Configuring Authentication Method for Organization
After creating an organization associated with your SSE or higher edition license keys, you must first select and configure an authentication method so that users can log in to the organization. Zenconsole organizations support the following authentication methods. You can use one of them to allow your gateways or endpoints to register with your organization:
- Google Cloud Identity
- SAML 2.0
- Built-in Authentication (Email & Password)
- Azure AD
One-Time Password support will be available soon.
1. Enabling Google Cloud Identity
To be able to use Google Workspace for identity management in your organization, you must integrate your Zenconsole organization with your Google Workspace. This integration ensures your organization's users and groups are automatically added and updated with regular syncs, keeping all information accurate and current without manual effort.
You may easily enable Google Cloud Identity for your organization and allow users to sign in to the organization using their Google Workspace accounts by following the next steps.
- Log in to Zenconsole.
- Select the organization you want to manage.
- Navigate to the Settings > Identity & Access Management page.
Figure 1. Identity & Access Management page
- Go to the Authentication Method pane at the top of the page.
- Click the + Add Authentication Method drop-down menu at the top right of the pane. All supported authentication methods will appear.
Figure 2. Selecting Authentication Method
- Click the Google Cloud Identity option to configure Google Workspace as the organization authentication method. This will pop up the Google Cloud Identity configuration wizard window.
- Type the domain that you want to be synchronized with Zenconsole for user authentication. Users with email addresses from these domains can sign in to your organization.
Figure 3. Adding Accepted Domains
- Click the + Add Domain button. You may add as many domains as you need. Accepted domains will be automatically displayed below. You may quickly remove a domain by clicking the x icon next to its name if you need to.
Figure 4. Accepted Domains
- Click Continue to proceed with the Google Cloud Identity configuration. This will provide a link for the Google Cloud Identity integration and await authorization from your domain administrator.
Figure 5. Generating Link and Waiting for Google IDP Authorization
- You may either click on the link if you have administrator privileges for your domain, or copy it and share it with a domain administrator, so that Zenconsole is able to access your Google Workspace and synchronize user accounts.
- Go to the link generated in the previous step and sign in to Google using an account with admin privileges.
Figure 6. Signing in to Google with an Admin Account
- Click Allow to give the required privileges on your domain to Zenconsole.
Figure 7. Accepting Permission Requests
- You should observe that Zenconsole access has been granted to your domain. Zenconsole will now routinely update your users and groups, as they are now synchronized.
Figure 8. Google Access Granted
- Click on the Zenconsole link, which will redirect you to the organization Identity & Access Management page. You should see that Google is set as the Default authentication method for your organization.
Figure 9. Google Default Authentication Method
Beware that to let your domain users sign in to the organization, you will need to approve them by navigating to the Users settings page.
2. Enabling Generic SAML 2.0
You may use any identity provider that supports the SAML 2.0 single sign-on (SSO) protocol, such as Google or Okta, as the identity provider for your organization. If you prefer to use the SAML 2.0 protocol as your organization's authentication method, you must follow these steps:
- Select an identity provider, such as Okta, that supports the SAML 2.0 protocol.
- Create a SAML application on the identity provider (IdP) and download the metadata file.
- Import the SAML IdP metadata file into your Zenconsole organization.
In this section, you will find the details about enabling SAML 2.0 and downloading the IdP metadata file on both identity providers, Google and Okta. Lastly, we explain how to import the SAML metadata into your organization on Zenconsole.
Beware that when you use the SAML 2.0 authentication method for your organization, you must add users and groups to the organization manually. On the other hand, if your organization has Google Workspace and you integrate your Zenconsole organization with Google Cloud services as described in the previous section, all users and groups are automatically fetched and regularly synced.
Creating SAML2 IdP Metadata using Google Workspace
You may create an application and download the IdP metadata on Google Workspace for your organization by following these steps:
- Sign in to your Google Admin console.
- In the Admin console, navigate to Apps > Web and mobile apps on the left-side bar.
Figure 10. Google Web and Mobile Apps
- Click the Add app drop-down menu and then select Add custom SAML app.
Figure 11. Adding Custom SAML App
- Enter an App Name, such as Zenarmor.
- Optionally, you may type a Description and add an icon for the app.
- Click Continue.
Figure 12. Google SAML App Details
- Click the Download Metadata button to download the IdP metadata file.
Figure 13. Downloading Google IDP Metadata
- Click on the Save button to download the Google IdP metadata file in xml format to your local disk.
- Click Continue.
- Enter the ACS URL, such as https://dash.zenarmor.com/saml/{domain}.
- Enter the Entity ID, such as https://dash.zenarmor.com/saml/{domain}.
- You may leave Name ID format and Name ID at their defaults.
Figure 14. Google iDP Service Provider Details
- Click Continue.
- You may skip the Attribute Mapping settings and click Finish.
Figure 15. Google Attribute Mapping
- Click on the User access pane.
Figure 16. Viewing the Google SAML App Configuration
- Set Service status to ON for everyone.
Figure 17. Setting Google Service Status
- Click Save to activate the settings.
Your Google IdP SAML 2.0 configuration is ready to use.
Creating SAML2 IdP Metadata using Okta
You may create an application and download the IdP metadata on Okta for your organization by following these steps:
- Sign in to your Auth0 dashboard.
Figure 18. Auth0 Dashboard
- Navigate to Applications > Applications on the left-side bar.
Figure 19. Navigate Applications
- Click + Create Application to add an application.
- Enter a Name, such as Zenarmor, and then click Create. You may leave the Application Type option at its default, Native. This will automatically create your app.
Figure 20. Naming Application
- Go to the Addons tab on your new application dashboard.
Figure 21. App Dashboard
- Enable SAML2 WEB APP by clicking on the toggle. This will launch the SAML2 Web App Addon window.
Figure 22. Enabling SAML2 WEB APP
- Click on the Download link next to Identity Provider Metadata in the SAML2 Web App Addon Usage tab.
Figure 23. SAML2 Web App Addon Usage
- Click on the Save button to download the IdP metadata file to your local disk.
- Navigate to the Settings tab in the SAML2 Web App Addon window.
- Enter the Application Callback URL, such as https://dash.zenarmor.com/saml/{domain}.
Figure 24. Setting Application Callback URL
- Navigate to the bottom of the window and then click Enable.
- Close the SAML2 Addon window.
- Navigate to the Settings tab.
Figure 25. App Settings
- Scroll down to the Application URIs section.
Figure 26. Updating Application URI
- Enter the Application Login URI, such as https://dash.zenarmor.com/saml/{domain}.
- Enter the Allowed Callback URLs, such as https://dash.zenarmor.com/saml/{domain}.
- Enter the Allowed Web Origins, such as https://dash.zenarmor.com.
- Click Save Changes to activate the settings.
Importing SAML 2 IdP Metadata on Zenconsole
To complete the SAML2 authentication configuration, import the SAML 2.0 IdP metadata file you created on the identity provider (IdP) website into Zenconsole by following the next steps.
- Log in to Zenconsole.
- Select the organization that you have recently created.
- Navigate to Settings > Identity & Access Management.
Figure 27. Identity Access Management Settings Page
- Go to the Authentication Method pane at the top of the page.
- Click the + Add Authentication Method drop-down menu at the top right of the pane. All supported authentication methods will appear.
Figure 28. Selecting Authentication Method
- Click the Generic SAML 2.0 menu item to configure the SAML 2.0 protocol as the organization authentication method. This will open the SAML 2.0 configuration window.
Figure 29. Configure SAML
- You may copy the URL supplied in the window and use it to integrate your identity provider with Zenconsole if you have not already done so.
- Click the Upload Metadata button to upload the IdP metadata file. This will open a file browser.
- Select the xml metadata file you recently downloaded from the identity provider and then click Open. This will upload the metadata file used for the SAML 2.0 integration.
Figure 30. Selecting Metadata File
- Click the Save Configuration button below to save the configuration and enable the SAML 2.0 integration. Once the configuration is saved, SAML 2.0 will be the default authentication method for all users in this organization.
Figure 31. Enabling SAML Integration
- You may check the Identity Provider (IdP) URL and the Certificate Expiration date in the Generic SAML 2.0 configuration window.
Figure 32. Generic SAML Configuration Completed
- Click Close to complete the generic SAML2 configuration.
- You will now see that SAML 2.0 is configured as the default authentication method for your organization.
Figure 33. IAM Settings with SAML Enabled
After enabling the SAML 2.0 authentication method for your organization, do not forget to add users via the Users settings page. Otherwise, you may not be able to define user-based policies, and endpoints cannot sign in to the organization.
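The Generic SAML 2.0 window shows the IdP URL and the Certificate Expiration date that Zenconsole reads out of the uploaded metadata. The following Python script is an added example, not Zenconsole code and not part of the original page: it reads the same fields from an IdP metadata file such as the one downloaded from Google Workspace or Auth0 above, reporting the entityID, the SingleSignOnService endpoints and the signing certificate's notAfter date, and it warns when the certificate is close to expiry so that fresh metadata can be uploaded through Reconfigure before SAML responses stop validating. The metadata document, the IdP hostname idp.example.com and the certificate are constructed samples (the certificate is an unsigned, key-less DER shell that only carries the fields the validity walk needs); the DER parsing is deliberately minimal so the script runs on the standard library alone.

```python
"""Inspect SAML 2.0 IdP metadata: entityID, SSO endpoints and signing-certificate expiry."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag, value):
    """Parse UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) of a DER X.509 certificate.

    Walks Certificate -> tbsCertificate -> [version] serialNumber signature issuer -> Validity.
    """
    _, outer, _ = _der_tlv(der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _der_tlv(outer, 0)       # tbsCertificate ::= SEQUENCE { ... }
    pos = 0
    tag, _, nxt = _der_tlv(tbs, pos)
    if tag == 0xA0:                      # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(3):                   # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _der_tlv(tbs, pos)
    _, validity, _ = _der_tlv(tbs, pos)  # Validity ::= SEQUENCE { notBefore Time, notAfter Time }
    tag_nb, nb, pos = _der_tlv(validity, 0)
    tag_na, na, _ = _der_tlv(validity, pos)
    return _asn1_time(tag_nb, nb), _asn1_time(tag_na, na)


def inspect_idp_metadata(xml_text, now=None, warn_days=30):
    """Summarize an IdP metadata document and flag expiring or missing signing certificates."""
    now = now or dt.datetime.now(dt.timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "sso": {}, "certs": [], "warnings": []}
    for sso in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        binding = sso.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect, HTTP-POST
        location = sso.get("Location") or ""
        report["sso"][binding] = location
        if not location.startswith("https://"):
            report["warnings"].append(f"SSO endpoint for {binding} is not https")
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            nb, na = cert_validity(base64.b64decode("".join(cert.text.split())))
            days_left = (na - now).days
            report["certs"].append({"not_before": nb, "not_after": na, "days_left": days_left})
            if days_left < 0:
                report["warnings"].append("signing certificate has expired")
            elif days_left < warn_days:
                report["warnings"].append(f"signing certificate expires in {days_left} days")
    if not report["certs"]:
        report["warnings"].append("no signing certificate in metadata")
    return report


def _der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: an unsigned, key-less certificate shell valid 2024-01-01 to 2026-01-01.
_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
_TBS = (_der(0xA0, _der(0x02, b"\x02"))                  # version v3
        + _der(0x02, b"\x01")                             # serialNumber 1
        + _der(0x30, _SHA256_RSA)                         # signature algorithm
        + _der(0x30, b"")                                 # issuer (empty Name)
        + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"260101000000Z"))
        + _der(0x30, b""))                                # subject (empty Name)
SAMPLE_CERT_DER = _der(0x30, _der(0x30, _TBS) + _der(0x30, _SHA256_RSA) + _der(0x03, b"\x00"))
FIXED_NOW = dt.datetime(2025, 1, 1, tzinfo=dt.timezone.utc)  # reference date for the demo

# Constructed metadata in the shape Google Workspace and Auth0 export (idp.example.com is a placeholder).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{DS_NS}"><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    rep = inspect_idp_metadata(SAMPLE_METADATA, now=FIXED_NOW)
    print(rep["entity_id"], rep["sso"])
    for c in rep["certs"]:
        print("signing cert valid until", c["not_after"].date(), "-", c["days_left"], "days left")
    for w in rep["warnings"]:
        print("WARNING:", w)
```

To check a real export, replace SAMPLE_METADATA with the contents of the downloaded xml file and drop the fixed date; a negative days_left means the IdP has already rotated or let its signing certificate lapse and the metadata must be uploaded again through Reconfigure.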
3. Enabling Built-in Authentication (Email & Password)
Zenconsole allows users to sign in to the organization with their email addresses and passwords. You may activate the email and password authentication method by following these steps.
- Log in to Zenconsole.
- Select the organization you want to manage.
- Navigate to the Settings > Identity & Access Management page.
Figure 34. Identity Access Management Settings
- Go to the Authentication Method pane at the top of the page.
- Click the + Add Authentication Method drop-down menu at the top right of the pane. All supported authentication methods will appear.
Figure 35. Selecting Authentication Method
- Click the Built-in Authentication option to configure the organization authentication method. This will pop up the Email/Password configuration wizard window.
Figure 36. Enabling Email/Password
- Click the Enable Built-in Authentication button to let users log in using their email addresses and passwords. No further configuration is required.
- Click Close to activate the settings.
Beware that when you use the Built-in Authentication method for your organization, you must add users and groups to the organization manually. On the other hand, if your organization has Google Workspace and you integrate your Zenconsole organization with Google Cloud services as described in the Google Cloud Identity section above, all users and groups are automatically fetched and regularly synced.
If you configure Built-in Authentication as the default authentication method for your organization, users must set their passwords manually during their first login attempt. They will receive a verification code so that they can set their organization password safely.
Figure 37. Verification Email
4. Enabling Azure AD
To be able to use Azure AD for identity management in your organization, you must integrate your Zenconsole organization with your Azure account. This integration ensures your organization's users and groups are automatically added and updated with regular syncs, keeping all information accurate and current without manual effort.
You may easily enable Azure AD for your organization and allow users to sign in to the organization using their Azure AD accounts by following the next steps.
- Log in to Zenconsole.
- Select the organization you want to manage.
- Navigate to the Settings > Identity & Access Management page.
Figure 38. Identity & Access Management page
- Go to the Authentication Method pane at the top of the page.
- Click the + Add Authentication Method drop-down menu at the top right of the pane. All supported authentication methods will appear.
Figure 39. Selecting Azure for Authentication Method
- Click the Azure AD option to configure Azure AD as the organization authentication method. This will pop up the configuration wizard window.
- Type the domain that you want to be synchronized with Zenconsole for user authentication. Users with email addresses from these domains can sign in to your organization.
- Click the + Add Domain button. You may add as many domains as you need. Accepted domains will be automatically displayed below. You may quickly remove a domain by clicking the x icon next to its name if you need to.
- Click Continue to proceed with the Azure AD configuration. This will provide a link for the Azure AD integration and await authorization from your domain administrator.
Figure 40. Adding Accepted Domains and Waiting for Azure AD
- You may either click on the link if you have administrator privileges for your domain, or copy it and share it with a domain administrator, so that Zenconsole is able to access your Azure AD and synchronize user accounts.
- Go to the link generated in the previous step and sign in to Azure using an account with admin privileges.
- Click Accept to give the required privileges on your domain to Zenconsole.
Figure 41. Accepting Permission Requests
- You should observe that Zenconsole access has been granted to your domain. Zenconsole will now routinely update your users and groups, as they are now synchronized.
Figure 42. Google Access Granted
- Click on the Zenconsole link, which will redirect you to the organization Identity & Access Management page. You should see that Azure AD is set as the Default authentication method for your organization.
Beware that to let your domain users sign in to the organization, you will need to approve them by navigating to the Users settings page.
Even if you enable Azure Active Directory (AD) as an authentication method in your organization, it is important to enforce Single Sign-On (SSO) authentication. This is necessary in order to see, in your reports, the usernames of users who connect to the network through a gateway such as OPNsense or pfSense software.
Reconfiguring Authentication Methods
You may easily update your existing authentication methods by following the next steps.
- Log in to Zenconsole.
- Select the organization you want to manage.
- Navigate to the Settings > Identity & Access Management page.
- Go to the Authentication Method pane at the top of the page.
- Click the Actions menu with the 3-dot ... icon next to the authentication method that you want to reconfigure. This will open a drop-down menu.
Figure 43. Authentication Method Actions
- Click the Configure menu item to update the settings. This will open the authentication configuration window.
Figure 44. Reconfiguring Authentication Methods
- Click the Reconfigure button.
- Upload new metadata by clicking on the Upload Metadata button.
- Click the Save Configuration button to save the new configuration.
- Click Close.
Removing Authentication Methods
You may easily delete your existing authentication methods by following the next steps.
- Log in to Zenconsole.
- Select the organization you want to manage.
- Navigate to the Settings > Identity & Access Management page.
- Go to the Authentication Method pane at the top of the page.
- Click the Actions menu with the 3-dot ... icon next to the authentication method that you want to remove. This will open a drop-down menu.
- Click the Configure menu item to update the settings. This will open the authentication configuration window.
Figure 45. Removing Authentication Methods
- Click the Remove Configuration button. A notification will appear to confirm the removal.
- Click Remove to delete the authentication method.
Setting Default Authentication Methods
You may easily change the default authentication method if you have multiple methods by following the next steps.
- Log in to Zenconsole.
- Select the organization you want to manage.
- Navigate to the Settings > Identity & Access Management page.
- Go to the Authentication Method pane at the top of the page.
- Click the Actions menu with the 3-dot ... icon next to the authentication method that you want to set as default. This will open a drop-down menu.
Figure 46. Setting Default Authentication Methods
- Click the Set as Default menu item to update the settings. A notification will appear to confirm the new settings.
- Click Set as Default to save the settings.
Video
Here is the hands-on video for the Zenarmor IAM Management feature.