About the Identity Provider Account and CDO User Record
To log in to Cisco Defense Orchestrator (CDO), a user needs two things: an account with a SAML 2.0 compliant identity provider (IdP) and a user record in CDO. The IdP account contains the user's credentials and the IdP authenticates the user based on those credentials. The CDO user record primarily identifies the username, the CDO tenant with which they are associated, and the user's role.
When a user logs in, CDO tries to map the IdP's SAML assertion that the user is authentic to an existing user record in CDO.
Customers who do not manage their own IdPs use CDO's OneLogin IdP by default. Customers can integrate their own IdP with CDO if they choose.
This is a simplified description of how the IdP account interacts with the CDO user record to log in a CDO user:
- The user requests access to CDO by trying to connect directly to the site https://defenseorchestrator.com or by connecting to a SAML 2.0 compliant identity provider (IdP) such as cdo.onelogin.com.
- The IdP authenticates the user.
- The IdP issues a SAML assertion that the user is authentic and redirects the user to https://defenseorchestrator.com.
- CDO validates the SAML assertion, extracts the username and attempts to find a user record corresponding to that username.
- If the user has a user record on a single tenant on CDO, CDO grants the user access to the tenant and the user's role determines the actions they can take.
- If the user has a user record on more than one tenant, CDO presents the authenticated user with a list of tenants from which to choose. The user picks a tenant and is allowed to access the tenant. The user's role on that specific tenant determines the actions they can take.
- If CDO does not have a mapping for the authenticated user to a user record on a tenant, CDO rejects the attempted login.
Creating a user record in CDO does not create an account in the IdP and creating an account in the IdP does not create a user record in CDO.
Similarly, deleting an account on the IdP does not delete the user record from CDO, although without the IdP account there is no way to authenticate the user to CDO. Deleting the CDO user record does not delete the IdP account, although without the CDO user record there is no way for an authenticated user to access a CDO tenant.
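The login mapping in the list above and the independence of the two stores, as an added illustrative model (not CDO's own code): the SamlAssertion, IdP and CDO classes, the "example.com" accounts and the tenant names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SamlAssertion:
    username: str
    valid: bool  # signature/audience/expiry checks assumed done before mapping

@dataclass
class IdP:  # toy identity provider (hypothetical): credentials live here, not in CDO
    accounts: dict[str, str] = field(default_factory=dict)  # username -> secret (constructed; real IdPs store hashes)

    def authenticate(self, username: str, secret: str) -> Optional[SamlAssertion]:
        if self.accounts.get(username) != secret:
            return None  # IdP refuses; CDO never receives an assertion
        return SamlAssertion(username=username, valid=True)

@dataclass
class CDO:  # toy CDO side (hypothetical): user records keyed by (username, tenant) -> role
    user_records: dict[tuple[str, str], str] = field(default_factory=dict)

    def tenants_for(self, username: str) -> list[str]:
        return sorted(t for (u, t) in self.user_records if u == username)

    def login(self, assertion: Optional[SamlAssertion], chosen_tenant: Optional[str] = None) -> tuple:
        # CDO validates the assertion before trusting the username inside it.
        if assertion is None or not assertion.valid:
            return ("reject", "no valid SAML assertion")
        tenants = self.tenants_for(assertion.username)
        if not tenants:  # authenticated at the IdP, but no record on any tenant
            return ("reject", "no user record on any tenant")
        if len(tenants) == 1:  # single tenant: grant; the record's role bounds actions
            tenant = tenants[0]
        elif chosen_tenant is None:  # several tenants: present the list first
            return ("choose", tenants)
        elif chosen_tenant not in tenants:
            return ("reject", "no user record on chosen tenant")
        else:
            tenant = chosen_tenant
        return ("grant", tenant, self.user_records[(assertion.username, tenant)])

def build_sample() -> tuple[IdP, CDO]:
    """Constructed sample data: two IdP accounts, three CDO user records."""
    idp = IdP({"alice@example.com": "s1", "bob@example.com": "s2"})
    cdo = CDO({("alice@example.com", "tenant-A"): "Admin",
               ("bob@example.com", "tenant-A"): "Read-Only",
               ("bob@example.com", "tenant-B"): "Super Admin"})
    return idp, cdo
```

Removing a user record from `cdo.user_records` leaves `idp.authenticate` working but makes `login` reject; removing the IdP account leaves the records in place but no assertion is ever produced.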
Implications of this Architecture
Customers Who Use CDO's OneLogin Identity Provider
Customers who use CDO's OneLogin identity provider still need to open a support ticket with CDO to create a new OneLogin account for every user on their tenant. If they do not have a user with a Super Admin role, they will also need to open a support ticket to elevate the role of one of their users from Admin to Super Admin. After that, the Super Admin can create, edit, and delete CDO user records on their tenant.
Should the Super Admin ever need to prevent another user from accessing CDO, they can simply delete that user's CDO user record. The OneLogin account will still exist, and if the Super Admin ever wants to restore the user, they can do so by creating a new CDO user record with the same username as the one used for OneLogin.
Should a customer ever run into a problem with CDO that requires a call to our Technical Assistance Center (TAC), the customer could create a user record for the TAC engineer, in a read-only role, so they could investigate the tenant and report back to the customer with information and suggestions.
Customers Who Have Their Own Identity Provider
Customers who have their own identity provider control both the identity provider accounts and the CDO user records. These customers can create and manage identity provider accounts and user records in CDO for their users without opening a support ticket with CDO.
Should they ever need to prevent a user from accessing CDO, they can delete the IdP account, the CDO user record, or both without opening a support ticket.
If they ever need help from Cisco TAC, they can create both an identity provider account and a CDO user record, with a read-only role, for their TAC engineer. The TAC engineer would then be able to access the customer's CDO tenant, investigate, and report back to the customer with information and suggestions.
Cisco Managed Service Providers
If Cisco Managed Service Providers (MSPs) use CDO's OneLogin IdP, they request IdP accounts for themselves and their customers by opening a ticket with CDO. They will also need to open a ticket to elevate the role of one user on every tenant they manage to Super Admin. After that, the Super Admin can create, edit, and delete CDO user records on the tenants with which they are associated.