IdP-initiated SAML lets a user click a tile in the SAML provider's (IdP's) dashboard to launch the Aqua application. Aqua does not natively support IdP-initiated SAML, but there is a simple workaround.
Aqua's SSO sign-in page accepts a connection name that is unique to your organization. Using a link that carries this name, you can create a "bookmark" application within your SAML provider. Most providers, including Okta and OneLogin, support bookmark applications.
When an IdP-initiated SAML login is attempted, Aqua rejects it with an error.
This happens because Aqua does not support this type of access: the login must start at Aqua's SSO page. Instead, either use the direct login link (e.g. https://cloud.aquasec.com/sso?connection=your-connection-name) or use the bookmark process described below.
The setup will consist of the following:
- A standard SAML 2.0 application, configured using Aqua's standard SAML setup.
- A second, "bookmark" application that sends users to the /sso entry point, which then redirects them into the first application's SAML flow (an SP-initiated login that Aqua does support).
To configure this flow, please follow these steps:
- Create the first application by following the onboarding steps and working with Aqua Support.
- Confirm that you can log in via the standard SAML page: https://cloud.aquasec.com/sso
- Once you've verified that login works, ask Aqua Support for your unique login link. We will provide a /sso URL with a parameter specific to your organization that sends your users directly to your SAML provider's login page without having to type their email addresses.
- Create a new "bookmark" application in your SAML provider and paste the provided link as its URL.
- When users click the bookmark application in the provider dashboard, they are redirected to the Aqua /sso endpoint with your connection parameter, which then initiates the SAML flow to the first application.
- Optionally, hide the first application from the provider dashboard so users can only click the bookmark application. Hiding it only affects the dashboard; the first application still performs the actual SAML exchange, so do not delete or disable it.
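The following pre-flight check is an added example and not Aqua's own code. It builds the direct login link from a connection name, validates a link before it is pasted into the bookmark application (https, the cloud.aquasec.com host, the /sso path, exactly one connection parameter), and checks that a response from that link is a redirect to your IdP rather than an error. The /sso endpoint, the connection parameter and the cloud.aquasec.com host come from the page above; the IdP host example.okta.com and the sample redirect response are assumptions constructed for the example.

```python
"""Pre-flight checks for an Aqua SAML "bookmark" link.

Added example, not Aqua's own code. The /sso endpoint, the ``connection``
query parameter and the host cloud.aquasec.com come from the page; the IdP
host (example.okta.com) and the sample redirect headers are assumptions
constructed for this example.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

AQUA_SSO_HOST = "cloud.aquasec.com"
AQUA_SSO_PATH = "/sso"


def build_login_link(connection: str) -> str:
    """Build the direct login link for a connection name.

    The name is percent-encoded so characters such as spaces or '&' cannot
    alter the query string.
    """
    if not connection or connection != connection.strip():
        raise ValueError("connection name must be non-empty with no surrounding whitespace")
    query = urlencode({"connection": connection})
    return urlunsplit(("https", AQUA_SSO_HOST, AQUA_SSO_PATH, query, ""))


def check_bookmark_link(url: str) -> list[str]:
    """Return the problems found in a link about to be pasted into a bookmark app.

    An empty list means the link looks right: https, the Aqua SSO host, the
    /sso path and exactly one non-empty connection parameter.
    """
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.hostname != AQUA_SSO_HOST:
        problems.append(f"host must be {AQUA_SSO_HOST}, got {parts.hostname!r}")
    if parts.path.rstrip("/") != AQUA_SSO_PATH:
        problems.append(f"path must be {AQUA_SSO_PATH}, got {parts.path!r}")
    conn = parse_qs(parts.query).get("connection", [])
    if len(conn) != 1 or not conn[0]:
        problems.append("exactly one non-empty connection parameter is required")
    return problems


def check_sso_handoff(status: int, headers: dict[str, str], idp_host: str) -> bool:
    """True if a response from the direct link is a redirect to the IdP.

    The bookmark only works if the direct link itself hands the browser off
    to the IdP; an error page or a redirect elsewhere means the connection
    name or the IdP configuration is wrong.
    """
    if status not in (302, 303, 307):
        return False
    location = headers.get("Location") or headers.get("location")
    if not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == idp_host


# Constructed sample of the headers a direct-link request might return.
# The IdP host and path are assumptions, not values from the page.
SAMPLE_STATUS = 302
SAMPLE_HEADERS = {"Location": "https://example.okta.com/app/aqua/sso/saml"}

if __name__ == "__main__":
    link = build_login_link("your-connection-name")
    print(link)
    print("bookmark link problems:", check_bookmark_link(link))
    print("hands off to IdP:", check_sso_handoff(SAMPLE_STATUS, SAMPLE_HEADERS, "example.okta.com"))
```

To run the hand-off check against the real endpoint, fetch the response headers with `curl -sSI "https://cloud.aquasec.com/sso?connection=your-connection-name"` and pass the status code and Location header to check_sso_handoff with your own IdP hostname. A link that fails check_bookmark_link should not be pasted into the bookmark application, since a wrong host or a missing connection parameter will send users to the generic sign-in page or to the wrong site.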
If you have any questions, please contact support.