Account

The Account Settings page allows you to manage your Reblaze user accounts.

Tab: Your account details

Basic account settings

From this tab, you can reset your password, name, and phone number.

Settings for OTPs (One Time Passwords)

Reblaze uses 2FA (two factor authentication). There are several options for sending an OTP when you login:

• If only an email address is provided, the OTP will be sent via email.

• If a phone number is provided, the OTP will be sent over SMS message.

• As an alternative, you can also get a QR code for use in apps such as Google Authenticator (available for both Android and iPhone).

API Key

This tab also offers a personal API key, to be used in all requests to the Reblaze API.

Tab: Users management

This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.

Administration

An admin can:

• Create a new user

• Edit an existing user

• Reset a user's password

• Delete a user

When a user account is being edited, this will appear:

The available Access Levels are:

• Viewer: can see the Traffic section, i.e. the Dashboard and View Log.

• Editor: has all Viewer permissions, and can also configure security rulesets and policies in the Security and Settings sections.

• Organization Admin: has all Editor permissions, and can also manage users via the Users Management page.

• Reblaze Admin: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.

Tab: Single sign-on configuration

This tab allows SSO to be configured so that users have the ability to log into Reblaze with their Okta or Microsoft Azure accounts.

Configuration options will vary depending on the type of account.

Setting up SSO through Okta

1. Initial Okta setup

Go to Okta. At the top of the page, click "Try Okta", register and create an application:

• Go to https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active

• Click Add Application → Create New App

• Choose Platform: Web and Sign on method: SAML 2.0

2. Name it, setup links and attributes:

Give your app a name and click Next:

Now, configure the SAML integration, as shown in the screen below.

In the Single sign-on URL field, enter the URL in the following format:

https://{REBLAZE_CONSOLE_DOMAIN}/sso/saml20/signon

In the Audience URI field, enter the URI in the following format:

https://{REBLAZE_CONSOLE_DOMAIN}/sso/saml20/audience

[Obtain Reblaze Console Domain URL from the Reblaze Log In.]

Next, scroll down to the Attribute Statements (optional) section.

1. In the Name column, write emailaddress; in the Value column, write user.email

2. Click Add Another.

3. In the Name column, write displayname; in the Value column, write user.firstName + " " + user.lastName

4. Click Add Another.

5. In the Name column, write groups; in the Value column, write appuser.rbzgroups

6. Scroll down, click Preview the SAML Assertion, then click Next.

The screen shown below will appear. Select I'm an Okta customer adding an internal app, then click Finish at the bottom of the screen.

3. Custom User profile

Next, the Reblaze Admin group ID must be configured.

On the left side of the Okta screen, under Directory, go to Profile Editor . The screen below will appear.

In the Users tab, select Apps.

Scroll down and in the list of Profiles, locate and then click {$APP_NAME} User, where {$APP_NAME} is the name you assigned to your app earlier.

The following screen will appear. Under Attributes, click + Add Attribute.

An Add Attribute window will appear. Complete the fields as shown below, then click Save.

The next step is mapping. Return to the Profile Editor screen, and click on the Mappings tab.

The window below will appear.

Fill in the top field with appuser.rbzgroups. Click the arrow to the right of the field, and select the first option.

At the bottom of the window, click Save Mappings, then click Apply updates now.

4. Assign the application to users

Create user groups for two possible access levels: Admin and Read-Only access.

On the Okta menu on the left side of the screen:

1. Under Directory, select Groups.

2. A Groups screen appears; go to Add Group. Add a group named reblazeadmin.

3. From the left-hand menu, under Applications, select Applications.

4. An Applications screen will appear. Click your app's name. The screen shown below will open.

5. In the Assignments tab, click the Assign dropdown and select Assign to Groups, as below.

The following window will open. Select reblazeadmin, and click Assign.

The following window will open. Fill in the field as below, then click Save and Go Back. This will bring you back to the previous window (above), where you click Done.

Next, back at the app window, select the Sign On tab. In the window that appears, scroll down until the SAML Signing Certificates section. On the right hand side, click View SAML setup instructions.

