27.18 Configuring Integration with ArcSight

This section describes how to integrate Advanced Authentication with ArcSight in order to achieve single sign-on (SSO) to ArcSight.

To configure the integration of Advanced Authentication with ArcSight, perform the following tasks:

27.18.1 Configuring ArcSight

  1. On the NFS server, open the sso-configuration.properties file, located by default in the <arcsight_nfs_vol_path>/sso/default directory.

    <arcsight_nfs_vol_path> is the NFS volume used for the CDF installation.

    For example: /opt/NFS_volume/arcsight-volume. This location might vary based on the version of ArcSight.

  2. In the sso-configuration.properties file, add the following properties:

    com.microfocus.sso.default.login.method = saml2

    com.microfocus.sso.default.saml2.enabled = true

    com.microfocus.sso.default.login.saml2.mapping-attr = mail

    com.microfocus.sso.default.login.saml2.identifierFormat = emailAddress

  3. Download the SAML2 metadata from the Advanced Authentication server. The URL to download the metadata is:

    https://<AA Server hostname>/osp/a/<Tenant Name>/auth/saml2/metadata

  4. Convert the metadata XML file to a base64 string and set the following property:

    com.microfocus.sso.default.login.saml2.metadata = <base64 encoded metadata xml>

  5. Save the changes in the sso-configuration.properties file.

    Ensure that there are no trailing spaces at the end of the property lines.

  6. Restart the pod to apply the new configuration.

    • Get the pod information using the following command:

      kubectl get pods --all-namespaces | grep fusion-single-sign-on

    • Delete the currently running pod using the following command:

      kubectl delete pod fusion-single-sign-on-xxxxxxxxxx-xxxxx -n arcsight-installer-xxxxx

    A new pod starts with the new configuration.

  7. Retrieve the Fusion SSO SAML service provider metadata from the server.

    https://EXTERNAL_ACCESS_HOST/osp/a/default/auth/saml2/spmetadata

    where EXTERNAL_ACCESS_HOST is the hostname of the server.

    This metadata must be uploaded to the Advanced Authentication SAML2 configuration.

    For more information, see Configuring SAML Authentication in ArcSight.

27.18.2 Configuring the SAML 2.0 Event on Advanced Authentication

  1. Open the Advanced Authentication Administration portal.

  2. Click Events > New Event.

  3. Create an event with the following parameters:

    • Name: specify a preferred name that indicates the use of this event. For example, ArcSight

    • Event Type: SAML2

    • Chains: select the required chains.

    • SP SAML 2.0 meta data: paste the content of the file https://EXTERNAL_ACCESS_HOST/osp/a/default/auth/saml2/spmetadata, or click Choose File and upload the saved XML file.

  4. Set Send E-Mail as NameID (suitable for G-Suite) to ON.

  5. Click Save.

27.18.3 Authenticating on ArcSight with SAML 2.0

Open the ArcSight login page. The page redirects to the Advanced Authentication server, where the user must authenticate. After successful authentication, the Advanced Authentication server redirects the user back to the ArcSight Dashboard page.