Account

Changing user settings

The Account Settings page allows you to manage your Reblaze user accounts.

Tab: Your account details

Basic account settings

From this tab, you can change your password, name, and phone number.

Settings for OTPs (One Time Passwords)

Reblaze uses 2FA (two-factor authentication). There are several options for sending an OTP when you log in:

  • If only an email address is provided, the OTP will be sent via email.

  • If a phone number is provided, the OTP will be sent by SMS.

  • As an alternative, you can also get a QR code for use in apps such as Google Authenticator (available for both Android and iPhone).

API Key

This tab also offers a personal API key, to be used in all requests to the Reblaze API.

Tab: Users management

This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.

Administration

An admin can:

  • Create a new user

  • Edit an existing user

  • Reset a user's password

  • Delete a user

When a user account is being edited, this will appear:

The available Access Levels are:

  • Viewer: can see the Traffic section, i.e. the Dashboard and View Log.

  • Editor: has all Viewer permissions, and can also configure security rulesets and policies in the Security and Settings sections.

  • Organization Admin: has all Editor permissions, and can also manage users via the Users Management page.

  • Reblaze Admin: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.

Tab: Single sign on configuration

This tab allows SSO to be configured so that users can log in to Reblaze with their Okta or Microsoft accounts.

Configuration options will vary depending on the type of account.

Set up Okta SSO

1. Go to Okta, register and create an application:

Go to https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active

Click Add Application > Create New App

Choose Platform: Web, Sign on method: SAML 2.0

Single sign on URL:

The value of the RBZ_SSO_ASSERTION_URL environment variable. It should look like: https://{CUSTOMER_DOMAIN}/sso/saml20/signon

Audience URI (SP Entity ID):

The value of the RBZ_SSO_AUDIENCE_URL environment variable. It should look like: https://{CUSTOMER_DOMAIN}/sso/saml20/audience

Attribute Statements:

emailaddress: user.email

displayname: user.firstName + " " + user.lastName

groups: appuser.rbzgroups

3. Custom User profile

To pass the Admin group ID, a custom attribute must be added to the user groups. Go to Directory > Profile Editor > Apps and click on Profile.

The next step is to map it.

Go to Directory > Profile Editor > Apps and click on Mappings.

4. Assign the application to users

Create user groups for two possible access levels: Admin and Read-Only access.

Assign users to them. The group name is the string you need for RBZSSOSAML2_ADMINGROUP; alternatively, enter the group name in the Reblaze console SSO settings.

And in your just-created Application settings:

On the assignment step, a value will be required for the custom attribute that was configured earlier. For the admin group, the value will be the same as RBZSSOSAML2_ADMINGROUP, while for the read-only group it can be anything else.

Add the URL of the XML metadata file to the RBZ_SSO_META_URL environment variable (and/or to the Provider URL field in admin). Example URL: https://vreagles.okta.com/app/exkl1t3p61ek810CP5d6/sso/saml/metadata

6. Where to get RBZ_SSO_IDP_ISSUER:

Go to Applications, choose yours, open the Sign On tab, and click on View Setup Instructions.

There you'll find the Identity Provider Issuer.
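To check the Okta setup above against an assertion captured from your own IdP, the following added example (not Reblaze's code) parses a decoded SAML assertion and reports whether the issuer, audience and the three attribute statements match the configured values. The sample assertion, host name, issuer ID and group name are constructed placeholders, and the exact-match group comparison is an assumption. The script does not verify signatures, so it is a configuration check only.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("emailaddress", "displayname", "groups")  # attribute names from the Okta setup

# Constructed sample assertion (placeholder values, signature omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_ID</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://console.example.com/sso/saml20/audience</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>rbz-admins</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, issuer, audience, admin_group):
    """Return (problems, access) for a decoded assertion. Does NOT verify the signature."""
    root = ET.fromstring(xml_text)
    problems = []
    # Issuer must equal the value configured as RBZ_SSO_IDP_ISSUER.
    if root.findtext(".//saml:Issuer", "", NS).strip() != issuer:
        problems.append("Issuer does not match RBZ_SSO_IDP_ISSUER")
    # Audience must equal the value configured as RBZ_SSO_AUDIENCE_URL.
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append("Audience does not match RBZ_SSO_AUDIENCE_URL")
    # Collect every attribute statement as name -> list of values.
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing or empty attribute: {name}")
    # Assumption: admin access needs an exact, case-sensitive match on the group value;
    # any other value is treated as read-only.
    access = "admin" if admin_group in attrs.get("groups", []) else "read-only"
    return problems, access

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "http://www.okta.com/EXAMPLE_ISSUER_ID",
                          "https://console.example.com/sso/saml20/audience", "rbz-admins"))
```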

Set up Microsoft Azure SSO

1. Go to Azure Portal > Enterprise applications

2. Choose + New Application > + Create your own application:

3. Choose the option "Integrate any other application you don't find in the gallery (Non-gallery)" (this option will create an SSO app):

4. Go to the Single sign-on section and choose SAML:

5. Set up appropriate links:

RBZ_SSO_IDP_ISSUER should be provided by the customer and must be unique among the customer’s SSO applications. The best option is to use something like: https://customer_domain.com?sso=123. The IDP Issuer field (in the console) should be identical to the Identifier field (in Azure).

6. Get the Metadata XML link and add it to the RBZ_SSO_META_URL environment variable:

7. Set up user.groups in User Attributes & Claims, so that it sends all groups related to the user:

Click on “+ Add a group claim”, choose:

  • All groups

  • Source attribute: Group ID

8. Add a user as a member of the application:

9. Get the admin group ID from Azure and put it into the RBZ_SSO_ADMIN_GROUP environment variable: go to Azure Active Directory > Groups and create a group.

The Object ID is the string you need for RBZ_SSO_ADMIN_GROUP; alternatively, enter the group ID in the Reblaze console SSO settings:

And assign a user to the group: