Linking Azure IDP to Chronicle SecOps Platform

Chris Martin (@thatsiemguy)
11 min read · Nov 4, 2023


In this blog post I provide step by step instructions on how to configure authentication to the Chronicle SecOps platform using Microsoft Azure Identity Platform (IDP).

These instructions can be used for existing Chronicle SIEM customers migrating to BYOID, or for new Chronicle SecOps customers.

It is expected that, with the prerequisites in place, the setup will take 30 to 60 minutes to complete. This does not account for delays that may result from organizational requirements, such as creating a GCP Project or enabling a new Cloud service, so such prerequisites should be reviewed before starting.

The high level steps to integrate Azure IDP with Chronicle SecOps

Prerequisites Checklist

  • If you are a new Google Cloud Platform customer, please contact your GCP account representative before starting this process as pre-configuration steps are required to be made by Google on the SaaS side.
  • You have linked a GCP Project to your Chronicle SecOps tenant
    - Note, alternatively you can contact your Account team or Partner to assist on this pre-requisite
  • For the Azure setup stage you will need to be logged into your Azure AD console as a user with permissions to create a new Enterprise Application, and Azure Groups.
  • For the Chronicle SecOps setup stage you will need to be logged into your GCP console as a user with permissions to setup Workforce Identity Federation, and set IAM Principals in the GCP Project bound to your Chronicle SecOps tenant.
  • You have decided upon a GCP Workforce Identity Federation (WIF) Pool ID and Provider ID. These will be needed to create the ACS and Entity ID URL in the Enterprise Application, and as part of the WIF setup which is performed after the Azure Enterprise Application setup steps.

Microsoft Azure IDP Setup

📝 There are multiple ways to configure the Group assertions that Azure returns. The guidance below is just an example; you can also use Security Groups, but if you do, be careful to note whether you are returning a GUID (Group ID) or a display name (sAMAccountName). From observation, SAML assertions are case sensitive, i.e., if your IDP returns the groups assertion in upper or lower case, be sure to match that case in your GCP IAM configuration.

Creating Groups

It is a recommended best practice to use Groups rather than individual User accounts for access management to your Chronicle SecOps tenant. These Groups will be assigned to the Azure Enterprise Application as part of the setup, and used for Feature RBAC authorization in Chronicle SecOps.

Below are the default Roles available in Chronicle SecOps, and suggested Azure AD Group mappings:

| Chronicle SecOps Role | Azure Group (Suggested) |
|-----------------------|-------------------------|
| Chronicle API Admin | chronicle_secops_admin |
| Chronicle API Editor | chronicle_secops_editor |
| Chronicle API Viewer | chronicle_secops_viewer |

Note, group names are created using underscores instead of spaces as otherwise you cannot assign the group in GCP IAM in later steps using the GUI. If you do have Groups with spaces you will have to use the GCP gcloud command line utility instead.

To create Groups within the Azure console navigate to “Groups”

Click “New group”

Creating a New Group

The “Group type” should be left as “Security”

Under “Group name” enter the group name you want to use.

Note, it is recommended to use underscores rather than spaces.

Optionally add a “Group description”, and “Owners”.

Click “Members” to add members to the group.

Note, at this stage you should add a user to this group who will be able to test and verify the authentication workflow in Chronicle SecOps in later steps.

Click “Create”

Creating a Group in Azure for use in Chronicle SecOps

Decide upon WIF Pool and Provider ID values

See Configure Chronicle with a third-party identity provider for a detailed explanation of Workforce Identity Federation workings, and prerequisites, but for the scope of these setup instructions the important elements are to decide upon a Pool ID and Provider ID value, as these will be required in order to create your Azure Enterprise Application, and the same values must be used later on during the WIF setup in GCP.

It is recommended to use a naming syntax that matches your Organizational requirements, but for the purpose of these instructions the format of tenanturl-component will be used. Where you see the below placeholder variables in further steps replace as required to match your environment.

WORKFORCE_POOL_ID=thatsiemguy-azure-pool
WORKFORCE_PROVIDER_ID=thatsiemguy-azure-provider

Note, the Pool ID and Provider ID must be applied consistently in both Azure and GCP, and can’t be changed once deployed!

Azure Enterprise Application Setup

In the Azure AD console navigate to Enterprise Applications

Click “+ New Application”

Click “+ Create your own application”

Note, do not select the pre-built Google Cloud Platform application.

Under “What’s the name of your app?” enter the name for your SAML application that will authenticate to your Chronicle SecOps tenant

Select “Integrate any other application you don’t find in the gallery (Non-gallery)”

Click “Create”

Creating a new Enterprise Application in Azure for use with Chronicle SecOps

From the left hand menu, select “Single sign-on”, or under “Getting Started” click “2. Set up single sign on”

Setting up Single sign-on in your new Enterprise Application

Select “SAML”

Configure SAML in your new Enterprise Application

Select “1 Basic SAML Configuration”, and click “Edit”

Editing the basic SAML configuration in your new Enterprise Application

Under “Identifier (Entity ID)” click “Add Identifier”. Enter the Entity ID URL that matches your Chronicle SecOps tenant, e.g:

https://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/providers/<WORKFORCE_PROVIDER_ID>

Under “Reply URL (Assertion Consumer Service URL)” click “Add reply URL”. Enter the ACS URL that matches your Chronicle SecOps tenant, e.g.:

https://auth.backstory.chronicle.security/signin-callback/locations/global/workforcePools/<WORKFORCE_POOL_ID>/providers/<WORKFORCE_PROVIDER_ID>

Optionally, under “Sign on URL (Optional)” add the URL of your Chronicle SecOps tenant

Click the “Save” button to save your configuration, and once prompted the settings have been saved close the pop-out window using the cross.

Configuring basic SAML settings

Under bullet point “2 Attributes & Claims”, click “Edit”

Configure Attributes & Claims

Under “Additional claims” left click each entry in the table and perform the following steps to remove the Namespace prefix.

Removing the default Namespace value in the Additional claims

Click into the “Namespace” field and delete the default value. The field should be empty. Click “Save”.

Removing the Namespace from the claim

The “Additional claims” fields should now show without the Namespace prefix.

How the Additional claims should look once you have removed the default Namespace

Under “Attributes & Claims” click “+ Add a group claim”

Under “Which groups associated with the user should be returned in the claim?” select “Groups assigned to the application”

Under “Source attribute” select “Cloud-only group display names”

Under “Advanced options”, tick the “Customize the name of the group claim” box, and in the “Name” field type groups

Click “Save”

Configuring the Group Claims

Close the “Attribute & Claims” page by clicking the cross in the top right corner

Under “Enterprise Applications”, “Single sign-on”, from within the “3 SAML Certificates” section click “Download” under the “Federation Metadata XML”

Downloading the XML file from your Enterprise Application

Assign Users & Groups to the Enterprise Application

Under “Enterprise Applications”, click “Users and groups”

Click “+ Add user/group” to add the Users and Groups who will be Authorized to use this Chronicle SecOps tenant.

Click “Assign”

Adding Users & Groups to your Enterprise Application

Creating the Workforce Identity Federation (WIF) Integration for Chronicle SecOps

GCP WIF Setup

Logged in as an Administrator user in the GCP console, click “Menu”, “IAM & Admin”, and “Workforce Identity Federation”

If you see the prompt “Page not viewable for projects. This feature requires an organization” click “SELECT” for your GCP Organization name.

Click “CREATE POOL”

Creating a WIF Pool in GCP

Under “Name” enter a name for your WIF Pool.

Note, this must match the Pool ID value you specified earlier when creating your Azure Enterprise Application, and must be less than 32 characters in length.

Optionally, under “Description” enter a description of the Pool, e.g., what it is for, who set it up, and when.

Optionally, under “Session Duration” change the session duration to 12 hours. This will impact how often an authentication refresh occurs when using the Chronicle SecOps user interface.

Leave “Enabled Pool” as on.

Click “Next”

Creating the WIF Pool

A WIF Pool will be created, which can take several minutes.

Under “Select a provider” choose “SAML”, and click “SUBMIT”

Configuring a WIF SAML Provider

Under “1 Create a pool provider” enter a “Name”

Note, this must match the Provider ID value you specified earlier when creating your Azure Enterprise Application, and must be less than 32 characters in length.

Optionally, under “Description” enter a description of the Pool Provider, e.g., what it is for, who set it up, and when.

Upload the Azure Enterprise Application Federation Metadata XML file downloaded from the Azure console in a prior step.

Click “Continue”

Configuring the WIF SAML Provider

Under “2 Configure provider”, within the “Attribute Mapping” section, complete as follows:

| Google (attribute name) | SAML (assertion expression) |
|-------------------------|-----------------------------|
| google.subject | assertion.subject |
| google.display_name | assertion.attributes.mail[0] |
| google.groups | assertion.attributes.groups |
| attribute.first_name | assertion.attributes.givenname[0] |
| attribute.last_name | assertion.attributes.surname[0] |
| attribute.user_email | assertion.attributes.emailaddress[0] |

Note, March 24 Update: Thank you to readers who have provided feedback. I’ve updated the Attribute Mappings, as while the original instructions worked for standalone SIEM they were failing for SecOps. I’ve also had feedback around Group configuration, all of which I think can be summarized as: Azure seems quite flexible on the values you can use for assertions and groups, so you may need to customize this depending on your Org requirements.

- attribute.user_email | assertion.attributes.mail[0]
+ attribute.user_email | assertion.attributes.emailaddress[0]
- google.display_name | assertion.attributes.userprincipalname[0]
+ google.display_name | assertion.attributes.mail[0]

Use the “ADD MAPPING” button to add new mapping pairs.

Note, the groups and subject entries should not have an ordinal value, e.g., [0], but all other entries should end in [0].

Click “SUBMIT”

Configuring the SAML Attribute mapping in the WIF Pool Provider

The provider will be created and this process will take a few seconds to complete.

The setup for GCP WIF is now complete.

Setup Authorization in GCP IAM

The authorization for which Features or Data a User or Group can access is set by the IAM (Identity & Access Management) Roles configured in the GCP Project bound to your Chronicle SecOps tenant.

| Azure Group (Suggested) | Type                 | Principal Set                                                                                                       |
|-------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------|
| chronicle_secops_admin | Group (Display Name) | principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/group/chronicle_secops_admin |
| chronicle_secops_editor | Group (Display Name) | principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/group/chronicle_secops_editor |
| chronicle_secops_viewer | Group (Display Name) | principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/group/chronicle_secops_viewer |

Note, if you are unsure of how the Group names are returned see the section on performing a SAML trace to verify the correct Group name format.

In your GCP Console navigate to the Menu button, “IAM & Admin”, and “IAM”.

Click “GRANT ACCESS”

Granting access to principals in GCP IAM

Under “Add Principals” paste the Principal Set value for each Group and Role combination.

Note, as soon as you paste text into the GUI field it becomes non-editable, so you need to have the correct principal value before pasting.

Under “Assign roles” click the “Role” field, search for “Chronicle API Admin” and click the result to select it

Click the “Save” button.

Assigning a role to a principal in GCP IAM

Repeat the above process for the remaining Groups and Roles you wish to assign to your Chronicle SecOps instance, i.e., Editors and Viewers.

Finalize Setup

Once you have completed the above step to create a GCP WIF Pool and Provider, either:

  • Proceed to complete the onboarding Wizard as provided to you by your Chronicle account team
  • If you have an existing Chronicle SecOps tenant, provide your Chronicle account team or Chronicle Partner the WORKFORCE POOL ID and WORKFORCE PROVIDER ID so they can complete the final part of the setup process.

Verification

To verify the setup is working go to your Chronicle SecOps tenant in a web browser

  • Verify you are able to login
  • Click “Settings”, “Profile” and view the Group(s) returned by your IDP match as expected
  • If you see “No groups assigned” under “IDP Groups” please refer to the Troubleshooting section. This could mean either you have no IDP groups configured, or a configuration issue relating to your IDP groups in Azure or WIF.

An example of where no IDP groups are returned into Chronicle SecOps

Troubleshooting

SAML Tracing

In order to see the SAML Assertion Attributes returned by your IDP to GCP WIF you can use the Inspect tools in your browser. This is useful to verify that the Azure Enterprise Application SAML Attributes mapped in GCP WIF are as expected. It can also be useful for verifying the format of a response, e.g., you expect an Attribute to be in format X, but it’s actually returned in format Y.

Manually using Chrome Inspect

This approach is best used when you can’t install a 3rd party Chrome extension and can only use the features included in the browser.

  • Open Chrome Inspector by right clicking on an empty part of the web page, and from the menu select “Inspect”
  • Click the “Network” tab.
  • Make sure the record button (the circle in the top left) is red, i.e., recording. You can toggle recording on or off by clicking the circle icon, or pressing the Control + E keyboard combination (on Windows or Linux).
  • Login to Chronicle SecOps in the same tab.
  • In the filter bar type “signin”
  • Under the “Payload” tab right click, and click “Copy value”

How to capture the SAML assertion returned by your IDP to GCP WIF

You will need to extract the Value from the Key “SAMLResponse”. This is easiest performed in a text editor.

SAMLResponse=<base64>%3D&RelayState=

Use a tool like CyberChef to decode the SAML Response using a recipe as follows:

URL_Decode()
From_Base64('A-Za-z0-9+/=',false,false)
XML_Beautify('\\t')
Syntax_highlighter('auto detect')

From the resulting output you can browse to the SAML Assertion XML block, and look to verify the Attribute Name, and Attribute Value.

Example of verifying the SAML Attributes returned from your IDP to GCP WIF
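The following Python is an added example, not code from the original post or from Google or Microsoft. It performs the same decode as the CyberChef recipe above on a constructed sample SAMLResponse (URL-decode, base64-decode, parse the XML), then evaluates the Attribute Mapping table from the WIF Provider section against the decoded assertion and derives the principalSet value each returned group needs in GCP IAM, so that a Namespace prefix, a missing [0] value, or a group name in the wrong case shows up before you touch IAM. The sample response and the user alice@example.com are constructed; the pool ID reuses the post’s thatsiemguy-azure-pool.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not a real Azure response. Claim names carry no Namespace prefix
# and the group claim is named "groups", as the Enterprise Application steps configure.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject><saml:AttributeStatement>
 <saml:Attribute Name="givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="surname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="groups"><saml:AttributeValue>Chronicle_SecOps_Admin</saml:AttributeValue>
 <saml:AttributeValue>chronicle_secops_viewer</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

# The form seen in the Network tab payload: base64, then URL-encoded ("=" becomes %3D).
SAMPLE_SAMLRESPONSE = urllib.parse.quote(base64.b64encode(SAMPLE_XML.encode()).decode(), safe="")

# The post's WIF attribute mapping: subject and groups take the whole value, the rest [0].
WIF_MAPPING = {"google.subject": "subject", "google.display_name": "mail[0]",
               "google.groups": "groups", "attribute.first_name": "givenname[0]",
               "attribute.last_name": "surname[0]", "attribute.user_email": "emailaddress[0]"}


def decode_saml_response(encoded):
    """Mirror the CyberChef recipe (URL_Decode, From_Base64, parse XML): subject plus every Attribute Name and its values."""
    root = ET.fromstring(base64.b64decode(urllib.parse.unquote(encoded)))
    assertion = root.find("saml:Assertion", NS)
    out = {"subject": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in assertion.iterfind(".//saml:Attribute", NS):
        out[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return out


def apply_wif_mapping(attrs):
    """Evaluate each mapping; an absent claim, or an empty one where [0] is used, comes back as None."""
    mapped = {}
    for google_attr, expr in WIF_MAPPING.items():
        name, _, idx = expr.partition("[")
        values = attrs.get(name)
        mapped[google_attr] = (values[0] if values else None) if idx else values
    return mapped


def principal_sets(attrs, pool_id):
    """Derive the principalSet:// IAM member per returned group; the name is copied verbatim (case sensitive)."""
    base = f"principalSet://iam.googleapis.com/locations/global/workforcePools/{pool_id}/group/"
    return {g: base + g for g in attrs.get("groups", [])}
```

Paste the real value copied from the Network tab (the part after `SAMLResponse=` and before `&RelayState=`) into `decode_saml_response` in place of the constructed sample; a group whose derived principalSet differs from your IAM binding only in case is exactly the mismatch the post warns about.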

If you can’t see a signin-handler entry in your Network tab, you can force a new authentication by deleting your local cookie as follows.

Click the “Application” tab, from the left hand panel click “Cookies”, and expand the URL for your Chronicle SecOps tenant.

Find the entry under “Name” for “MALACHITE_SESSION” and delete this.

Refresh your browser and you will re-authenticate.

How to clear your session cookie and force a re-authentication in Chrome Inspect

Summary

If you have feedback or questions, or notice any errors in the above, please send a message or post a comment.
