Single sign-on (SSO) is a method for authenticating user access to multiple applications using a single set of login credentials. This article provides an overview of SSO in Nebula and how to configure this option.
On the left navigation menu, go to Configure > Single Sign-On to configure SSO. SSO is turned off by default.
Enable SSO to allow Nebula to control logins through your identity provider.
Link your SSO tool to Nebula
For SSO to work, connect Nebula to your provider.
- Use your single sign-on tool to generate an XML file. This file is used to integrate your tool with Nebula. If you need assistance generating this file, contact your SSO provider.
- Drag the generated XML file onto the Upload New Metadata XML box. You may upload a new XML at any time to change SSO settings.
- Click SAVE.
Link Nebula to your single sign-on tool
Now that Nebula has your SSO tool XML data, you need to provide similar data from Nebula to your SSO tool.
- Scroll down to Malwarebytes Service Provider Details.
- Click the link next to Service Provider Metadata.
- Your web browser downloads a metadata.xml file.
- Upload this file to your single sign-on tool.
If your single sign-on tool needs additional details, refer to the other on-screen items in this section.
Enable the Service Provider Initiated SSO setting to have Nebula use your email address to perform an identity provider lookup. When the lookup succeeds, future logins route through your identity provider’s existing login methods. If the lookup does not succeed, future logins prompt for a password.
Enable Just-in-Time (JIT) Provisioning to allow IT administrators to determine if Nebula automatically creates a user account when a new user attempts to log in. If the new user's role is specified in the SAML Assertion, that role is assigned to the user within Nebula.
Nebula expects the following SAML Attributes:
- email: Required.
- display_name: Optional. If left blank, the user's email address is used.
- role: Optional. Values can be ReadOnly, Admin, and SuperAdmin. If a role isn't selected, ReadOnly is used.
Users with the ReadOnly or Admin role can access only the Default Group. Users with the SuperAdmin role can access all groups.
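A pre-flight check for the attribute rules above, added here as an example (not Malwarebytes code): it parses a constructed SAML assertion and reports the account that JIT provisioning would create under the documented defaults. The function names and the sample assertion are assumptions, and role values outside the documented three are flagged because this page does not say how Nebula handles them.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"ReadOnly", "Admin", "SuperAdmin"}  # values listed on this page

# Constructed sample: an AttributeStatement as an IdP might emit it (not a real capture).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>analyst@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def read_attributes(assertion_xml):
    """Return {attribute name: first non-empty value} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        text = (value.text or "").strip() if value is not None else ""
        if text:  # blank values are treated as absent so the defaults apply
            attrs.setdefault(attr.get("Name"), text)
    return attrs


def preview_jit_account(assertion_xml):
    """Apply the documented defaults and report what JIT provisioning would create."""
    attrs = read_attributes(assertion_xml)
    if "email" not in attrs:
        raise ValueError("missing required attribute: email")
    role = attrs.get("role", "ReadOnly")  # documented default
    if role not in ALLOWED_ROLES:
        # The page does not say how Nebula treats other values, so flag them.
        raise ValueError(f"role {role!r} is not ReadOnly, Admin or SuperAdmin")
    return {
        "email": attrs["email"],
        "display_name": attrs.get("display_name", attrs["email"]),
        "role": role,
        "group_access": "all groups" if role == "SuperAdmin" else "Default Group",
    }


if __name__ == "__main__":
    print(preview_jit_account(SAMPLE_ASSERTION))
```

Run it against a test assertion from your identity provider before enabling JIT provisioning to confirm that no attribute mapping grants SuperAdmin unintentionally. It inspects attributes only and does not validate the assertion's signature.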