This leads to the How to Configure SAML 2.0 for {$APP_NAME} Application page. You will use the information here in the next step.

5. Complete Okta SSO setup in Reblaze

At this point, you must log into the Reblaze console. Go to your Reblaze Log In screen and complete all the fields, including the MFA PIN you will receive. Click Log In.

This will bring you to the Reblaze console.

1. From the menu on the left, under Settings select Account. Your Account page will open. Click the Single sign on configuration tab.

2. In the window that appears, select Enabled.

3. To obtain the URL for the Provider URL field, return to the Okta How to Configure SAML 2.0 for {$APP_NAME} Application page.

• Copy the url from the Identity Provider Single Sign-On URL, and paste it into the Reblaze Provider URL field.

• The following revisions must be made to the URL:

  • Now, add the suffix metadata to the end of the URL (after the segment ending: saml/).

4. Fill in the name of the Admin Group (i.e., reblazeadmin).

5. Fill in the URL for the IDP Issuer field. To obtain the URL:

6. Return to the How to Configure SAML 2.0 for {$APP_NAME} Application page.

7. Copy the URL from the Identity Provider Issuer field.

8. Paste it into the Reblaze IDP Issuer field.

9. Ignore the Audience URL and Assertion URL fields (they should be disabled automatically).

10. Click Save. This will restart the console service.

On the Reblaze Log In page there will now be an additional button: SSO Login. Click to log into the Reblaze console.

Setting up SSO through Microsoft Azure

1. Get started with Azure.

Go to this MS Azure page to sign in.

You will be redirected to the Default Directory page. From the side menu, select Enterprise applications.

2. Create the SSO app.

Choose + New Application , as shown below.

In the screen below, choose + Create your own application .

Then, from the drop-down that appears, give your app a name and choose Integrate any other application you don't find in the gallery (Non-gallery). Click Create.

3. Define SAML links.

On the next screen that appears, from the left menu, select Single sign-on, then choose SAML:

The screen below will appear. Click Edit in the first block (Basic SAML Configuration) on the left.

On the right, enter values for the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) fields:

• The Identifier (Entity ID) should be provided by the customer. It must be unique for the customer’s SSO applications. The best option is to use something like: customer_domain.com?sso=123. Note that this should not contain the "https://" prefix. Also note that this value will be entered into the IDP Issuer field in the Reblaze console.

• The Reply URL (Assertion Consumer Service URL) should be: https://{REBLAZE_CONSOLE_DOMAIN}/sso/saml20/signon, where the {REBLAZE_CONSOLE_DOMAIN} can be obtained from the Reblaze Log In.

Click Save (at the top).

4. Get the Metadata XML link for later use.

Copy the App Federation Metadata URL and save it for later. This will be used as the Provider URL value in the Reblaze console.

5. Set up user.groups in Attributes & Claims.

In the second block of the screen below, click Edit.

The screen below will appear. Select + Add a group claim.

From the drop down that appears on the right:

• Choose All groups

• Choose Source attribute:Group ID

• Click Save

The following screen will appear.

6. Add a user as a member of the application.

Return to the Enterprise Application screen. From the left menu, click Users and Groups.

Click the + Add users/groups tab. Add users to the application by searching for a display name or through application registration.

7. Create an admin group and assign a user.

Go to Azure Active Directory → Groups, and create a group by clicking on the New Group tab.

Copy the Object ID and save it for later use. It will be the value for the Admin Group field in the Reblaze console.

Click on the hyperlinked group name (ReblazeAdmin); the screen below will appear. Select Members from the left menu.

Assign a user to the group:

8. Complete Azure SSO settings in Reblaze.

Go to the Reblaze console and sign in.

In the left menu, under Settings, select Account. When the screen below appears, click on the Single sign on configuration tab; set the Enabled checkbox.

For the remaining fields:

• Set Provider to Microsoft.

• Set the Provider URL to the value obtained in Step 4 (the App Federation Metadata URL).

• Set the Admin Group to the value obtained in Step 7 (the Object ID).

• Ignore the remaining fields. (IDP Issuer should have been set automatically, while Audience URL and Assertion URL should have been disabled.)

After the fields are filled in, click Save.