How To
Summary
This document is an example of how you could go about mapping SAML groups to IBM Security SOAR groups.
Steps
You can map groups in IBM SOAR to groups in your IdP. The benefit is that group membership, and therefore the level of access each user has in IBM SOAR, is managed in the IdP: each IdP group maps to an IBM SOAR group, and the roles are assigned to that group in IBM SOAR.
Create the groups within IBM SOAR.

Make sure the same groups exist in your IdP (ADFS backed by Active Directory in this case). Create groups in AD whose names match the IBM SOAR group names exactly, including case.

Here is the basic claim rule that maps the LDAP attributes for givenname, emailaddress and surname to outgoing claims.

These rules produce the following AttributeStatement in the SAML response:
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>Shaun.Roberts@domain.com</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
    <AttributeValue>Shaun</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
    <AttributeValue>Roberts</AttributeValue>
  </Attribute>
</AttributeStatement>
Adding groups
Adding groups involves adding to the claim rule. Depending on your requirements, it might be as simple as adding a new line to your existing claim rules.
The instructions below are examples and may not fulfill every use case or requirement. These steps worked with a particular version of Active Directory; the values needed for your environment may differ. Liaise with the team that supports your IdP for assistance.
memberOf
Add a new line to the claim rule that maps the LDAP attribute Is-Member-Of-DL to the outgoing claim type memberOf (memberOf is not in the drop-down list, so enter the value manually).

When a user in the AD group ResilientMasterAdmins logs in, the value passed in the SAML response is the group's full distinguished name (DN). IBM SOAR compares it against the group names created in the earlier steps and does not recognize it.
<Attribute Name="memberOf">
  <AttributeValue>CN=ResilientMasterAdmins,OU=groups,DC=domain,DC=com</AttributeValue>
</Attribute>
The following message is written to client.log because the value in the SAML response differs from the group name in IBM SOAR:
14:57:38.685 [http-bio-443-exec-42] INFO com.co3.saml.SAMLAuthentication - SAML assertion indicated the user is in group CN=ResilientMasterAdmins,OU=groups,DC=domain,DC=com, but that group does not exist in Resilient so it will be ignored
Group
Using "Group" also passes the full DN, under a different Attribute Name from memberOf.

<Attribute Name="http://schemas.xmlsoap.org/claims/Group">
  <AttributeValue>CN=ResilientMasterAdmins,OU=groups,DC=domain,DC=com</AttributeValue>
</Attribute>
Use full DN
You can rename the group in IBM SOAR to match the full DN.

When the SAML response sends the full DN, it matches with the group name and the user is given the access defined by the group.
Use short group name
If you do not want to rename the groups in IBM SOAR to match the full DN from AD, you can create custom claim rules that strip the DN down to the short group name (the CN value).
First delete the Is-Member-Of-DL to memberOf line you added to the claim rule earlier; the custom rules below replace it.
Then create the custom rules using the claim rule language and regular expressions, as described in --> https://social.technet.microsoft.com/wiki/contents/articles/16161.ad-fs-2-0-using-regex-in-the-claims-rule-language.aspx
The steps below worked on a particular version of Active Directory; your mileage might vary. If you are struggling to get this right, get assistance from the team that supports your IdP. IBM support cannot assist with configuring your IdP.

"AD.domain.com" has been used in all examples. This value needs to match that of your AD instance. Liaise with the team that supports AD/IdP for assistance.
Phase 1
Query Active Directory for the memberOf attribute of the Windows account that authenticated, and add each group DN to the pipeline as an intermediate claim. Because the rule uses add() rather than issue(), these DNs are not sent to IBM SOAR.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://AD.domain.com/phase1"), query = ";memberOf;{0}", param = c.Value);
Phase 2
Remove everything from the first comma onward, leaving only the CN= part of the DN. Note that this pattern truncates at the first comma it finds, so a group whose CN itself contains a comma (escaped as \, in the DN) is not handled correctly.
c:[Type == "http://AD.domain.com/phase1"]
 => add(Type = "http://AD.domain.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));
Phase 3
Strip the leading CN= and issue the short group name as the group claim that IBM SOAR reads.
c:[Type == "http://AD.domain.com/phase2"]
 => issue(Type = "group", Value = RegExReplace(c.Value, "^CN=", ""));
In the ADFS console the rules look like this:

The SAML response now carries the short name, which matches the IBM SOAR group name, and the group is read in correctly:
<Attribute Name="group">
  <AttributeValue>ResilientMasterAdmins</AttributeValue>
</Attribute>
You can use memberOf instead of group in the three phases.
Be aware of case sensitivity, and that group mapping is applied only when the user is first created in IBM SOAR through SAML. Subsequent logins do not re-add the user to the mapped groups if they have since been removed from them.
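The following Python script is an added example; it is not part of this document and not IBM SOAR or ADFS code. It models both halves of the mapping described above: the ADFS side, by applying the Phase 2 and Phase 3 regular expressions to each memberOf value, and the IBM SOAR side, by comparing the result case-sensitively against a list of SOAR group names and reporting the values that would be ignored. Paste an AttributeStatement captured from a SAML trace into it to predict which groups IBM SOAR will accept before changing production claim rules. The SAML response, the SOAR group list and all group names are constructed for illustration; the group containing an escaped comma shows that the Phase 2 pattern truncates at the first comma regardless of escaping, and the group that differs only in case shows the case-sensitivity note above.

```python
import re
import xml.etree.ElementTree as ET

# Regular expressions taken from the Phase 2 and Phase 3 ADFS rules above.
# Phase 2 removes everything from the first comma onward; Phase 3 removes
# the leading "CN=". The .NET and Python regex engines treat both identically.
PHASE2_PATTERN = r",[^\n]*"
PHASE3_PATTERN = r"^CN="

# Attribute names that may carry group values, depending on which ADFS rule
# is in use (memberOf, the Group claim, or the custom "group" claim).
GROUP_ATTRIBUTE_NAMES = (
    "memberOf",
    "http://schemas.xmlsoap.org/claims/Group",
    "group",
)

# Constructed: the group names configured in IBM SOAR for this example.
# The third one deliberately contains a comma to show the regex limitation.
SOAR_GROUPS = ["ResilientMasterAdmins", "ResilientAnalysts", "Incident, Responders"]

# Constructed: an AttributeStatement as ADFS sends it with only the
# Is-Member-Of-DL -> memberOf line added (full DNs, no custom phases).
# "Resilientanalysts" differs from the SOAR group only in case, and the
# last DN has an RFC 4514 escaped comma inside its CN.
RAW_RESPONSE = r"""<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>Shaun.Roberts@domain.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>CN=ResilientMasterAdmins,OU=groups,DC=domain,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=Resilientanalysts,OU=groups,DC=domain,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=Incident\, Responders,OU=groups,DC=domain,DC=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def _local_name(tag):
    """Strip the XML namespace so 'Attribute' matches with or without a prefix."""
    return tag.rsplit("}", 1)[-1]


def extract_group_values(attribute_statement_xml):
    """Return every AttributeValue found under a group-carrying Attribute."""
    root = ET.fromstring(attribute_statement_xml)
    values = []
    for elem in root.iter():
        if _local_name(elem.tag) != "Attribute":
            continue
        if elem.get("Name") not in GROUP_ATTRIBUTE_NAMES:
            continue
        for child in elem:
            if _local_name(child.tag) == "AttributeValue" and child.text:
                values.append(child.text.strip())
    return values


def dn_to_short_name(value):
    """Apply Phase 2 then Phase 3 to one claim value, as the ADFS rules do."""
    value = re.sub(PHASE2_PATTERN, "", value)
    return re.sub(PHASE3_PATTERN, "", value)


def adfs_transform(values):
    """Simulate the three-phase rule set: every memberOf DN becomes a short name."""
    return [dn_to_short_name(v) for v in values]


def soar_group_lookup(values, soar_groups):
    """Mimic the IBM SOAR side: exact, case-sensitive comparison of each SAML
    group value against the configured group names.

    Returns (matched, ignored). Ignored values are the ones that would produce
    the "does not exist in Resilient so it will be ignored" line in client.log.
    """
    known = set(soar_groups)
    matched = [v for v in values if v in known]
    ignored = [v for v in values if v not in known]
    return matched, ignored


def main():
    raw = extract_group_values(RAW_RESPONSE)

    print("Without the custom rules (full DNs):")
    matched, ignored = soar_group_lookup(raw, SOAR_GROUPS)
    for v in ignored:
        print(f"  SAML assertion indicated the user is in group {v}, "
              "but that group does not exist in Resilient so it will be ignored")

    print("With the three-phase rules applied:")
    matched, ignored = soar_group_lookup(adfs_transform(raw), SOAR_GROUPS)
    print(f"  matched: {matched}")
    print(f"  ignored: {ignored}")


if __name__ == "__main__":
    main()
```

With the constructed response, only ResilientMasterAdmins matches after the transform. Resilientanalysts is ignored because its case differs from the SOAR group, and the comma-containing group is reduced to a broken value because Phase 2 cuts at the escaped comma; if you have such group names, rename them or write a regex that respects RFC 4514 escaping before relying on this rule set.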
Troubleshooting
IBM support cannot provide assistance with creating the rules in Active Directory or other IdPs. To troubleshoot problems further, see the links in this document.
Document Location
Worldwide
Document Information
Modified date:
17 February 2022
UID
ibm11161322