basic SAML Configuration”, and click “Edit”
Under “Identifier (Entity ID)” click “Add Identifier”. Enter the Entity ID URL that matches your Chronicle SecOps tenant, e.g:
https://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/providers/<WORKFORCE_PROVIDER_ID>
Under “Reply URL (Assertion Consumer Service URL)” click “Add reply URL”. Enter the ACS URL that matches your Chronicle SecOps tenant, e.g:
https://auth.backstory.chronicle.security/signin-callback/locations/global/workforcePools/<WORKFORCE_POOL_ID>/providers/<WORKFORCE_PROVIDER_ID>
Optionally, under “Sign on URL (Optional)” add the URL of your Chronicle SecOps tenant
Click the “Save” button to save your configuration, and once prompted the settings have been saved close the pop-out window using the cross.
Under bullet point “2 Attributes & Claims”, click “Edit”
Under “Additional claims” left click each entry in the table and perform the following steps to remove the Namespace prefix.
Click into the “Namespace” field and delete the default value. The field should be empty. Click “Save”.
The “Additional claims” fields should now show without the Namespace prefix.
Under “Attributes & Claims” click “+ Add a group claim”
Under “Which groups associated with the user should be returned in the claim?” select “Groups assigned to the application”
Under “Source attribute” select “Cloud-only group display names”
Under “Advanced options”, tick the “Customize the name of the group claim” box, and in the “Name” field type groups
Click “Save”
Close the “Attributes & Claims” page by clicking the cross in the top right corner
Under “Enterprise Applications”, “Single sign-on”, from within the “3 SAML Certificates” section click “Download” under the “Federation Metadata XML”
Assign Users & Groups to the Enterprise Application
Under “Enterprise Applications”, click “Users and groups”
Click “+ Add user/group” to add the Users and Groups who will be Authorized to use this Chronicle SecOps tenant.
Click “Assign”
Creating the Workforce Identity Federation (WIF) Integration for Chronicle SecOps
GCP WIF Setup
Logged in as an Administrator user in the GCP console, click “Menu”, “IAM & Admin”, and “Workforce Identity Federation”
If you see the prompt “Page not viewable for projects. This feature requires an organization” click “SELECT” for your GCP Organization name.
Click “CREATE POOL”
Under “Name” enter a name for your WIF Pool.
Note, this must match that value you specified earlier on when creating your Azure Enterprise Application, and must be less than 32 characters in length.
Optionally, under “Description” enter a description of the Pool, e.g, what it is for, who set it up, and when.
Optionally, under “Session Duration” change the session duration to 12 hours. This will impact how often an authentication refresh occurs when using the Chronicle SecOps user interface.
Leave “Enabled Pool” as on.
Click “Next”
A WIF Pool will be created, which can take several minutes.
Under “Select a provider” choose “SAML”, and click “SUBMIT”
Under “1 Create a pool provider” enter a “Name”
Note, this must match that value you specified earlier on when creating your Azure Enterprise Application, and must be less than 32 characters in length.
Optionally, under “Description” enter a description of the Pool Provider, e.g, what it is for, who set it up, and when.
Upload the Azure Enterprise Application Federation Metadata XML file downloaded from the Azure console in a prior step.
Click “Continue”
Under “2 Configure provider”, within the “Attribute Mapping” section, complete as follows:
| Google X (where X is the row number) | SAML X (where X is the row number)        |
|--------------------------------|-------------------------------------------|
| google.subject | assertion.subject |
| google.display_name | assertion.attributes.mail[0] |
| google.groups | assertion.attributes.groups |
| attribute.first_name | assertion.attributes.givenname[0] |
| attribute.last_name | assertion.attributes.surname[0] |
| attribute.user_email | assertion.attributes.emailaddress[0] |
Note, March 24 Update: Thank you to readers who have provided feedback. I’ve updated the Attribute Mappings, as while the original instructions worked for standalone SIEM they were failing for SecOps. I’ve also had feedback around Group configuration too, all of which I think can be summarized as: Azure seems quite flexible on the values you can use for assertions and groups, so you may need to customize this depending on your Org requirements.
- attribute.user_email | assertion.attributes.mail[0]
+ attribute.user_email | assertion.attributes.emailaddress[0]
- google.display_name | assertion.attributes.userprincipalname[0]
+ google.display_name | assertion.attributes.mail[0]
Use the “ADD MAPPING” button to add new mapping pairs.
Note, the groups and subject entries should not have an ordinal value, e.g., [0], but all other entries should end in [0].
Click “SUBMIT”
The provider will be created and this process will take a few seconds to complete.
The setup for GCP WIF is now complete.
Setup Authorization in GCP IAM
The authorization for which Features or Data a User or Group can access is set by the IAM (Identity & Access Management) Roles configured in the GCP Project bound to your Chronicle SecOps tenant.
| Azure Group (Suggested) | Type | Principal Set |
|-------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------|
| chronicle_secops_admin | Group (Display Name) | principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/group/chronicle_secops_admin |
| chronicle_secops_editor | Group (Display Name) | principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/group/chronicle_secops_editor |
| chronicle_secops_viewer | Group (Display Name) | principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/group/chronicle_secops_viewer |
Note, if you are unsure of how the Group names are returned see the section on performing a SAML trace to verify the correct Group name format.
In your GCP Console navigate to the Menu button, “IAM & Admin”, and “IAM”.
Click “GRANT ACCESS”
Under “Add Principals” paste the Principal Set value for each Group and Role combination.
Note, as soon as you paste text into the GUI field it becomes non-editable, so you need to have the correct principal value before pasting.
Under “Assign roles” click the “Role” field, search for “Chronicle API Admin” and click the result to select it
Click the “Save” button.
Repeat the above process for the remaining Group and roles you wish to assign to your Chronicle SecOps instance, i.e., Editors and Viewers.
Finalize Setup
Once you have completed the above step to create a GCP WIF Pool and Provider, either:
- Proceed to complete the onboarding Wizard as provided to you by your Chronicle account team
- If you have an existing Chronicle SecOps tenant, provide your Chronicle account team or Chronicle Partner the WORKFORCE POOL ID and WORKFORCE PROVIDER ID so they can complete the final part of the setup process.
Verification
To verify the setup is working, go to your Chronicle SecOps tenant in a web browser:
- Verify you are able to login
- Click “Settings”, “Profile” and view the Group(s) returned by your IDP match as expected
- If you see “No groups assigned” under “IDP Groups” please refer to the Troubleshooting section. This could mean either you have no IDP groups configured, or a configuration issue relating to your IDP groups in Azure or WIF.
Troubleshooting
SAML Tracing
In order to see the SAML Assertion Attributes returned by your IDP to GCP WIF you can use the Inspect tools in your browser. This is useful to verify that the Azure Enterprise Application SAML Attributes mapped in GCP WIF are as expected. It can also be useful for verifying the format of a response, e.g., you expect an Attribute to be in format X, but it’s actually returned in format Y.
Manually using Chrome Inspect
This approach is best used when you can’t install a 3rd party Chrome extension, and only use the features included in the browser.
- Open Chrome Inspector by right clicking on an empty part of the web page, and from the menu select “Inspect”
- Click the “Network” tab.
- Make sure the red circle in the top left is Red, i.e., Recording. You can toggle recording on or off by clicking the circle icon, or pressing the Control + E keyboard combination (on Windows or Linux).
- Login to Chronicle SecOps in the same tab.
- In the filter bar type “signin”
- Under the “Payload” tab right click, and click “Copy value”
You will need to extract the Value from the Key “SAMLResponse”. This is easiest performed in a text editor.
SAMLResponse=<base64>%3D&RelayState=
Use a tool like CyberChef to decode the SAML Response using a recipe as follows:
URL_Decode()
From_Base64('A-Za-z0-9+/=',false,false)
XML_Beautify('\\t')
Syntax_highlighter('auto detect')
From the resulting output you can browse to the SAML Assertion XML block, and look to verify the Attribute Name, and Attribute Value.
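To check what the trace shows against the WIF mapping table earlier in this post, here is an added Python example (written for this page, not code from the post, Google or Microsoft) that decodes a captured SAMLResponse value the way the CyberChef recipe does, pulls out the assertion attributes, applies the post’s attribute mappings including the [0] ordinal rule, and builds the principalSet identifiers that must be granted in IAM, flagging any group whose case does not exactly match a granted name. The SAML response, pool ID and group names are constructed sample values, and the sample assertion is unsigned.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WORKFORCE_POOL_ID = "thatsiemguy-azure-pool"  # placeholder value from the post
# The post's WIF mapping table: Google attribute -> (SAML attribute, whether the [0] ordinal applies)
MAPPING = {"google.subject": ("subject", False), "google.groups": ("groups", False),
           "google.display_name": ("mail", True), "attribute.user_email": ("emailaddress", True),
           "attribute.first_name": ("givenname", True), "attribute.last_name": ("surname", True)}

# Constructed sample assertion, shaped like Azure's once the claim namespace prefixes are removed
# and the group claim is renamed "groups". A real response also carries a signature, omitted here.
_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="groups"><saml:AttributeValue>chronicle_secops_admin</saml:AttributeValue>
<saml:AttributeValue>Chronicle_SecOps_Viewer</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_BODY = "SAMLResponse=%s&RelayState=" % urllib.parse.quote(base64.b64encode(_XML.encode()).decode(), safe="")

def decode_saml_response(form_body):
    """URL-decode then base64-decode the SAMLResponse field (the CyberChef recipe, in code)."""
    fields = dict(part.split("=", 1) for part in form_body.split("&"))
    return base64.b64decode(urllib.parse.unquote(fields["SAMLResponse"])).decode()

def extract_attributes(xml_text):
    """Return {attribute name: [values]}; NameID is a scalar (like assertion.subject) under 'subject'."""
    root = ET.fromstring(xml_text)
    attrs = {"subject": root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def apply_mapping(attrs):
    """Resolve each Google attribute as WIF would: [0] takes the first value, no ordinal keeps the list."""
    return {google: (attrs[saml][0] if first else attrs[saml]) for google, (saml, first) in MAPPING.items()}

def principal_sets(mapped, pool_id=WORKFORCE_POOL_ID):
    """principalSet URIs that need an IAM binding for each group value in google.groups."""
    return ["principalSet://iam.googleapis.com/locations/global/workforcePools/%s/group/%s" % (pool_id, g) for g in mapped["google.groups"]]

def unmatched_groups(mapped, granted):
    """Groups the IDP returned with no exact, case-sensitive match among the group names granted in IAM."""
    return [g for g in mapped["google.groups"] if g not in granted]
```

Run `unmatched_groups` against the group names you granted in IAM; any group listed there is one whose spelling or case differs from what Azure actually sends.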
If you can’t see a signin-handler entry in your Network tab, you can force a new authentication by deleting your local cookie as follows.
Click the “Application” tab, from the left hand panel click “Cookies”, and expand the URL for your Chronicle SecOps tenant.
Find the entry under “Name” for “MALACHITE_SESSION” and delete this.
Refresh your browser and you will re-authenticate.
Summary
If you have questions, notice any errors, or want to provide feedback on the above, please send a message or post a comment.