Introduction

Aqua supports SAML 2.0 login. To enable SAML, Aqua Support will request some information from you. We will then enable SAML for a single user within your account so that no one loses access, allow you to test the configuration end-to-end, and then enable it for all your users.


Procedure


Step 1: Create a SAML application

To begin enabling SAML, you must first create a new application for Aqua in your SAML provider. The exact steps differ by provider, but most providers will require the following information:


US environment (cloud.aquasec.com)

Application Callback URL: https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Allowed Callback URLs: https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Audience (aka Entity/Issuer ID): urn:amazon:cognito:sp:us-east-1_voZ9dTvpW
Required Assertions: EmailAddress
Identity Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Required Attributes:
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Value: {User's email address}
Sign-in / Sign-out URL: https://cloud.aquasec.com/sso


ASIA-1 environment (asia-1.cloud.aquasec.com)

Application Callback URL: https://auth-sg-prod.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Allowed Callback URLs: https://auth-sg-prod.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
Audience (aka Entity/Issuer ID): urn:amazon:cognito:sp:ap-southeast-1_7AUN22FiF
Required Assertions: EmailAddress
Identity Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Required Attributes:
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Value: {User's email address}
Sign-in / Sign-out URL: https://asia-1.cloud.aquasec.com/sso


EU-1 environment (eu-1.cloud.aquasec.com)

Application Callback URL: https://auth-eu-prod.auth.eu-central-1.amazoncognito.com/saml2/idpresponse
Allowed Callback URLs: https://auth-eu-prod.auth.eu-central-1.amazoncognito.com/saml2/idpresponse
Audience (aka Entity/Issuer ID): urn:amazon:cognito:sp:eu-central-1_RAierVJ6g
Required Assertions: EmailAddress
Identity Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Required Attributes:
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Value: {User's email address}
Sign-in / Sign-out URL: https://eu-1.cloud.aquasec.com/sso


ASIA-2 environment (asia-2.cloud.aquasec.com)

Application Callback URL: https://auth-kr-prod.auth.ap-northeast-2.amazoncognito.com/saml2/idpresponse
Allowed Callback URLs: https://auth-kr-prod.auth.ap-northeast-2.amazoncognito.com/saml2/idpresponse
Audience (aka Entity/Issuer ID): urn:amazon:cognito:sp:ap-northeast-2_n4Oo1PAlV
Required Assertions: EmailAddress
Identity Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Required Attributes:
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Value: {User's email address}
Sign-in / Sign-out URL: https://asia-2.cloud.aquasec.com/sso
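The tables above are the values the service provider (Amazon Cognito, on Aqua's side) checks in every SAML Response it receives; a Response bound to the wrong callback URL or audience must be rejected, which is why the values differ per environment. The following is an added example, not Aqua's code, showing those per-environment checks in Python against a constructed, unsigned sample Response; it assumes XML signature verification has already been done, which a real service provider performs before reading any of these fields.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

ENVIRONMENTS = {  # values copied from the environment tables above (US and EU-1 shown)
    "us": {"callback": "https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse",
           "audience": "urn:amazon:cognito:sp:us-east-1_voZ9dTvpW"},
    "eu-1": {"callback": "https://auth-eu-prod.auth.eu-central-1.amazoncognito.com/saml2/idpresponse",
             "audience": "urn:amazon:cognito:sp:eu-central-1_RAierVJ6g"}}

def check_response(xml_text: str, env: str) -> list[str]:
    """List mismatches against one environment's table; assumes the XML signature was already verified."""
    expected = ENVIRONMENTS[env]
    problems = []
    root = ET.fromstring(xml_text)
    # Destination must be this environment's callback URL, not another region's.
    if root.get("Destination") != expected["callback"]:
        problems.append("Destination is not this environment's callback URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    # AudienceRestriction binds the assertion to exactly one SP entity ID.
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append("Audience is not this environment's Entity/Issuer ID")
    # Recipient ties the bearer confirmation to the same callback URL.
    scd = assertion.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["callback"]:
        problems.append("SubjectConfirmationData Recipient is not the callback URL")
    # The emailaddress claim is the identity claim Aqua maps the user on.
    emails = [v.text for v in assertion.findall(
        f".//saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue", NS)]
    if not any(emails):
        problems.append("required emailaddress attribute is missing or empty")
    return problems

# Constructed, unsigned sample Response for the US environment (illustration only).
SAMPLE_US = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{ENVIRONMENTS['us']['callback']}"><saml:Assertion>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{ENVIRONMENTS['us']['callback']}"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{ENVIRONMENTS['us']['audience']}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE_US, "us")` returns an empty list, while the same Response checked against `"eu-1"` reports the Destination, Audience and Recipient mismatches, which is exactly why an assertion issued for one environment cannot be accepted by another.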


Some providers have some custom options and settings you may need to configure differently. Please see the following guides:
- SAML Setup with JumpCloud
- SAML Setup with Azure Active Directory


After you have created your SAML application, you will need to provide your application information to Aqua Support. This can be either an exported XML metadata file or a link to an XML metadata endpoint. You can validate your XML file using an online SAML XML validator before sending it.


Step 3: Initiate the SAML setup

Once you have collected the above information and configured your application, please contact Aqua Support and provide the following information:

  1. Your XML file or XML metadata endpoint
  2. The domains you would like to allow to authenticate with your account. Aqua can support an unlimited number of domains.
  3. Whether you would like to enforce SAML login for all users in your account (if yes, existing usernames/passwords will no longer work and SAML will be enforced for all new and existing users)
  4. Whether you would like to enable just-in-time provisioning of user accounts (if yes, new users will be added to the "Default" groups).
  5. Which user (email address) you would like to use to test the configuration before enabling it globally


Step 4: Test the SAML setup

Once Aqua Support confirms receipt of the above, we will enable SAML for your account, but only apply it to the user you specify. This is done to prevent incorrect SAML configurations from locking out all other users in your account.


Aqua Support will then ask you to confirm the workflow by testing a SAML sign-in. If everything succeeds, we will then enable it for all other users.


Step 5: Next steps

  1. Aqua supports several advanced SAML features you may wish to enable; refer to Advanced SSO Features.
  2. Share the new SAML sign-in link with your users: https://cloud.aquasec.com/sso


Step 6: Customize the user session timeout (optional)

The default session timeout is 1 hour. Aqua can customize the session timeout for your users at the account level to between 30 minutes and 6 hours.


To modify the session timeout value, please contact Aqua Support.