Adapting the SAML Identity Provider Attributes when Upgrading CxSAST v8.8 or v8.9 to v9.0 or v9.2

This section guides you through the process of making the required changes to the SAML Identity Provider for User and Team Attributes when upgrading CxSAST v8.8 or v8.9 to CxSAST v9.0 or v9.2.

After upgrading to SAST 9.0, make sure to change the Sign-On URL configured for the SAML server from http{s}://{server}:{port}/CxRestAPI/auth/samlAcs to http{s}://{server}:{port}/CxRestAPI/auth/identity/samlAcs. Otherwise the access link to the SAML server is broken, because the login page of the SAML server cannot be reached.

Please note that the URL is case-sensitive.

Prerequisites

The following prerequisites apply:

  • Checkmarx CxSAST/CxOSA v9.0.0 (with Access Control migration performed)
  • Active SAML 2.0 identity provider account (e.g. OKTA)

User Attribute Changes

The following manual changes should be performed within the Identity Provider when upgrading from v8.8/v8.9 to v9.x:

  • Change 'Organization_Tree' to 'Team' and define it as a multi-value attribute
  • Update 'Role' to a multi-value attribute
  • Remove 'Is_Auditor' and replace it with a role
  • Remove 'Role_Attribute' and replace it with a set of roles

Refer to Creating and Mapping User Attributes in OKTA for more information.

Team Attribute Changes

Each user can be assigned to multiple teams. A ‘String Array’ type should be defined for the Team attribute. Each team assignment requires an additional sub-attribute. For v9.0.0, the backslash ‘\’ is replaced with a slash ‘/’.
For example:
Team=/CxServer/Team1
     /CxServer/Team2
     /CxServer/Team3

Refer to Creating and Mapping User Attributes in OKTA for more information.
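
The following Python check is an added example, not Checkmarx code. It inspects a decoded SAML response captured from a test login against your own identity provider and reports anything that still follows the v8.8/v8.9 layout described above: the old Sign-On URL, legacy attributes, and Team values that are not in slash form. The host name, role names and both sample responses are constructed placeholders, and the check does not validate signatures.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
NEW_ACS_PATH = "/CxRestAPI/auth/identity/samlAcs"  # v9.x path given on this page
LEGACY_ATTRS = {"Organization_Tree", "Is_Auditor", "Role_Attribute"}

# Constructed samples (decoded responses; host and role names are placeholders).
_HEAD = ('<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" Destination="%s">'
         '<a:Assertion><a:AttributeStatement>')
_TAIL = "</a:AttributeStatement></a:Assertion></p:Response>"

def _attr(name, *values):
    """Build one multi-value SAML attribute for the constructed samples."""
    vals = "".join("<a:AttributeValue>%s</a:AttributeValue>" % v for v in values)
    return '<a:Attribute Name="%s">%s</a:Attribute>' % (name, vals)

SAMPLE_HALF_MIGRATED = (_HEAD % "https://cx.example.test/CxRestAPI/auth/samlAcs"
    + _attr("Team", "\\CxServer\\Team1") + _attr("Is_Auditor", "true") + _TAIL)
SAMPLE_V9 = (_HEAD % "https://cx.example.test/CxRestAPI/auth/identity/samlAcs"
    + _attr("Team", "/CxServer/Team1", "/CxServer/Team2")
    + _attr("Role", "ExampleRoleA", "ExampleRoleB") + _TAIL)

def check_response(xml_text):
    """Return a list of findings; an empty list means no v8.x leftovers were seen.

    Only feed this responses from your own IdP: ElementTree is not hardened
    against hostile XML.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Case-sensitive comparison on purpose: the page notes the URL is case-sensitive.
    if not root.get("Destination", "").endswith(NEW_ACS_PATH):
        findings.append("Destination does not end with " + NEW_ACS_PATH)
    attrs = {}
    for attr in root.iterfind(".//a:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("a:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    for name in sorted(LEGACY_ATTRS & attrs.keys()):
        findings.append("legacy attribute still sent: " + name)
    # Slash form with a leading '/' follows the Team example on this page.
    for team in attrs.get("Team", []):
        if "\\" in team or not team.startswith("/"):
            findings.append("Team value not in slash form: " + team)
    return findings

if __name__ == "__main__":
    for label, xml_text in (("half-migrated", SAMPLE_HALF_MIGRATED), ("v9", SAMPLE_V9)):
        print(label, check_response(xml_text) or "OK")
```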