Introduction

Aqua offers single sign-on using SAML. This document outlines the recommended process to set up Aqua SAML IdP-initiated SSO with Okta. The setup process consists of the following steps, which are described in depth below:

  1. Create a new SAML application
  2. Create a Bookmark App
  3. Use the provided settings to generate an XML file or metadata endpoint
  4. Provide that file or endpoint to Aqua Support
  5. Assign Users/Groups to the App and Bookmark App
  6. Aqua will enable SAML
  7. Users will be directed to sign in via our /sso login page


Create a new SAML application


Settings

Okta's login mechanism from its App Home is IdP-initiated SAML. While we do not support IdP-initiated SAML natively, the following URL offers an easy and workable solution:

https://cloud.aquasec.com/sso?connection=YOURACCOUNTNAME

This URL will trigger the SAML flow immediately, without users having to enter their email address.


In addition, Okta requires the emailaddress SAML claim to be configured with its full URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


With your existing SAML-compatible provider, create a new web application with the following endpoints and audience settings.


Application Name: Aqua App
Application Type: Web
SSO URL: https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Application Callback URL: https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Allowed Callback URLs: https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
Audience: urn:amazon:cognito:sp:us-east-1_voZ9dTvpW
Required Attributes: email
Assertion/Claim*: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
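
As an added example (not Aqua's or Okta's code), the following Python check parses a SAML Response and confirms it carries the three settings from the table above: the SSO/ACS URL as Destination, the Cognito audience, and the emailaddress attribute under its full claim URL rather than the short name. The sample response is constructed and unsigned; the check deliberately leaves signature verification to the service provider.

```python
import xml.etree.ElementTree as ET

# Added example, not Aqua's or Okta's code: checks a SAML Response against the
# three SP settings in the table above. It does NOT verify the XML signature;
# the SP (Cognito) does that, and no response is trusted without it.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
AUDIENCE = "urn:amazon:cognito:sp:us-east-1_voZ9dTvpW"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_response(xml_text):
    """Return the list of mismatches; empty means all three settings match."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != ACS_URL:
        problems.append("Destination does not match the SSO/ACS URL")
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience does not match the Cognito SP urn")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    if EMAIL_CLAIM not in attrs:
        # The usual mistake: the short attribute name instead of the full claim URL.
        short = [n for n in attrs if n and n.rsplit("/", 1)[-1] == "emailaddress"]
        hint = f" (found short name {short[0]!r}; use the full claim URL)" if short else ""
        problems.append("emailaddress attribute missing" + hint)
    elif not any(v and "@" in v for v in attrs[EMAIL_CLAIM]):
        problems.append("emailaddress attribute carries no e-mail value")
    return problems


# Constructed sample: an unsigned response carrying the correct settings.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# Same response with only the short claim name, which the check flags.
BAD_RESPONSE = GOOD_RESPONSE.replace(f'Name="{EMAIL_CLAIM}"', 'Name="emailaddress"')
```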



Procedure


1. Create a New App.



2. Name the App and hide it.  



3. Configure the App.



4. Complete the setup.



5. Export the Metadata.


 

Create a Bookmark App


1. In the Applications page, click Add and type "Bookmark App" in the search box.



2. Enter Aquasec as the name of the app and the URL: https://cloud.aquasec.com/sso?connection=YOURACCOUNTNAME


Do not hide the Bookmark app. Leave both Application Visibility boxes unchecked, as shown in the screenshot.



3. To help users identify the Bookmark App, you can add the Aqua logo and a description to it.


4. After assigning the app, the screen shown below will be displayed. Move the cursor to the position indicated by the red arrow. An edit button with a pencil icon appears. Click this icon to open the logo edit screen.



5. The Edit Logo window opens. Change the logo to https://aquasec.com/img/logo-medium.png to make it clear to the end users which app is opened.



6. After creating the application, reply to your original SAML Support request with either an XML metadata file or a link to an XML metadata endpoint. Aqua will then complete the integration setup. Existing users do not need to be re-created or re-invited.


Assign users/groups

Make sure you assign users and/or groups to both the App and the Bookmark App to grant Aqua access to your users.


User login to Aqua (optional)

1. After the application has been created, users who sign in via the Aqua SSO page (https://cloud.aquasec.com/sso) will be redirected to your login provider.

2. After entering an email address, users will be redirected to the appropriate SAML application.


Support

If you have any questions, please contact Aqua Support. We will be happy to assist you during the process via email, phone, or screen share.