After you configure the SAML provider, you can authenticate users in the Google SecOps SOAR platform, as follows:
Go to SOAR Settings > Advanced > External Authentication.
On the Provider page, click Add.
In the Provider Type field, select the required SAML provider. For example, Okta or Google Workspace.
In the Provider Name field, enter the name of the instance. For example, Okta Customer name.
Set the Configuration settings using the following details:
Field: Description
Provider name: Name of the SAML provider.
IDP Metadata: SAML metadata that shares configuration information between the Identity Provider (IdP) and the Service Provider (SP). If you use a certificate, set WantAuthnRequestsSigned="true" in the XML; otherwise, set it to false.
Identifier: The SP ID in the SAML provider. This term is referred to as Entity ID in Google Workspace, though service providers can use different names.
ACS URL: Google SecOps SOAR server name. Can be an IP URL, Hostname URL, or Local Host URL. To sign in with SAML, you must do the following:
    Connect to the platform with the same URL pattern as configured in this field.
    Make sure that the URL contains the IP address of the Google SecOps SOAR server, followed by /saml2.
Unsolicited Response: This setting is also known as an IdP-Initiated response. It lets SAML users access the Google SecOps SOAR platform directly from their IdP application. For example, if your company uses Okta, users can enter Google SecOps SOAR directly through the Okta application.
Auto-redirect: Auto-redirect automatically sends users who aren't signed in to the IdP login page. To force a user to sign in to the platform directly, append ?autoExternalLogin=false to the URL. Example: https://example.com/#/login?autoExternalLogin=false.
Click Test to verify that the configuration works.
Click Save.
Select one of the user creation types as needed:
Manual: Add users, individually, in the User Management window. For details on how to add users, see Manage users.
Just in Time: Automatically create the user (at login) in Google SecOps. When you select this option, an advanced tab opens with more parameters. For details, see Configure just-in-time provisioning.
IdP Group Mapping: Create the user automatically in Google SecOps based on the IdP group assignment. When you select this option, an advanced tab opens with more parameters. For more information on IdP group mapping, see Map IdP groups to SOAR roles.
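A pre-flight check for the IDP Metadata and ACS URL fields described above, run before clicking Test. This is an added example, not part of the original documentation or of Google's tooling: the function name, sample metadata and URLs are constructed, and it assumes that the ACS URL path is exactly /saml2 and that "same URL pattern" means the same scheme and host.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample IdP metadata (not taken from a real provider).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_saml_settings(metadata_xml, acs_url, login_url, uses_certificate):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # IDP Metadata: WantAuthnRequestsSigned must be "true" when a
    # certificate is used and "false" otherwise.
    root = ET.fromstring(metadata_xml)
    idp = root.find(f".//{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        findings.append("metadata has no IDPSSODescriptor element")
    else:
        flag = idp.get("WantAuthnRequestsSigned", "").strip().lower()
        expected = "true" if uses_certificate else "false"
        if flag != expected:
            shown = flag or "unset"
            findings.append(
                f'WantAuthnRequestsSigned is "{shown}", expected "{expected}"')

    # ACS URL: server address followed by /saml2 (assumed to be the full path).
    acs = urlsplit(acs_url)
    if acs.path.rstrip("/") != "/saml2":
        findings.append("ACS URL path is not /saml2")

    # Users must reach the platform with the same URL pattern as the ACS URL
    # (interpreted here as the same scheme and host, an assumption).
    login = urlsplit(login_url)
    if (login.scheme, login.netloc.lower()) != (acs.scheme, acs.netloc.lower()):
        findings.append("login URL scheme/host differs from the ACS URL")
    return findings
```

A mismatch between the host users browse to and the host in the ACS URL (for example, hostname versus IP address) is the case the ACS URL field description calls out.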
Last updated 2025-09-07 UTC.