Integrate SAML IdP with Xshield
You can integrate multiple Security Assertion Markup Language (SAML) Identity Providers (IdPs) with an Xshield instance. Azure AD and JumpCloud are examples of SAML IdPs that you can integrate with Xshield. The user identities fetched from the IdPs are added to the existing Xaccess user directory for the instance.
To follow best practices and harden user authentication on user assets, use IdP-native features such as Multi-Factor Authentication (MFA).
Prerequisites
- Add the ColorTokens ZTNA app to the Azure tenant and set up SAML Single Sign-On (SSO) for the app. For other IdPs, you must set up SAML SSO on the IdP.
- Download the federation metadata XML for the Azure tenant or the SAML IdP.
Integrate Azure AD
You can integrate multiple Azure tenants with an Xshield instance.
- Upload the federation metadata XML downloaded from the Azure tenant.
- Map the ColorTokens-defined user attributes to the corresponding Azure AD user attributes. For example, map First Name to givenname, and Group to the Azure AD group name that was added for the Group claim in Azure AD. You can map up to four attributes.
- (Optional) To fetch user identities from the Azure AD tenant quickly, copy the Base URL and Bearer Token values and add them to the IdP's native configuration. This enables SCIM-based provisioning for the relevant Xaccess users.
- Click Save.
Integrate other SAML IdPs
You can add multiple third-party SAML IdPs with an Xshield instance.
- Click Export ColorTokens Metadata to download the federation XML file for the instance.
- Set up SAML SSO on the IdP. For example, see the JumpCloud documentation.
The remaining steps to integrate other SAML-based IdPs are the same as those for integrating Azure AD.
Successful IdP integration
Upon successful integration with the IdP, you will:
- See the integrated IdP on the Onboard Users page.
- See the Security groups and Departments (or their equivalents in the IdP) fetched from the IdP on the Users, Groups, & Departments > Groups page.
- See the users fetched from the IdP on the Users, Groups, & Departments > Users page. With SCIM-based provisioning enabled, users appear sooner. Otherwise, a user appears only after logging in to the Xaccess private network for the first time.
Failed IdP integration
IdP integration with the instance cannot be completed if the federation metadata XML files are incorrect or corrupted, or if the ColorTokens ZTNA app (or the SAML SSO configuration for other IdPs) is misconfigured.
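Because a corrupted or wrong metadata file is one of the two listed causes of a failed integration, it is worth inspecting the IdP federation metadata XML before uploading it. The following Python script is an added example written for this page; it is not ColorTokens code and it does not know Xshield's upload format. It parses the standard SAML 2.0 metadata elements (EntityDescriptor, IDPSSODescriptor, signing KeyDescriptor, SingleSignOnService) and reports the problems that typically cause a rejected upload: malformed XML, an SP metadata file uploaded in place of IdP metadata, a missing signing certificate, or a non-HTTPS SSO endpoint. The sample metadata strings are constructed for the example; the certificate value is a base64 placeholder, not a real X.509 certificate.

```python
"""Sanity-check a SAML IdP federation metadata XML before uploading it."""
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata (hypothetical entity; the X509Certificate
# body is a base64 placeholder, not a real certificate).
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVItQ0VSVA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed failure cases: a truncated download, and an SP metadata file
# (what Export ColorTokens Metadata produces) uploaded by mistake.
CORRUPTED_METADATA = SAMPLE_METADATA[:-60]
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Parse IdP federation metadata and report what an SP integration needs.

    Returns entity_id, sso_endpoints (binding suffix -> URL), signing_certs
    (count) and problems (human-readable findings). An empty problems list
    means the file carries the required pieces; it does not prove that the
    IdP side (app assignment, claims) is configured correctly.
    """
    report = {"entity_id": None, "sso_endpoints": {}, "signing_certs": 0, "problems": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        report["problems"].append(f"not well-formed XML: {exc}")
        return report

    # Some IdPs wrap the EntityDescriptor in an EntitiesDescriptor container.
    if root.tag == f"{{{NS['md']}}}EntitiesDescriptor":
        root = root.find("md:EntityDescriptor", NS)
    if root is None or root.tag != f"{{{NS['md']}}}EntityDescriptor":
        report["problems"].append("root element is not a SAML 2.0 EntityDescriptor")
        return report

    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        report["problems"].append("entityID attribute is missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        kind = "SP metadata" if root.find("md:SPSSODescriptor", NS) is not None else "no SSO descriptor"
        report["problems"].append(f"no IDPSSODescriptor found ({kind})")
        return report

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                base64.b64decode("".join((cert.text or "").split()), validate=True)
                report["signing_certs"] += 1
            except ValueError:
                report["problems"].append("signing certificate is not valid base64")
    if report["signing_certs"] == 0:
        report["problems"].append("no usable signing certificate; assertions cannot be verified")

    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding", ""), sso.get("Location", "")
        short = binding.rsplit(":", 1)[-1]  # e.g. HTTP-Redirect, HTTP-POST
        report["sso_endpoints"][short] = location
        if not location.startswith("https://"):
            report["problems"].append(f"{short} SSO endpoint is not HTTPS: {location!r}")
    if not report["sso_endpoints"]:
        report["problems"].append("no SingleSignOnService endpoint found")
    return report


if __name__ == "__main__":
    for label, text in [("good", SAMPLE_METADATA), ("truncated", CORRUPTED_METADATA), ("sp", SP_METADATA)]:
        print(label, inspect_idp_metadata(text))
```

Run the script against the metadata file you downloaded from the tenant (read it into `inspect_idp_metadata`) and resolve every listed problem before uploading; an empty problem list only confirms the file itself, so a failed integration after that points at the ZTNA app or SAML SSO configuration on the IdP side.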
Disable IdP integration
Deleting an IdP integration from the Xaccess > Onboard Users page disables the integration with the instance. To completely disable the integration, you may also need to disable the integration in the IdP.
- Select the IdP and click Delete in the fly panel.
User-identities data from the deleted IdP may still be seen in some reports and widgets in Xshield for up to 30 days.
Next steps
- Create User groups to group the users imported from the IdPs.