About the Identity Provider Account and CDO User Record
To log in to Cisco Defense Orchestrator (CDO), a customer needs an account with a SAML 2.0-compliant identity provider (IdP), a multi-factor authentication provider, and a user record in CDO. The IdP account holds the user's credentials, and the IdP authenticates the user against those credentials. Multi-factor authentication adds a further layer of identity assurance on top of the password. The CDO user record primarily contains the username, the CDO tenant with which the user is associated, and the user's role. When a user logs in, CDO tries to map the user ID asserted by the IdP to an existing user record on a tenant in CDO. When CDO finds a match, the user is logged in to that tenant.
Unless your enterprise has its own single sign-on identity provider, your identity provider is Cisco Secure Sign-On. Cisco Secure Sign-On uses Duo for multi-factor authentication. Customers can integrate their own IdP with CDO if they choose.
This is a simplified description of how the IdP account interacts with the CDO user record to log in a CDO user:
- The user requests access to CDO by trying to connect directly to https://defenseorchestrator.com or https://defenseorchestrator.eu and they are redirected to a SAML 2.0-compliant identity provider (IdP) such as Cisco Secure Sign-On (https://security.cisco.com) for authentication.
- The IdP issues a SAML assertion that the user is authentic and redirects the user to https://defenseorchestrator.com or https://defenseorchestrator.eu.
- CDO validates the SAML assertion, extracts the username, and attempts to find a user record among its tenants that corresponds to that username.
- If the user has a user record on a single tenant on CDO, CDO grants the user access to the tenant and the user's role determines the actions they can take.
- If the user has a user record on more than one tenant, CDO presents the authenticated user with a list of tenants they can choose from. The user picks a tenant and is allowed to access the tenant. The user's role on that specific tenant determines the actions they can take.
- If CDO does not have a mapping for the authenticated user to a user record on a tenant, CDO displays a landing page giving users the opportunity to learn more about CDO or request a free trial.
Creating a user record in CDO does not create an account in the IdP, and creating an account in the IdP does not create a user record in CDO.
Similarly, deleting an account on the IdP does not delete the user record from CDO, although without the IdP account there is no way to authenticate that user to CDO. Deleting the CDO user record does not delete the IdP account, although without the CDO user record an authenticated user has no way to access a CDO tenant. Access therefore requires both halves to exist, and removing either one is enough to block it.
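The login flow listed above, and the decoupling of IdP account from CDO user record, as an added example written for this page rather than CDO's own code. It decodes a constructed SAMLResponse, checks status, issuer and subject, then maps the asserted NameID onto a constructed multi-tenant user directory to produce the three outcomes (single tenant, tenant picker, landing page). The IdP entity ID, the exact-match username rule and the tenant and user names are assumptions; XML signature verification is assumed to have happened upstream in the SAML library and is not modelled.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SAML 2.0 namespaces used by the Response and Assertion elements.
SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumption: the issuer CDO expects. The page names Cisco Secure Sign-On at
# https://security.cisco.com; the real SAML entity ID is not given there.
EXPECTED_ISSUER = "https://security.cisco.com"


@dataclass(frozen=True)
class UserRecord:
    """Minimal CDO user record: username, tenant and role."""
    username: str
    tenant: str
    role: str


@dataclass(frozen=True)
class LoginOutcome:
    action: str                    # "grant", "choose_tenant" or "landing_page"
    tenants: Tuple[str, ...] = ()  # granted tenant, or tenants offered to pick from
    role: Optional[str] = None     # role on the granted tenant


# Constructed sample directory: tenant name -> user records on that tenant.
# alice has records on two tenants, bob on one, msp-ops is an MSP operator.
DIRECTORY: Dict[str, List[UserRecord]] = {
    "acme-prod": [UserRecord("alice@example.com", "acme-prod", "Super Admin"),
                  UserRecord("msp-ops@example.net", "acme-prod", "Admin")],
    "acme-lab": [UserRecord("alice@example.com", "acme-lab", "Read-Only")],
    "globex": [UserRecord("bob@example.com", "globex", "Admin")],
}


def make_saml_response(name_id: str, status: str = STATUS_SUCCESS) -> str:
    """Constructed, unsigned SAML Response as it would arrive in the
    SAMLResponse POST field (base64 of the XML). Test input only."""
    xml = f"""<samlp:Response xmlns:samlp="{SAML_NS['samlp']}"
    xmlns:saml="{SAML_NS['saml']}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://defenseorchestrator.com">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def extract_username(saml_response_b64: str) -> str:
    """Return the NameID asserted by the IdP. Assumption: the XML signature was
    already verified upstream; only status, issuer and subject are checked here.
    Parse untrusted XML with defusedxml in production, not plain ElementTree."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", SAML_NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report a successful authentication")
    assertion = root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=SAML_NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError(f"assertion from unexpected issuer {issuer!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    if not name_id.strip():
        raise ValueError("assertion has no NameID")
    return name_id.strip()


def user_records_for(username: str, directory) -> List[UserRecord]:
    """User records on any tenant whose username equals the asserted one
    (exact match is an assumption; the page only says the names must match)."""
    return [r for records in directory.values() for r in records if r.username == username]


def resolve_login(username: str, directory) -> LoginOutcome:
    """The three outcomes from the list above: one tenant, several, or none."""
    records = user_records_for(username, directory)
    if len(records) == 1:
        return LoginOutcome("grant", (records[0].tenant,), records[0].role)
    if records:
        return LoginOutcome("choose_tenant", tuple(sorted(r.tenant for r in records)))
    return LoginOutcome("landing_page")


def select_tenant(username: str, tenant: str, directory) -> LoginOutcome:
    """Second step of the multi-tenant case. The chosen tenant comes back from
    the browser, so it is re-checked against the user records, never trusted."""
    for r in user_records_for(username, directory):
        if r.tenant == tenant:
            return LoginOutcome("grant", (tenant,), r.role)
    raise PermissionError(f"{username} has no user record on tenant {tenant}")


def login(saml_response_b64: str, directory) -> LoginOutcome:
    return resolve_login(extract_username(saml_response_b64), directory)


def delete_user_record(username: str, tenant: str, directory) -> Dict[str, List[UserRecord]]:
    """Remove only the CDO user record. The IdP account is untouched, yet the
    user can no longer reach that tenant: the decoupling described above."""
    return {t: [r for r in records if not (t == tenant and r.username == username)]
            for t, records in directory.items()}
```

The point worth noticing is in `select_tenant`: after the picker, the tenant name is client-supplied, so it is resolved against the user's own records again rather than trusted, which keeps a user from entering a tenant where they have no record. Deleting bob's record on `globex` sends a still-valid IdP login straight to the landing page, exactly as the text describes.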
Implications of this Architecture
Customers Who Use Cisco Secure Sign-On
For customers who use CDO's Cisco Secure Sign-On identity provider, a Super Admin creates the user record in CDO and the user self-registers with Cisco Secure Sign-On. If the username on the CDO user record matches the Cisco Secure Sign-On username, and the user authenticates successfully, the user can log in to CDO.
Should the Super Admin ever need to prevent a user from accessing CDO, they can simply delete that user's CDO user record. The Cisco Secure Sign-On account will still exist, and if the Super Admin later wants to restore the user, they can do so by creating a new CDO user record with the same username as the one used for Cisco Secure Sign-On.
Should a customer ever run into a problem with CDO that requires a call to our Technical Assistance Center (TAC), the customer can create a user record for the TAC engineer (a read-only role is enough for investigation) so the engineer can examine the tenant and report back to the customer with information and suggestions. Deleting that record afterwards removes the engineer's access.
Customers Who Have Their Own Identity Provider
Customers who have their own identity provider control both the identity provider accounts and the CDO user records. These customers create and manage both the accounts in their IdP and the user records in CDO.
Should they ever need to prevent a user from accessing CDO, they can delete the IdP account, the CDO user record, or both.
If they ever need help from Cisco TAC, they can create both an identity provider account and a CDO user record, with a read-only role, for their TAC engineer. The TAC engineer would then be able to access the customer's CDO tenant, investigate, and report back to the customer with information and suggestions.
Cisco Managed Service Providers
If Cisco Managed Service Providers (MSPs) use CDO's Cisco Secure Sign-On IdP, they can self-register for Cisco Secure Sign-On, and their customers can create a user record for them in CDO so that the MSP can manage the customer's tenant. The customer retains full control and can delete the MSP's user record whenever they choose, which ends the MSP's access to that tenant without affecting the MSP's Cisco Secure Sign-On account.