
BlastShield Documentation

Configure Okta as an external identity provider and use your SSO for user authentication

In this configuration, users and user groups will be provisioned by the identity provider and the user authentication will use the identity provider's SSO.

BlastShield™ is SCIM 2.0 enabled and supports integration with identity providers such as Okta, Azure AD and One Identity. SCIM support allows user accounts to be created automatically in BlastShield™ when new user accounts are assigned to the SCIM application in the IdP. User account status and attributes are updated automatically in BlastShield™ whenever they change in the IdP. BlastShield™ supports OIDC (OpenID Connect), so users registering with the Orchestrator authenticate through the IdP's SSO.

Pre-requisites
  1. Your Orchestrator must have an SSO portal hostname configured for your network. Please contact support@blastwave.com to get one configured.

  2. You must have administrative read/write access to the BlastShield™ Orchestrator and to the Okta configuration portal.

  3. Users must have the BlastShield™ Desktop Client installed on their workstation. You can download it from here: Client download links

    1. Outbound UDP to all required destinations must be allowed.

    2. If you use DNS over HTTPS, ensure it is configured in your OS and not in your browser to allow the BlastShield Client to use its associated DNS server.

    3. Resolution of DNS requests must be supported by the network.

    4. Ensure that the timezone is correctly set on your computer for your location and that the clock is set accurately.

    5. Orchestrator access requires IPv6 support in the OS of the host running the desktop client, so make sure there is no Windows group policy disabling IPv6 in the registry.

Summary
  1. Set up OpenID Authentication.

  2. Configure the SCIM Provisioning.

  3. Connect the BlastShield™ network.

Set up OpenID Authentication
  1. Find your Okta domain and copy it. To find your Okta URL (also called an Okta domain), sign in to your Okta organization with your administrator account, and look for the Okta domain in the global header located in the upper-right corner of the dashboard.

  2. Open the BlastShield™ Orchestrator and from the settings menu on the left, go to the “Identity Provider” settings page.

    1. Click on the Enable External Identity Provider checkbox.

    2. Under USER AUTHENTICATION METHOD, select the option for SSO Credentials.

    3. In the OpenID configuration section, enter your Okta tenant domain (e.g. mycorporation.okta.com) as the “Domain”. Make sure to leave out any trailing slashes.

  3. In Okta, click “Create App Integration” and select “OIDC - OpenID Connect” followed by “Web Application” and click “Next”.

    1. Name the App integration “BlastShield OIDC”.

    2. Find the "Redirect URI" from the OpenID configuration in the BlastShield™ Orchestrator. This is in the format https://<your-domain>.blastshield.app/api/signin-authorized and is located as shown here:

    3. Copy the “Redirect URI” from the BlastShield™ Orchestrator and paste it in as the “Sign-in redirect URI” in Okta. Remove any default “Sign-out redirect URIs”.

  4. Under “Assignments” select your preferred option and click “Save”.

  5. Copy the “Client ID” and the generated “Client Secret” from Okta and paste them into the corresponding text fields in BlastShield.

  6. Click “Back to Applications”.

Configure the SCIM Provisioning
  1. In Okta, click “Create App Integration” and select “SWA - Secure Web Authentication” and click “Next”.

  2. Enter BlastShield SCIM as the “App name”. Copy the “SSO TENANT > SSO Tenant URL” from the BlastShield Orchestrator, enter it as the “App’s login page URL” in Okta, and click “Finish”.

  3. Click on the “General” tab and select “Edit” in the “App settings” box. Select “Enable SCIM provisioning” and click “Save”.

  4. Click on the “Provisioning” tab and select “Edit” next to “SCIM Connection”.

    1. Copy the “SCIM Endpoint” from BlastShield and enter it as the “SCIM connector base URL” in Okta.

    2. Enter userName as the “Unique identifier field for users”.

    3. Under “Supported provisioning actions”, check “Push New Users”, “Push Profile Updates” and “Push Groups”.

    4. Select “HTTP Header” as the “Authentication Mode”.

    5. In BlastShield, click the “Generate Token” button and copy the token to the clipboard. Click “Save Changes” before going back to Okta.

    6. Paste the copied token into the “Authorization” field and click “Test Connector Configuration”.

  5. Make sure that the test results show “Connector configured successfully”, then click “Save”.

  6. Click “Edit” next to “Provisioning to App” and enable “Create Users”, “Update User Attributes” and “Deactivate Users”, then click “Save”.

  7. Click on the “Assignments” tab and assign the users and/or groups that you want to give access to your BlastShield Network.

  8. Optionally click on the “Push Groups” tab and push the groups that you want to import into BlastShield.

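As an added illustration (not BlastShield's or Okta's code), the Python sketch below of a minimal SCIM 2.0 endpoint shows what the connector settings in steps 4.1 to 4.6 and step 6 mean on the wire: the generated token arriving as an Authorization header, lookups keyed on userName, new users created with POST /Users, and deactivation delivered as a PATCH that sets active to false rather than a delete. The token value and the in-memory USERS store are constructed placeholders.

```python
import json
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins: SCIM_TOKEN for the Orchestrator's "Generate Token" output,
# USERS for the provisioning target's user table (SCIM id -> user resource).
SCIM_TOKEN = "example-token-not-real"
USERS = {}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
UPDATABLE = ("active", "emails", "name", "displayName")


def error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def handle(method, path, headers, body=None):
    """Serve one SCIM 2.0 request as the IdP connector sends it; returns (status, dict)."""
    # Authentication Mode "HTTP Header": the bearer token is compared in constant time.
    sent = headers.get("Authorization", "").encode()
    if not secrets.compare_digest(sent, ("Bearer " + SCIM_TOKEN).encode()):
        return error(401, "invalid or missing bearer token")
    url = urlsplit(path)
    if method == "GET" and url.path == "/Users":
        # Connector test and pre-push lookups: GET /Users[?filter=userName eq "..."]
        flt = parse_qs(url.query).get("filter", [""])[0]
        m = re.fullmatch(r'userName eq "([^"]+)"', flt)
        hits = [u for u in USERS.values() if not flt or (m and u["userName"] == m.group(1))]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}
    if method == "POST" and url.path == "/Users":
        # "Push New Users" / "Create Users": userName is the unique identifier (step 4.2)
        new = json.loads(body)
        if any(u["userName"] == new["userName"] for u in USERS.values()):
            return error(409, "userName already exists")
        uid = str(len(USERS) + 1)
        USERS[uid] = {"schemas": [USER_SCHEMA], "id": uid, "userName": new["userName"],
                      "active": bool(new.get("active", True)), "emails": new.get("emails", [])}
        return 201, USERS[uid]
    m = re.fullmatch(r"/Users/([^/]+)", url.path)
    if method == "PATCH" and m and m.group(1) in USERS:
        # "Push Profile Updates" / "Deactivate Users": a PatchOp replaces attributes;
        # deactivation sets active=false and keeps the record, it does not DELETE it.
        user = USERS[m.group(1)]
        for op in json.loads(body).get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            changes = op["value"] if isinstance(op.get("value"), dict) else {op.get("path"): op.get("value")}
            user.update({k: v for k, v in changes.items() if k in UPDATABLE})
        return 200, user
    return error(404, "unsupported resource or method")
```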

Note

When this configuration is completed, users and groups which are assigned to the BlastShield™ application in Okta will be automatically provisioned into the BlastShield™ Orchestrator, and will be available to use in BlastShield™ policies. It is not possible to modify the provisioned groups from the Orchestrator, but you can add a provisioned user to BlastShield™-created groups.

Connect to BlastShield™ using the Desktop Client

To learn how to register a new user, please follow the link: Remote User Access using an SSO for user authentication