Document toolboxDocument toolbox

User roles and SSO

Owned by Former user (Deleted)
Aug 02, 2023
5 min read
[ 1 User roles ] [ 2 Role permissions ] [ 3 Role management ] [ 4 Single Sign On (SSO) ] [ 5 SSO Configuration ] [ 6 SSO User management ] [ 7 Check SSO login ]

User roles

From EA 1.3.0 (fleet 4.0) the user role feature has been added with three permission levels to make it easier to manage who can access features and carry out actions in the EA Manager.

Role permissions

The table below shows the actions that each role can perform in the EA Manager:

Action

Observer

Maintainer

Admin

Action

Observer

Maintainer

Admin

Browse all hosts

✓

✓

✓

Filter hosts using labels

✓

✓

✓

Browse all policies

✓

✓

✓

Filter hosts using policies

✓

✓

✓

Target hosts using labels

✓

✓

✓

Run saved queries as live queries against all hosts

✓

✓

✓

Run custom queries as live queries against all hosts

 

✓

✓

Enroll hosts

 

✓

✓

Delete hosts

 

✓

✓

Create saved queries

 

✓

✓

Edit saved queries

 

✓

✓

Delete saved queries

 

✓

✓

Schedule queries for all hosts

 

✓

✓

Create packs

 

✓

✓

Edit packs

 

✓

✓

Delete packs

 

✓

✓

Create labels

 

✓

✓

Edit labels

 

✓

✓

Delete labels

 

✓

✓

Add policies for all hosts

 

✓

✓

Remove policies for all hosts

 

✓

✓

Create users

 

 

✓

Edit users

 

 

✓

Delete users

 

 

✓

Edit own user information

✓

✓

✓

Edit organization settings

 

 

✓

Create enroll secrets

 

✓

✓

Edit enroll secrets

 

✓

✓

Edit agent options

 

 

✓

Role management

Add role to user

Roles are assigned at the user creation and observer is the default role.

  1. From the EA Manager web UI, go to the User Management screen.

  2. Click on Create User.

  3. Fill the fields with the new user information and a Role bar appears for you to select the new user role.

  4. Once everything is filled, click on Create to finish the process and save the new user.

Modify user role

If you need to change a role after creating the user:

  1. From the EA Manager web UI, go to the User Management screen as shown above.

  2. Search for the user you want to modify and click on Actions → Edit.

  3. You can change the user’s name/alias and the role, just select the desired one and save the changes.

Single Sign On (SSO)

From EA 1.3.0 (fleet 4.0) SAML Single Sign On (SSO) capability is also supported.

Both SP-initiated SAML login and IDP-initiated login are supported, however IDP-initiated login must be enabled in the web interface's SAML single sign on options. It also supports SAML Web Browser SSO Profile using the HTTP Redirect Binding.

SSO Configuration

To enable SSO you need to modify the EA Manager configuration with an admin user.

  1. From the EA Manager web UI, go to the Settings screen.

  2. Search for SAML single sign on options in the left panel and fill the fields with your IDP information.
    If the IDP supports dynamic configuration, Identity provider name, Entity ID and Metadata URL/Metadata are mandatory. If not, Issuer URL is needed too.
    Metadata information can be provided by copying the IDP metadata in the Metadata field or providing it by URL in the Metadata URL field. Only one is needed.

  3. Scroll down until the Update settings button and click on it to save the changes.

A sample configuration with Okta as IdP

  • Step 1: in Okta, configure single sign-on URL with /api/v1/fleet/sso/callback at the back of the actual EA Manager URL. Example https://eam.xxx.xxx.xxx:8080/api/v1/fleet/sso/callback. Note down the Entity ID here fleet.

  • Step 2: in EA Manager web UI, fill in Okta as provider name and fleet as Entity ID, specify either Metadata or Metadata URL retrieved from Okta side.

  • Step 3: create user in EA Manager UI as shown in the section below with email address, and check the Enable Single Sign On option.

  • Step 4: navigate to EA Manager UI on port 8080, and click on Sign On with Okta.

SSO User management

Once SAML SSO options are configured, you can add your login user.

User creation

  1. From the EA Manager web UI, go to the User Management screen as shown above.

  2. Click on Create User as shown above.

  3. Fill the Full Name and the email fields taking into count that email must match with the one used in the SAML Assertion.
    Click on the Enable single sign on checkbox and select the desired role.

  4. Click on Create to save the changes.

The email used in the SAML Assertion must match a user that already exists in Fleet.

Adding existing user

  1. From the EA Manager web UI, go to the User Management screen as shown above.

  2. Search for the user you want to modify and click on Actions → Edit as shown above.

  3. Search for the Enable single sign on checkbox and click on it and save the changes.

The email used in the SAML Assertion must match a user that already exists in Fleet.

Check SSO login

With your SAML SSO configured and the users created, you can just sign out and check that you have the SSO login button on the login screen.

It appears with an icon if you have added an image in the IDP image URL field.

 

Â