IAM - OKTA Without User Onboarding Process

The document discusses integrating Qualys with Okta using SAML single sign-on. It provides background on Okta and why to use it for SSO. It then covers configuring SAML SSO between Okta and Qualys, including prerequisites, requesting details from Qualys support, enabling SAML SSO in Okta and for all new users, and the integration flow diagram. It also includes a section on onboarding applications in Okta and walking through the Okta-Qualys integration process.

Integration of Qualys with OKTA

Table of Contents
  Integration of Qualys with OKTA
    Background
      What is OKTA?
      Why use OKTA for SSO?
    OKTA Components
    OKTA Definitions
      Authentication
      Authorization
      Single sign-on (SSO)
      OKTA Protocols
      Applications
      Application Integrations
      Why use SAML?
      OKTA SAML 2.0
  Configuration of SAML SSO for Qualys
    Pre-requisites for Qualys
    Request details for SAML SSO from Qualys Support
    Enable SAML SSO for Qualys
    Enable SAML SSO for all new users
    Flow Diagram for SSO Integrations with Qualys
  Onboarding of applications in OKTA
    Flow Diagram
      Walk-through of OKTA integration with Qualys
      OKTA Qualys Component Interaction

Background

What is OKTA?

The Okta Identity Cloud (Identity as a Service, IDaaS) platform provides secure identity
management with Single Sign-On, Multi-factor Authentication, Lifecycle Management (provisioning)
and more. It connects any person with any application on any device. OKTA soft tokens (Okta Verify)
are widely used for multi-factor authentication (MFA), including Adaptive MFA. Adaptive MFA varies
the authentication requirement according to context, such as the location or network from which
access is requested.

Why use OKTA for SSO?


Okta enables you to provide Single Sign-On (SSO) access to cloud, on-premise and mobile
applications. Users sign in to Okta once and can then launch any of their web apps without
re-entering credentials: log in once, use it any number of times. Users no longer need to
remember several username and password pairs; a single set of credentials, protected by MFA,
gives access to every application the user has been assigned.

OKTA Components
1. OKTA AD Agent, which synchronizes user accounts and groups from Active Directory to the OKTA cloud portal
2. OKTA Cloud Portal
3. OKTA MFA soft token (Okta Verify) for iPhone
4. OKTA MFA soft token (Okta Verify) for Android
5. OKTA MFA soft token for desktop (Windows, macOS etc.)

OKTA Definitions

Authentication is the process of verifying the identity of a user or process. Authenticating the
user on each device ensures that the individual using the device is one the company recognizes.
Entering an account name and password is the most common form of authentication. OKTA supports
interactive user authentication, SSO and multi-factor authentication.

Authorization is a security mechanism used to determine a user's or client's privileges or access
levels for system resources, including programs, files, services, data and application features.
Authorization normally follows authentication, which establishes who the user is. Role-based
authorization is commonly used by applications to limit authenticated users to only the programs,
services or application features they are entitled to; for example, access-manager entitlements
may be used to authorize access to certain programs, services or application features. Note that
SAML only asserts the user's identity and attributes; the application still has to map those
attributes to its own roles.

Single sign-on (SSO) allows users to sign on once using one set of credentials and then get
one-click access to all their applications. Onboarding your application to OKTA provides this
capability via one of the protocols described below.

OKTA Protocols - The protocols offered here for onboarding are SAML, LDAP and RADIUS; when you
onboard your application you select one of them. Okta itself also supports OpenID Connect and
WS-Federation for federated SSO, and it serves LDAP and RADIUS through its LDAP Interface and
RADIUS agent rather than as browser federation protocols. The Qualys integration described in
this document uses SAML 2.0.

Applications

The Okta Integration Network (OIN) is a catalog of thousands of pre-integrated applications that
make it easy to manage authentication and provisioning for all of your users. Okta enables admins to
provide SSO access to cloud, on-premise, and mobile applications. After the applications are
configured, end users can sign into Okta and then launch any of their web apps without having to
reenter their credentials.

Okta establishes a secure connection with the user's browser and then authenticates the user to
Okta-managed apps using one of two SSO integration methods:
1. Okta's Secure Web Authentication (SWA), a form-fill method in which Okta stores the user's
   application credentials and submits them to the application's login page on the user's behalf
2. Federated SSO, in which Okta acts as the identity provider using a standard federation
   protocol (SAML 2.0, OpenID Connect or WS-Federation) and no application password is stored

Application Integrations

OKTA integrates with most applications that support the SAML protocol. SAML is the industry-
standard way of establishing trust and exchanging authentication data between an IdP (Identity
Provider) and an SP (Service Provider). The OKTA Integration Network (OIN) contains a catalog of
thousands of applications such as AWS, GCP, G Suite, Office 365 and HRMS applications.

Why use SAML?

The identity federation standard Security Assertion Markup Language (SAML) enables single sign-on
(SSO) and has a wide variety of uses. At Equifax, OKTA supports SAML for SSO. SAML transfers the
user's identity from the identity provider (OKTA) to the service provider (your application)
through an exchange of digitally signed XML documents that carry the information the trusted
parties in the SSO partnership need. The service provider sends an authentication request and the
identity provider responds with a SAML assertion; the service provider verifies the assertion
(signature, issuer, audience and validity window) before it establishes the user's session. Using
SAML eliminates the need to configure additional network and firewall rules, because the entire
authentication flow is carried over the user's browser: the identity provider and the service
provider never need a direct network path to each other. Enterprise applications that are accessed
through a browser rather than a native mobile application, and that do not rely on third-party API
calls, are best suited for SAML. If your application is licensed from a third-party vendor, find
out whether the application supports SAML.
Vendor applications commonly support SAML directly, and the application team is responsible for
enabling SAML on the application. Custom-developed applications will need to use a third-party
SAML library to implement the capability. SAML is the preferred authentication and authorization
framework, provided that your application can be (or already is) SAML enabled: there is minimal
configuration involved and the application can be onboarded quite rapidly.

Please note that SAML is a browser-based protocol and hence cannot be used to authenticate batch
or other back-end processes. Those need a separate, non-interactive credential such as an API key
or OAuth 2.0 client credentials, which is outside the scope of this document.

OKTA SAML 2.0

To integrate any application with OKTA using SAML 2.0, the following information is needed for a
seamless SSO experience:

1. IdP Metadata: An XML document that OKTA generates for each application added during SSO
   onboarding. It bundles the items below (entity ID, signing certificate and SSO URLs) and
   varies from one application to another.
2. IdP Issuer (Entity ID): A URI generated by OKTA that identifies it as the issuer of every SAML
   response for this application. It must be entered in the application being integrated, which
   rejects responses whose Issuer does not match it.
3. X.509 Certificate: The public certificate matching the key OKTA uses to sign SAML responses
   and assertions. The application uses it to verify those signatures, which is what lets it
   trust the assertion; it does not encrypt the traffic, which is protected by TLS on each
   browser hop. When the certificate is rotated in OKTA, the copy held by the application must
   be updated, or sign-in fails.
4. Login URL / Sign-On URL: The application's Assertion Consumer Service (ACS) URL, to which OKTA
   POSTs the signed SAML response; for Qualys this is the Reply URL supplied by Qualys Support.
   Once the response is accepted the user lands in the application, which is what happens when
   the application icon on the OKTA dashboard is clicked.
5. Logout URL / Sign-Out URL: The page the user is sent to after signing out. It can be a
   customized company page stating that the user has successfully logged out, or the company's
   intranet portal; it should be a fixed, trusted URL rather than one taken from the request.

Configuration of SAML SSO for Qualys

Pre-requisites for Qualys

1. Qualys Cloud Platform subscription
2. SAML SSO must be enabled for your subscription. Follow the steps below to request SAML SSO
   on Qualys.

Request details for SAML SSO from Qualys Support

1. Download and complete sections 1 and 2 of the Qualys SAML 2.0 Integration Request Form.
2. Provide the following details to Qualys Support:
   a. Entity ID string of the IdP (the SAML identity provider, i.e. OKTA)
   b. Public key certificate of the IdP (your organization's IdP signing certificate,
      base64-encoded, in .txt format)
   c. Your organization's SAML IdP SSO URL (the endpoint to which SP-initiated authentication
      requests are sent)
   d. Qualys subscription login (for the Manager point of contact)
   e. Custom exit URL for the subscription (optional)
3. Submit the form to Qualys Support.
4. Qualys Support will work with you to configure the trust relationship between your Identity
   Provider (IdP) and the Qualys SAML 2.0 Service Provider (SP). Qualys will provide you with two
   values: the Identifier (the SP entity ID, which appears as the Audience of the assertion) and
   the Reply URL (the SP's assertion consumer service, to which OKTA posts the SAML response).
   You need both to configure the Qualys application in OKTA.

Figure: Qualys Request Form

Enable SAML SSO for Qualys

1. Enable SAML SSO for the Qualys subscription under Users > Setup > SAML SSO Setup.

2. Set the External ID

The external ID value corresponds to the qualysguard_external_id claim defined in your OKTA SAML
configuration. It is recommended that the external ID is set to the user's email address; it can,
however, be changed to another attribute present in the SAML authentication response.

Note: the external ID can be any string, but it must be unique for each user in the subscription,
and exactly the same value must be passed in the claim; otherwise the assertion cannot be mapped
to a single account.
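
The OKTA side of the same configuration, covering the SAML 2.0 items listed under "OKTA SAML 2.0" above and the external-ID claim just described, as an example added to this document and not OKTA's or Qualys's own code. It builds the custom SAML application definition from the Identifier and Reply URL returned by Qualys Support and includes a pre-flight check for duplicate external IDs. The request-body shape is that of the Okta Apps API for a custom SAML 2.0 application (POST /api/v1/apps, signOnMode SAML_2_0, SSWS token authentication) as I know it; confirm the field names against the current Okta API reference before relying on it. The URLs, org name and user list are placeholders constructed for the example.

```python
"""Define the Qualys application in Okta from the values Qualys Support returned.

Added example; not from the original document and not Okta's or Qualys's code.
Assumes the Okta Apps API request body for a custom SAML 2.0 app (POST /api/v1/apps,
signOnMode SAML_2_0) as I know it; verify field names against current Okta docs.
All URLs, the org name and the user list below are placeholders.
"""
import json
import urllib.request
from collections import Counter

ATTR_NS = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
EXTERNAL_ID_ATTR = "qualysguard_external_id"


def build_qualys_saml_app(identifier, reply_url, external_id_expr="user.email", label="Qualys"):
    """Map the Qualys values onto the app definition.

    identifier -> audience (the Audience the assertion is restricted to)
    reply_url  -> ssoAcsUrl / recipient / destination (where Okta POSTs the response)
    external_id_expr -> the qualysguard_external_id attribute statement (Okta expression)
    """
    if not reply_url.startswith("https://"):
        raise ValueError("Reply URL must be https: the signed SAML response is POSTed to it")
    return {
        "label": label,
        "signOnMode": "SAML_2_0",
        "settings": {"signOn": {
            "ssoAcsUrl": reply_url,
            "recipient": reply_url,
            "destination": reply_url,
            "audience": identifier,
            "idpIssuer": "http://www.okta.com/${org.externalKey}",  # Okta fills in the org key
            "subjectNameIdTemplate": "${user.email}",
            "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "responseSigned": True,      # sign both layers; the SP can verify either
            "assertionSigned": True,
            "signatureAlgorithm": "RSA_SHA256",
            "digestAlgorithm": "SHA256",
            "honorForceAuthn": True,     # let the SP demand fresh authentication
            "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            "attributeStatements": [
                {"type": "EXPRESSION", "name": EXTERNAL_ID_ATTR,
                 "namespace": ATTR_NS, "values": [external_id_expr]},
            ],
        }},
    }


def external_id_claim(app):
    """Return the expression behind the external-ID claim, for a quick review of the definition."""
    for statement in app["settings"]["signOn"]["attributeStatements"]:
        if statement["name"] == EXTERNAL_ID_ATTR:
            return statement["values"][0]
    raise LookupError(f"{EXTERNAL_ID_ATTR} attribute statement missing")


def duplicate_external_ids(users):
    """External IDs shared by more than one user in the subscription.

    Qualys needs the value to be unique per user; emails are compared case-insensitively
    here because most directories treat them that way, so fix collisions before enabling SSO.
    """
    counts = Counter(u["external_id"].strip().lower() for u in users if u.get("external_id"))
    return sorted(value for value, n in counts.items() if n > 1)


def create_app(org_url, api_token, app):
    """POST the definition to Okta (network call; needs an API token with application admin rights)."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/apps", data=json.dumps(app).encode(), method="POST",
        headers={"Authorization": f"SSWS {api_token}", "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    subscription_users = [  # constructed sample of a subscription's user list
        {"login": "acme_ab1", "external_id": "alice@example.com"},
        {"login": "acme_ab2", "external_id": "Alice@example.com"},
    ]
    print("duplicate external IDs:", duplicate_external_ids(subscription_users))
    app = build_qualys_saml_app("https://qualysguard.example.com/saml/sp",   # placeholder Identifier
                                "https://qualysguard.example.com/saml/acs")  # placeholder Reply URL
    print(json.dumps(app, indent=2))
    # create_app("https://example.okta.com", "<api token>", app)  # uncomment against a real org
```

The external ID expression is the one thing here that must agree with the Qualys side: whatever attribute the expression resolves to (user.email in the recommended setup) is the value each Qualys user record must carry as its external ID.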

Enable SAML SSO for all new users

Go to Users > Setup > SAML SSO Setup and select the option "Enable SAML SSO for new users".

The Users list shows whether each user has SAML SSO enabled. Click the Search button (above the
list) to quickly find accounts with SAML SSO disabled. Select all the rows in your search results
and pick Enable SAML from the Actions menu. SAML can be disabled in the same way by choosing
Disable SAML. Accounts left with SAML disabled continue to sign in with their Qualys password,
outside OKTA's MFA, so review the search results for accounts that should not be exempt.

Flow Diagram for SSO Integrations with Qualys
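
The flow behind this diagram is the exchange described under "Why use SAML?" above, ending at the Qualys side with the external-ID mapping from the previous section. The script below is an example added to this document, not Qualys's or OKTA's code: it shows the checks a service provider has to make on the SAML response it receives at the Reply URL before it trusts the qualysguard_external_id claim, and why the Identifier, Reply URL and IdP Entity ID exchanged with Qualys Support matter. Cryptographic verification of the XML signature needs an XML-DSig library (python-xmlsec, for example) and is left as a marked hook; only the signature's structure is checked here. The response is a constructed sample with placeholder URLs, IDs and a fake SignatureValue.

```python
"""SP-side checks on a SAML Response before its external-ID claim is trusted.

Added example; not from the original document and not Qualys's or Okta's code.
Cryptographic verification of the XML signature needs an XML-DSig library such
as python-xmlsec and is left as a marked hook; only the signature's structure is
checked. The response is a constructed sample with placeholder URLs and IDs.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EXTERNAL_ID_ATTR = "qualysguard_external_id"
# idp_entity_id: Entity ID from the Okta metadata; sp_entity_id: Qualys "Identifier"; acs_url: Qualys "Reply URL"
Trust = namedtuple("Trust", "idp_entity_id sp_entity_id acs_url")

class SamlError(Exception): pass

def _ts(value):
    """SAML timestamps: UTC ISO-8601 with trailing Z, optionally fractional seconds."""
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def consume_response(xml, trust, now, users, expected_request_id):
    """Validate the response; return the Qualys login it maps to or raise SamlError."""
    root = ET.fromstring(xml)  # use defusedxml when the input comes off the network
    if root.tag != f"{{{NS['samlp']}}}Response" or root.get("Destination") != trust.acs_url:
        raise SamlError("not a Response, or Destination is not our Reply URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("IdP did not report Success")
    assertions = list(root.iter(f"{{{NS['saml']}}}Assertion"))
    if len(assertions) != 1:  # a second Assertion anywhere in the tree smells of signature wrapping
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    issuer = a.find("saml:Issuer", NS)
    if issuer is None or issuer.text.strip() != trust.idp_entity_id:
        raise SamlError("assertion Issuer is not the trusted IdP")
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise SamlError("assertion unsigned, or signature references another element")
    # HOOK: verify the enveloped signature over `a` with the IdP's X.509 certificate (e.g. xmlsec).
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise SamlError("assertion outside its validity window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if trust.sp_entity_id not in audiences:
        raise SamlError("Audience does not include our Identifier")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != trust.acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        raise SamlError("SubjectConfirmationData rejected")
    if scd.get("InResponseTo") != expected_request_id:
        raise SamlError("InResponseTo does not match the outstanding AuthnRequest")
    values = [v.text.strip() for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)
              if at.get("Name") == EXTERNAL_ID_ATTR for v in at.findall("saml:AttributeValue", NS)]
    if len(values) != 1:
        raise SamlError(f"{EXTERNAL_ID_ATTR} must be present exactly once")
    matches = [u["login"] for u in users if u["external_id"] == values[0] and u["saml_enabled"]]
    if len(matches) != 1:  # zero: unknown or SAML-disabled user; several: external ID not unique
        raise SamlError("external ID does not map to exactly one SAML-enabled user")
    return matches[0]

TRUST = Trust("http://www.okta.com/exkPLACEHOLDER0000000",
              "https://qualysguard.example.com/saml/sp", "https://qualysguard.example.com/saml/acs")
USERS = [{"login": "acme_ab1", "external_id": "alice@example.com", "saml_enabled": True},
         {"login": "acme_bc2", "external_id": "bob@example.com", "saml_enabled": False}]
NOW = datetime(2024, 1, 15, 10, 0, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z" Destination="{TRUST.acs_url}" InResponseTo="_req42">
  <saml:Issuer>{TRUST.idp_entity_id}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z"><saml:Issuer>{TRUST.idp_entity_id}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-15T10:05:00Z" Recipient="{TRUST.acs_url}" InResponseTo="_req42"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:55:00Z" NotOnOrAfter="2024-01-15T10:05:00Z"><saml:AudienceRestriction>
      <saml:Audience>{TRUST.sp_entity_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EXTERNAL_ID_ATTR}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def run_demo():
    """Accept the good response; reject an expired and a wrapped (extra Assertion) variant."""
    wrapped = SAMPLE_RESPONSE.replace("<samlp:Status>", '<saml:Assertion ID="_evil"/><samlp:Status>')
    out = {"valid": consume_response(SAMPLE_RESPONSE, TRUST, NOW, USERS, "_req42")}
    for name, xml, now in (("expired", SAMPLE_RESPONSE, NOW.replace(hour=11)), ("wrapped", wrapped, NOW)):
        try:
            consume_response(xml, TRUST, now, USERS, "_req42")
            out[name] = "accepted"
        except SamlError as exc:
            out[name] = "rejected: " + str(exc)
    return out
```

Read top to bottom, the checks are the reason each value in the Qualys request form exists: the IdP Entity ID is what Issuer is compared against, the Identifier is what must appear as Audience, and the Reply URL is what Destination and Recipient must equal. The "wrapped" variant in run_demo shows why counting assertions matters: a response carrying a second, unsigned assertion must be rejected before any attribute is read.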


Onboarding of applications in OKTA

1. Onboarding and provisioning of new applications in OKTA is managed by the IAM team.
2. The onboarding process is still under consideration and being developed by the IAM team. Once
   the process is finalized and the Confluence reference links are available, they will be
   added here.
Flow Diagram

Walk-through of OKTA integration with Qualys

OKTA Qualys Component Interaction
