Configuring SAML authentication

You can configure IBM® QRadar® to use the Security Assertion Markup Language (SAML) 2.0 single sign-on framework for user authentication and authorization.

Before you begin

To complete SAML configuration in QRadar, you must first export the SAML 2.0 XML metadata file from your Identity Provider (IdP). QRadar reads the IdP entity ID, endpoints, and signing certificate from this file.

About this task

Follow these steps to configure SAML authentication on your QRadar host. After you complete this task, you must configure the Identity Provider to work with QRadar.

Procedure

  1. On the Admin tab, click Authentication.
  2. Click Authentication Module Settings.
  3. From the Authentication Module list, select SAML 2.0.
  4. In the Identity Provider Configuration section, click Select Metadata File, browse to the XML metadata file that was created by your Identity Provider, and then click Open.
  5. In the Service Provider Configuration section, type the Entity ID URL.
  6. Select a NameID format:
    • Unspecified (default)
    • Persistent
    • Email Address
    • X509 Certificate Subject Name
    • Windows Domain Name
    • Kerberos
    Tip: Use Unspecified unless your Identity Provider does not support it.
  7. Select the Request Binding Protocol:
    • HTTP-POST
    • HTTP-Redirect
  8. Select Yes for Request Signed Assertion, unless the Identity Provider you are connecting to does not support signed assertions.
    Warning: Selecting No means QRadar does not require the Identity Provider to sign its assertions, so QRadar cannot verify that an assertion was actually issued by the Identity Provider. This is not recommended, because an unauthenticated network-based attacker who can submit a forged assertion to QRadar could gain access to protected resources.
  9. If you want the assertion returned by the Identity Provider to be encrypted to a QRadar certificate, select Yes for Request Encrypted Assertion. The Identity Provider encrypts the assertion with the public key from the QRadar SAML metadata, and QRadar decrypts it with the matching private key.
    Important: On QRadar versions earlier than 7.4.3 Fix Pack 5, enabling encryption requires that you install the unrestricted SDK JCE policy files (see Installing unrestricted SDK JCE policy files). If you are running QRadar 7.4.3 Fix Pack 5 or later, do not install these files.
  10. If you want to sign the authentication request by using a QRadar certificate, select Yes for Sign Authentication Request.
  11. If you want to automatically log users out of the Identity Provider when they log out of QRadar, select Yes for Enable Service Provider Initiated Single Logout.
    Tip: This option is available only if supported by your Identity Provider.
  12. Use one of the following methods to configure a certificate for signing and decrypting:
    • Use the provided QRadar_SAML certificate: Use the links in the tooltip to download the Root CA, Root CA CRL, Intermediate CA, and Intermediate CA CRL files of the certificate chain, and upload them to the trusted certificate store of the Identity Provider server.
    • Add a new certificate: Click Add and follow the instructions in Importing a new certificate for signing and decrypting to add a custom certificate.
    • Renew or update an existing certificate: Click Renew to renew the QRadar_SAML certificate if it has expired or expires soon, or click Update to update a custom certificate that has expired or expires soon. Which of these options appears depends on the certificate you are using.
  13. Select one of the following methods to authorize users:
    • Local: You must create local QRadar users and configure their roles and security profiles in User Manager. The SAML assertion only authenticates the user; authorization comes from the local account.
    • User Attributes: QRadar uses the attributes carried in the SAML assertion to create local users automatically when they authenticate. Roles and security profiles are assigned according to the values of the role attribute and the security profile attribute. Both attributes must be present in the assertion, and the roles and security profiles they name must already exist in QRadar. Usernames, user roles, and security profiles are case-sensitive, so the attribute values must match the QRadar names exactly.
    Note: When using a role with Admin capabilities, the value of the security profile attribute must be Admin.
    Tip: In a multi-tenant environment, you must also configure the Tenant attribute to assign users to tenants. If the tenant attribute is not provided, the user that is created is not assigned to any tenant.
  14. Click Save Authentication Module.
    The QRadar SAML metadata file is automatically downloaded.
  15. On the Admin tab, click Deploy Changes.
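The following script is an added example and is not IBM QRadar code. It does two things a practitioner typically wants after finishing the procedure: it parses an SP metadata file of the kind QRadar downloads in step 14 and reports whether the settings from steps 5 to 10 (entity ID, NameID format, binding, signed assertions, signed authentication requests, published certificates) came out as intended; and it models the User Attributes rules from step 13 (case-sensitive matching of role, security profile and tenant against names that already exist in QRadar, and the requirement that an Admin-capable role carries the Admin security profile). Both XML documents are constructed samples; the attribute names role, securityProfile and tenant, the role, profile and tenant names, and the example URLs are assumptions, not QRadar's documented values.

```python
"""Added example, not IBM QRadar code. Checks a constructed SP metadata file and
models the User Attributes authorization rules. Attribute names (role,
securityProfile, tenant), role/profile/tenant names and URLs are assumptions."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata in the shape produced by Request Signed Assertion = Yes,
# Request Encrypted Assertion = Yes, Sign Authentication Request = Yes, NameID
# format Unspecified and the HTTP-POST binding. Certificate bodies are truncated.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://qradar.example.com">
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://qradar.example.com/acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return the security-relevant SP settings plus a list of findings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    s = {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "name_id_formats": [e.text.rsplit(":", 1)[-1] for e in sp.findall("md:NameIDFormat", NS)],
        "acs_bindings": [e.get("Binding").rsplit(":", 1)[-1]
                         for e in sp.findall("md:AssertionConsumerService", NS)],
        "key_uses": sorted(k.get("use") for k in sp.findall("md:KeyDescriptor", NS)),
        "findings": [],
    }
    if not s["want_assertions_signed"]:  # the weak setting warned about in step 8
        s["findings"].append("WantAssertionsSigned is false: unsigned assertions are accepted")
    if s["authn_requests_signed"] and "signing" not in s["key_uses"]:
        s["findings"].append("AuthnRequestsSigned is true but no signing certificate is published")
    return s


# Names assumed to exist in QRadar already (User Attributes mode does not create them).
EXISTING_ROLES = {"Admin", "Analyst"}
EXISTING_PROFILES = {"Admin", "SOC"}
EXISTING_TENANTS = {"tenant-a"}
ADMIN_ROLES = {"Admin"}  # roles with Admin capabilities

# Constructed assertion carrying the role, security profile and tenant attributes.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Subject><saml:NameID
  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="role"><saml:AttributeValue>Analyst</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="securityProfile"><saml:AttributeValue>SOC</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="tenant"><saml:AttributeValue>tenant-a</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def map_user(assertion_xml, expected_issuer, role_attr="role",
             profile_attr="securityProfile", tenant_attr="tenant"):
    """Model of the User Attributes rules: exact-case match against existing names,
    Admin-capable roles require the Admin security profile, tenant is optional."""
    root = ET.fromstring(assertion_xml)
    errors = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        errors.append("issuer does not match the configured Identity Provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    role, profile, tenant = attrs.get(role_attr), attrs.get(profile_attr), attrs.get(tenant_attr)
    if not name_id:
        errors.append("assertion carries no NameID, so there is no username to create")
    if role not in EXISTING_ROLES:  # set membership is case-sensitive, as QRadar is
        errors.append(f"role {role!r} does not exist in QRadar")
    if profile not in EXISTING_PROFILES:
        errors.append(f"security profile {profile!r} does not exist in QRadar")
    if role in ADMIN_ROLES and profile != "Admin":
        errors.append("a role with Admin capabilities requires security profile 'Admin'")
    if tenant is not None and tenant not in EXISTING_TENANTS:
        errors.append(f"tenant {tenant!r} does not exist in QRadar")
    return {"user": name_id, "role": role, "security_profile": profile,
            "tenant": tenant, "errors": errors}


if __name__ == "__main__":
    print(check_sp_metadata(SP_METADATA))
    print(map_user(ASSERTION, "https://idp.example.com"))
    # Lower-case role value: rejected, because QRadar role names are case-sensitive.
    print(map_user(ASSERTION.replace(">Analyst<", ">analyst<"), "https://idp.example.com")["errors"])
```

Run it against the metadata file that QRadar downloaded (replace SP_METADATA with the file contents) before handing that file to the Identity Provider team; an empty findings list confirms that signed assertions and signed authentication requests are in force. The map_user checks mirror the documented rules only; QRadar's real assertion processing additionally verifies the XML signature, which this example does not attempt.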

What to do next

If you selected Local authorization, go to User management to create local users. If you selected User Attributes, create the roles, security profiles, and tenants that the assertion attributes will reference, using exactly the same spelling and case, and then deploy the changes.

After you configure QRadar, you must configure your Identity Provider by using the QRadar SAML metadata file that was downloaded when you saved the authentication module.