This topic describes how to integrate the ADFS IdP with Carbon Black EDR.

Prerequisites

To configure ADFS, refer to your Microsoft documentation.

Procedure

  1. Acquire metadata XML from the ADFS IdP and place it in the /etc/cb/sso directory on the Carbon Black EDR server host. (You are not required to use this directory, but it is a good default location.)
  2. On the Carbon Black EDR server, navigate to /etc/cb/sso and:
    1. Copy /etc/cb/sso/sso.conf.example.adfs to /etc/cb/sso/sso.conf.
    2. Copy attr_map.py.example.adfs to attr_map.py.
      Note:

      Make appropriate changes to the attr_map.py file based on the attributes that are returned from ADFS. Each configurable property is accompanied with inline documentation in the attr_map.py file to assist with this process.

  3. In the /etc/cb/sso/sso.conf file:
    Caution:

    The syntax of this configuration file must fully conform to the JSON data-interchange format. Failure to do so can create an invalid configuration file, which prevents the cb-coreservices services from launching properly. When changes are made to this file and cb-enterprise is restarted, check / var/log/cb/coreservices/debug.log to make sure that there are no errors.

    1. Specify the file path to the location of the metadata XML from the ADFS IdP. For example: 
      "metadata": {
      "local": [
        "<file path to location of IdP XML>"
      ]
    },
    2. Make sure the attribute_mapper field has the path to the Python Mapper file:
      "attribute_mapper": "/etc/cb/sso/attr_map.py",
    3. Change the accepted_time_diff field if needed: 
      "accepted_time_diff": 600,
    4. Update the service / sp / idp section with the appropriate appid from the ADFS IdP. For example: 
      "service": {
 "sp": {
   "idp": {
     # EntityId of the IDP
     "https://fakeipd.example.com": {
    5. Update the single_sign_on_service and single_logout_service sections with the appropriate name and appid from the ADFS IdP For example: 
      # URLs in this section MUST be updated to match the URLs defined
# by the IdP you are integrating with
"single_sign_on_service": {
   "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://fakeipd.adfs.com/adfs/ls/"
},

"single_logout_service": {
   "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://fakeipd.adfs.com/adfs/ls/?wa=wsignout1.0"
}
    6. In the endpoints section, update the assertion_consumer_service and single_logout_service fields with the appropriate IP address of FQDN of Carbon Black EDR. For example: 
      "endpoints": {
   "assertion_consumer_service": {
      "https://<IP Address or FQDN of the EDR Server>/api/saml/
assertion":"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   },
   "single_logout_service": {
      "https://<IP Address or FQDN of the EDR Server>/api/saml/
logout": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   }
},
    7. Update the entityid field with the appropriate IP address or FQDN of the Carbon Black EDR server. For example: 
      "entityid": "https://<IP Address or FQDN of the EDR Server>/",
    8. Search the sso.conf file for “TODO” and ensure that all “TODO” tasks are completed.
  4. Open the /etc/cb/cb.conf file and edit the SSOConfig property so that it contains the full path to the SSO configuration file created in the previous steps. This single property defines whether Carbon Black EDR server will be started in standalone or federated authentication mode.
    Note:

    To deactivate SSO integration, comment out the SSOConfig property.

  5. Generate the Carbon Black EDR server’s SSO service provider metadata XML file by issuing the following command: 
    /usr/share/cb/cbssl sso --make-metadata > /<your file path>
  6. Give the file to the IdP to complete the trust.
  7. Restart the Carbon Black EDR server by issuing the following command: 
    sudo service cb-enterprise restart