The Carbon Black App Control Console can be integrated with identity providers (IdPs) that use the Security Assertion Markup Language (SAML). This integration allows you to require two-factor authentication (2FA) for logging in to the Carbon Black App Control Console for compliance purposes or to meet your own best practice standards.
Integrating a SAML identity provider with Carbon Black App Control requires the following:
- An account with an IdP whose sign-on and logout locations have a binding of type HTTP-redirect.
- For each IdP identity, mapping requires specification of an email address from the IdP account using one of the following attributes:
- A
NameIDof typeurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress - An attribute with the name
EmailAddress(capitalized as shown here)
- A
-
A Carbon Black App Control login account matching the value of
NameIDorEmailAddressfor each IdP user you want to give access to the console. If you are unfamiliar with creation of login accounts, see Creating Login Accounts in the Console for instructions.Note: This integration allows you to use SAML to authenticate existing Carbon Black App Control accounts. It does not import accounts from an IdP to Carbon Black App Control. If bothNameIDandEmailAddressare found, theEmailAddressattribute is always used, and it must match the email address in an Carbon Black App Control account.NameIDis not used as a backup ifEmailAddressexists. - Completion of the configuration procedures that are described in this section.
