4.53 SAML Security Updates
More details and required actions following the 4.53 Security Updates
Main Changes
This release includes several important security enhancements and security vulnerabilities fixes related to SAML integration:
-
Enforcing strict authorization for information passed within the SAML assertion group attribute expression: any user with missing or incorrect (non existing) assignment of an Environment name or Role, or using an empty expression will be denied access to the system.
We will provide a backwards compatibility mode for an interim period (until November 2020 release). To enable this mode, see instructions below. Since using this mode is less secure, you will need to request our Support team to enable this for your domain when using SaaS, or apply it specifically in your backend configuration when using an On-Premises deployment. -
Added an option to restrict the SAML group attribute name to a single attribute name. This will be an optional property (until November 2020 release), and will be restricted to a default attribute name ("overops-groups") or a given name after this period. See instructions below on how to set it.
-
Added a new property to allow to set the default access role for authenticated users. This role is used if using the simplified SSO mode, or when using SAML Groups attribute with backwards compatibility mode enabled and an empty expression. The current default role is “Member”. The default role will be changed to “No_Access” (on the November 2020 release) unless otherwise set specifically. It is therefore advised to set the default role in advance as a best practice and to prevent unwanted authorization results.
-
Improved user authorization flows when accessing the application through direct ARC or Dashboard links. Unauthenticated users will be redirected to their IDP auth page or to the Login page if they use basic authentication or have more than a single domain. Authenticated users without specific permission into an environment accessed through a direct link will receive a no-permissions error with basic details they can use to request access.
-
Added support with SAML assertions containing an ‘Unspecified’ KeyDescriptor.
Required Actions
Customers using SAML and SSO to authenticate & authorize need to take several actions when upgrading the backend with this release (4.53), while SaaS customers are required to contact our Support to review and update their SAML settings.
The properties mentioned here can be added to your backend my.server.properties file (for On-Premises deployments).
For SaaS configuration - contact our Support.
(1) If using the SAML Groups attribute to pass authorization information:
A. Set the attribute name or make sure that you are using the OverOps default name (overops-groups):
LDAP_SAML_GROUPS_FIELD_NAMES=
B. Make sure that the information passed in this attribute is full and correct for all users.
If for any reason you suspect that you have some missing values for some users or incorrect names on some of the environment names or roles (or if using old environments which have been removed by the Domain Initializer from the Domain's scope) you can set the Backwards-Compatability mode temporarily until 'cleaning up' or validating the authorization data for your domain users.
To enable the Backwards-Compatability mode for an On-Premesis deployment add the property:
SAML_GROUPS_ENABLE_BACKWARD_COMPATIBLE_MODE=true
(2) Set the default access role - when not using SAML groups, or when using SAML groups with an empty value and using the backwards compatibility mode - the default access role is used for all authenticated users on the domain scope.
To set the default role, add the following property:
SAML_BASIC_SSO_MODE_DEFAULT_ROLE=<Set one of the following options: No_Access / Viewer / Member>
Updated almost 2 years ago