How the authentication flows between Twistlock and SAML

Created On 11/27/19 17:00 PM - Last Modified 07/19/22 23:15 PM


Objective


Twistlock supports SAML federation with SAML 2.0 compliant Identity Providers.

Environment


All versions.

Procedure


The steps in the authentication flow between Twistlock and SAML are:
  • User browses to the Twistlock Console UI endpoint.
  • Twistlock redirects the user’s browser session to the registered IdP configured in Manage > Authentication > SAML. This is known as the Authentication Request.
  • User authenticates at the IdP’s interface.
  • The IdP redirects the user’s browser back to the Twistlock authentication endpoint (https://tl_console:8083/api/v1/authenticate) with the SAML Response, which contains a token of claims. A claim can be an attribute of the user (e.g. name, group membership) or a statement of how the user authenticated.
  • Twistlock receives the SAML Response from the IdP.
  • Twistlock validates the digital signature of the SAML Response.
  • Twistlock validates that the Response Token’s Issuer value matches the Identity provider issuer value in the SAML settings for the IdP.
  • Twistlock looks for the groups claim values and attempts to match the group name in Manage > Authentication > Groups that are marked as SAML.
  • If the group assignment does not occur, Twistlock attempts to map the nameid claim value to SAML users in Manage > Authentication > Users.
  • If these checks pass, the user is authenticated to Twistlock.
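As an added illustration (not code from the article or from Twistlock itself), the following Python function applies the checks listed above in the same order: signature result, Issuer comparison against the configured value, groups-claim match against groups marked as SAML, then the NameID fallback against SAML users. It assumes the XML digital signature has already been verified by an XML-signature library and that the group claim is carried in an attribute named "groups"; the sample Response is constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SAML 2.0 namespaces used in a Response document
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass
class AuthResult:
    ok: bool
    reason: str
    principal: str = ""

def evaluate_saml_response(xml_text, signature_valid, expected_issuer,
                           saml_groups, saml_users, group_attr="groups"):
    """Checks after the IdP redirect, in the order the article lists them.
    signature_valid is the outcome of a prior XML-DSig check (assumed, not
    re-implemented); expected_issuer is the configured IdP issuer value."""
    if not signature_valid:                      # 1. digital signature
        return AuthResult(False, "SAML Response signature invalid")
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:                # 2. Issuer must match settings
        return AuthResult(False, f"issuer {issuer!r} does not match configured IdP")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return AuthResult(False, "no Assertion in Response")
    nameid = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{group_attr}']/saml:AttributeValue"
    claimed = [v.text for v in assertion.findall(path, NS) if v.text]
    matched = [g for g in claimed if g in saml_groups]
    if matched:                                  # 3. groups claim -> SAML groups
        return AuthResult(True, f"group {matched[0]}", nameid)
    if nameid in saml_users:                     # 4. fallback: NameID -> SAML user
        return AuthResult(True, "nameid user mapping", nameid)
    return AuthResult(False, "no SAML group or user matched")   # 5. deny

# Constructed sample Response (not a captured one); Signature element omitted
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>sec-ops</saml:AttributeValue>
   <saml:AttributeValue>developers</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```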

