CarbonBlack EDR Integration with Workspace ONE Access

VMware Carbon Black Enterprise EDR is an advanced threat hunting and incident response solution delivering continuous visibility for top security operations centers (SOCs) and incident response (IR) teams.

The Carbon Black EDR web UI cannot authenticate administrators against Active Directory or LDAP, nor does it support multi-factor authentication. It does, however, support SAML integration with an identity provider. Without that integration, local administrator accounts have to be created manually. Below we focus on integrating Carbon Black EDR with VMware Workspace ONE Access (formerly vIDM).

This integration has been verified with the following versions:

  • Carbon Black EDR 7.2.0
  • Workspace ONE Access 20.01

Figure: CarbonBlack EDR integration with Workspace ONE Access

Prerequisites

  1. VMware Workspace ONE Access is deployed and operating.
  2. Download Workspace ONE Access metadata.
    Go to Administration Console – Catalog – Web Apps – Settings – SAML Metadata – Identity Provider (IdP) metadata

Action

CarbonBlack EDR Server

  1. Copy the metadata XML downloaded from Workspace ONE Access to the /etc/cb/sso directory on the Carbon Black EDR server host (the configuration below refers to it as /etc/cb/sso/idp.xml).
  2. On the Carbon Black EDR server, navigate to /etc/cb/sso and:
    a. Copy /etc/cb/sso/sso.conf.example.adfs to /etc/cb/sso/sso.conf
    b. Copy /etc/cb/sso/attr_map.py.example.adfs to /etc/cb/sso/attr_map.py
  3. Edit the attr_map.py file and change the following line:

if any( 'Administrators' in role for role in roles ):

to

if any( '<AD Group Name for CarbonBlack Administrators>' in role for role in roles ):

The group name must match the group's name in Active Directory exactly, including any special characters, and must not be followed by the domain (e.g. CarbonBlack Admins).

This script creates a user account and assigns rights when a matching group name is passed in the SAML attributes.
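To make the role check concrete, here is an added Python example; it is not the contents of Carbon Black's attr_map.py and does not reproduce that file's real interface, and the function names and the group name "CarbonBlack Admins" are assumptions. It consumes attributes under the claim URIs that the Workspace ONE Access custom attribute mapping emits and contrasts the template's substring test with an exact comparison: the substring test as written also accepts any group whose name merely contains the administrator group's name.

```python
"""Turn Workspace ONE Access SAML attributes into a Carbon Black EDR user record.

Added example: it does not reproduce the interface of /etc/cb/sso/attr_map.py.
The function names and the group name "CarbonBlack Admins" are assumptions.
"""

# Claim URIs as configured in the Workspace ONE Access custom attribute mapping.
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# AD group that grants administrator rights (assumed name, no domain suffix).
ADMIN_GROUP = "CarbonBlack Admins"


def is_admin_substring(roles, admin_group=ADMIN_GROUP):
    """The test as written in the template: a substring match on each role value.
    "CarbonBlack Admins" therefore also matches "CarbonBlack Admins - Readonly"."""
    return any(admin_group in role for role in roles)


def is_admin(roles, admin_group=ADMIN_GROUP):
    """Exact, case-sensitive comparison of each group name in the role attribute."""
    return any(role.strip() == admin_group for role in roles)


def saml_attributes_to_user(attributes, admin_group=ADMIN_GROUP):
    """Build the user record an SSO hook would create from the assertion.

    `attributes` maps claim URI -> list of values, the shape pysaml2 delivers.
    Refuses to create an account when the e-mail address claim is absent.
    """
    def first(uri):
        values = attributes.get(uri) or []
        return values[0] if values else ""

    email = first(EMAIL)
    if not email:
        raise ValueError("emailaddress claim missing; not creating an account")
    return {
        "username": email,
        "first_name": first(GIVENNAME),
        "last_name": first(SURNAME),
        "email": email,
        "is_admin": is_admin(attributes.get(ROLE) or [], admin_group),
    }


# Constructed sample assertions (not captured from a real IdP).
SAMPLE_ADMIN = {
    GIVENNAME: ["Ann"], SURNAME: ["Analyst"], EMAIL: ["ann@example.com"],
    ROLE: ["Domain Users", "CarbonBlack Admins"],
}
SAMPLE_LOOKALIKE = {
    GIVENNAME: ["Bob"], SURNAME: ["Builder"], EMAIL: ["bob@example.com"],
    ROLE: ["CarbonBlack Admins - Readonly"],
}

if __name__ == "__main__":
    for sample in (SAMPLE_ADMIN, SAMPLE_LOOKALIKE):
        roles = sample[ROLE]
        print(saml_attributes_to_user(sample)["username"],
              "substring:", is_admin_substring(roles), "exact:", is_admin(roles))
```

Run stand-alone, the script shows that the second sample is granted administrator rights by the substring test but not by the exact comparison. When the group names in your directory are prefixes of one another, the exact form is the one to keep in attr_map.py.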

  4. Edit the /etc/cb/sso/sso.conf file and change the following lines:

    a. Change the login label:

"login_ui_sso_label": "Login with FakeIpd",

to

"login_ui_sso_label": "Login with WorkSpace ONE Access",

    b. Update the service / sp / idp section with the Workspace ONE Access FQDN:

# EntityId of the IDP
"https://fakeipd.adfs.com": {

to

# EntityId of the IDP
"https://<Workspace ONE Access FQDN>": {

    c. Update the single_sign_on_service and single_logout_service sections with the appropriate Workspace ONE Access FQDN:

"single_sign_on_service": {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://fakeipd.adfs.com/adfs/ls/"
},
"single_logout_service": {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://fakeipd.adfs.com/adfs/ls/?wa=wsignout1.0"
},

to

"single_sign_on_service": {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://<Workspace ONE Access FQDN>/SAAS/auth/login"
},
"single_logout_service": {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://<Workspace ONE Access FQDN>/SAAS/auth/logout"
},

    d. In the endpoints section, update the assertion_consumer_service and single_logout_service fields with the appropriate FQDN of the CarbonBlack EDR server:

"endpoints": {
    "assertion_consumer_service": {
        "https://<FQDN>/api/saml/assertion": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    },
    "single_logout_service": {
        "https://<FQDN>/api/saml/logout": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    }
},

    e. Update the entityid field with the appropriate FQDN of the CarbonBlack EDR server:

"entityid": "https://<FQDN>/",

    f. Specify the path to the Workspace ONE Access metadata XML copied in step 1:

"metadata": {
    "local": [
        "/etc/cb/sso/FederationMetadata.xml"
    ]
},

to

"metadata": {
    "local": [
        "/etc/cb/sso/idp.xml"
    ]
},

  5. Open the /etc/cb/cb.conf file and uncomment the SSOConfig property so that it contains the full path to the SSO configuration file created in the previous steps.
  6. Generate the Carbon Black EDR server's SSO service provider metadata XML file by issuing this command:
    /usr/share/cb/cbssl sso --make-metadata > /etc/cb/sso/cbrmetadata.xml
  7. Copy this file somewhere accessible; it will be uploaded to Workspace ONE Access later.
  8. Restart the Carbon Black EDR server by issuing this command:
    sudo service cb-enterprise restart
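As an added check, not part of the original post or of Carbon Black's tooling, the following Python script cross-checks an edited sso.conf against the IdP metadata copied in step 1 before the server is restarted: the entry under service / sp / idp must be keyed by the entityID found in the metadata, the single_sign_on_service and single_logout_service URLs must equal the metadata's HTTP-Redirect locations, the endpoints and entityid must carry the EDR server's FQDN, and no fakeipd template placeholder may remain. The inline sso.conf and metadata are constructed samples using the assumed FQDNs cbedr.example.com and ws1a.example.com; sso.conf is treated as JSON, as the excerpts above show, and the placement of endpoints under service / sp is assumed from pysaml2 convention.

```python
"""Cross-check an edited Carbon Black EDR sso.conf against the IdP metadata.

Added example, not Carbon Black's or VMware's code. Both documents below are
constructed samples; the sso.conf layout follows the excerpts in the post and
the position of "endpoints" under service.sp is assumed.
"""
import json
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata shaped like a Workspace ONE Access export (not a real export).
IDP_METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ws1a.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ws1a.example.com/SAAS/auth/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ws1a.example.com/SAAS/auth/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sso.conf with the post's edits applied (only the keys the post touches).
SSO_CONF_JSON = """{
  "login_ui_sso_label": "Login with Workspace ONE Access",
  "entityid": "https://cbedr.example.com/",
  "service": {
    "sp": {
      "idp": {
        "https://ws1a.example.com": {
          "single_sign_on_service": {
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://ws1a.example.com/SAAS/auth/login"
          },
          "single_logout_service": {
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "https://ws1a.example.com/SAAS/auth/logout"
          }
        }
      },
      "endpoints": {
        "assertion_consumer_service": {
          "https://cbedr.example.com/api/saml/assertion": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        },
        "single_logout_service": {
          "https://cbedr.example.com/api/saml/logout": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        }
      }
    }
  },
  "metadata": {"local": ["/etc/cb/sso/idp.xml"]}
}"""


def parse_idp_metadata(xml_text):
    """Extract entityID and the per-binding SSO/SLO locations from IdP metadata."""
    root = ET.fromstring(xml_text)
    ns = {"md": SAML_MD}

    def locations(tag):
        return {e.get("Binding"): e.get("Location")
                for e in root.findall(f"md:IDPSSODescriptor/md:{tag}", ns)}

    return {"entity_id": root.get("entityID"),
            "sso": locations("SingleSignOnService"),
            "slo": locations("SingleLogoutService")}


def audit_sso_conf(conf, idp, cb_fqdn):
    """Return a list of findings; an empty list means the edited values agree."""
    findings = []
    if "fakeipd" in json.dumps(conf).lower():
        findings.append("template placeholder 'fakeipd' still present in sso.conf")
    sp = conf["service"]["sp"]
    entry = sp["idp"].get(idp["entity_id"])
    if entry is None:
        findings.append(f"no service.sp.idp entry keyed by metadata entityID {idp['entity_id']}")
    else:
        for key, expected in (("single_sign_on_service", idp["sso"].get(REDIRECT)),
                              ("single_logout_service", idp["slo"].get(REDIRECT))):
            if entry.get(key, {}).get(REDIRECT) != expected:
                findings.append(f"{key} URL differs from the IdP metadata ({expected})")
    endpoints = sp["endpoints"]
    for key, path in (("assertion_consumer_service", "/api/saml/assertion"),
                      ("single_logout_service", "/api/saml/logout")):
        url = f"https://{cb_fqdn}{path}"
        if endpoints.get(key, {}).get(url) != POST:
            findings.append(f"endpoints.{key} should map {url} to HTTP-POST")
    if conf.get("entityid") != f"https://{cb_fqdn}/":
        findings.append(f"entityid should be https://{cb_fqdn}/")
    if not conf.get("metadata", {}).get("local"):
        findings.append("metadata.local does not list the copied IdP metadata file")
    return findings


def audit_from_text(conf_json, metadata_xml, cb_fqdn):
    """Parse both documents (e.g. read from /etc/cb/sso) and audit them."""
    return audit_sso_conf(json.loads(conf_json), parse_idp_metadata(metadata_xml), cb_fqdn)


if __name__ == "__main__":
    for line in audit_from_text(SSO_CONF_JSON, IDP_METADATA_XML, "cbedr.example.com") or ["sso.conf is consistent"]:
        print(line)
```

Whatever the exact entityID string in the downloaded metadata turns out to be, the key under service / sp / idp has to match it character for character, which is why the script reads it from the metadata rather than assuming a shape. To use it on a real host, read /etc/cb/sso/sso.conf and /etc/cb/sso/idp.xml into the two strings and pass the server's FQDN.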

Workspace ONE Access

  1. Connect to the Workspace ONE Access Administration Console and go to Catalog – New. Provide a name for the new application.
  2. On the Configuration page, paste the content of the cbrmetadata.xml file into the URL/XML field.
  3. Save, then assign the application to the necessary user groups.
  4. Edit the created application and go to the Configuration tab. Change the following:
    a. Username Format – Transient
    b. Sign Response – Yes
    c. Sign Assertion – Yes

Figure: Edit SaaS Application Configuration

    d. Change Custom Attribute Mapping to the following:

Name | Format | Namespace | Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Basic | [xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"] | ${user.firstName}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Basic | [xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"] | ${user.lastName}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Basic | [xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"] | ${user.email}
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Basic | [xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"] | ${groupNames}

Figure: Edit SaaS Custom Attribute Mapping

Verify Access

Open the Carbon Black Enterprise EDR web GUI and, instead of entering local credentials, click Login with Workspace ONE Access. You will either be redirected to the Workspace ONE Access (WS1A) login page or, if you already have an authenticated WS1A session, taken straight to the Carbon Black EDR console.

Figure: Carbon Black Enterprise EDR Login
