This topic describes how to integrate the Shibboleth IdP with Carbon Black EDR.

Procedure

  1. Acquire metadata XML from the Shibboleth IdP and place it in the /etc/cb/sso directory on the Carbon Black EDR server host. (You are not required to use this directory, but it is a good default location.)
  2. On the Carbon Black EDR server, navigate to /etc/cb/sso and:
    1. Copy /etc/cb/sso/sso.conf.example.shib to /etc/cb/sso/sso.conf.
    2. Copy attr_map.py.example.shib to attr_map.py.
      Note:

      Make appropriate changes to the attr_map.py file based on the attributes returned from Shibboleth. Each configurable property is accompanied with additional inline documentation in the attr_map.py file to assist with this process.

  3. In the /etc/cb/sso/sso.conf file:
    Caution:

    The syntax of this configuration file must fully conform to the JSON data-interchange format. Failure to do so can create an invalid configuration file, which will prevent the cb-coreservices services from launching properly. When changes are made to this file and cb-enterprise is restarted, check /var/log/cb/coreservices/debug.log to for errors.

    1. Specify the file path to the location of the metadata XML from the Shibboleth IdP. For example:
      "metadata": {
            "local": [
              "<file path to location of IdP XML>"
            ]
          },
    2. Make sure the attribute_mapper field has the path to the Python Mapper file:
      "attribute_mapper": "/etc/cb/sso/attr_map.py",
    3. Change the accepted_time_diff field if needed:
      "accepted_time_diff": 600,
    4. Update the service / sp / idp section with the Shibboleth IdP. For example:
      "service": {
       "sp": {
         "idp": {
           # EntityId of the IDP
           "https://fakeipd.example.com": {
    5. Update the single_sign_on_service and single_logout_service sections with the appropriate name and appid from the Shibboleth IdP. For example:
      # URLs in this section MUST be updated to match the URLs defined # by the IdP you are integrating with
      "single_sign_on_service": {
       	  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://fakeipd.example.com/saml2/idp/SSOService"
      },
      "single_logout_service": {
       	  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://fakeipd.example.com/saml2/idp/SingleLogoutService"
      }
    6. In the endpoints section, update the assertion_consumer_service and single_logout_service fields with the appropriate IP address of FQDN of Carbon Black EDR. For example:
      "endpoints": {
         "assertion_consumer_service": {
            "https://<IP Address or FQDN of the EDR Server>/api/saml/
      assertion":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         },
         "single_logout_service": {
            "https://<IP Address or FQDN of the EDR Server>/api/saml/
      logout": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
         }
      },
    7. Update the entityid field with the appropriate IP address or FQDN of the Carbon Black EDR server. For example:
      "entityid": "https://<IP Address or FQDN of the EDR server>/",
    8. Search the sso.conf file for “TODO” and ensure that all “TODO” tasks are completed.
  4. Open the /etc/cb/cb.conf file and edit the SSOConfig property so that it contains the full path to the SSO configuration file created in the previous steps. This single property idefines whether Carbon Black EDR server will be started in standalone or federated authentication mode.
    Note:

    To deactivate SSO integration, comment out the SSOConfig property.

  5. Generate Carbon Black EDR server’s SSO service provider metadata XML file by issuing the following command:
    /usr/share/cb/cbssl sso --make-metadata > /<your file path>
  6. After this file is created, you must give it to the identity provider to complete the trust.
  7. Restart the Carbon Black EDR server by issuing the following command:
    sudo service cb-enterprise restart