MobSF now supports SSO using SAML2, starting with version 4.0.1.
There are three user roles:
- Admin: This is the primary administrator account created during the initial setup. This role can manage users with other roles.
- Maintainer: This role has permission to scan, suppress, and delete.
- Viewer: This role is read-only and can only view the scan results.
For SSO integration, we only support Maintainer and Viewer roles.
!> When SSO is enabled, password authentication and the Admin role are turned off by default. To allow password login or the admin account, set the environment variable MOBSF_SP_ALLOW_PASSWORD to 1 before running MobSF.
This section covers how you can set up MobSF with Okta for SSO.
To set up Okta SSO, you need the Assertion Consumer Service URL from MobSF.
- Assertion Consumer Service (ACS) URL - This is where Okta sends the SAML assertion via HTTP POST. The ACS URL is <http/https>://<mobsf_host>:<mobsf_port>/sso/acs/. For example, if you have MobSF running in your local environment, the ACS URL will be http://localhost:8000/sso/acs/
To enable Okta SSO in MobSF, you need the Metadata URL from Okta.
- Metadata URL - This Okta URL contains metadata information required by MobSF, such as the entity ID, X509 Certificate, and SSO URL.
- Log in to your Okta Admin account.
- Under Applications, click on Create App Integration.
- Choose SAML 2.0 and click Next.
- In the General Settings, configure the following:
  - App name: MobSF
  - App logo: Use the MobSF logo
- In the next Configure SAML tab, configure the following:
  - Single sign-on URL: <MobSF ACS URL>
  - Check the box Use this for Recipient URL and Destination URL
  - Audience URI (SP Entity ID): <MobSF ACS URL>
  - Name ID format: EmailAddress
  - Application username: Email
  - Update application username on: Create and Update
- Under the Attribute Statements (optional) section, create a new attribute statement to send the user email to MobSF.
  - Name: email
  - Name format: Unspecified
  - Value: user.email
- Under the Group Attribute Statements (optional) section, create a new attribute statement to send the appropriate roles to MobSF.
  - Name: role
  - Name format: Unspecified
  - Filter: Matches Regex, .*
- In the next Feedback screen, tick the option This is an internal app that we have created and click Finish to create the MobSF Okta integration.
- You must create at least two Okta groups for the MobSF roles Maintainer and Viewer. The group name should contain the string maintainer in it to be associated with the Maintainer role, and any other group name will be assigned to the read-only Viewer role. You can add the corresponding users to each group.
- Go to the Assignment tab of the MobSF app and assign the groups corresponding to the Maintainer and Viewer roles.
- Now go to the Sign On tab of the created app and copy the Metadata URL.
- After you have created the Okta MobSF app integration, set the environment variable MOBSF_IDP_METADATA_URL to the Okta Metadata URL.
- Run MobSF, and now SSO with Okta is enabled.
When running MobSF behind a reverse proxy such as Nginx, ensure that the actual domain name reaches MobSF by setting headers such as X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-For.
Example Nginx settings:
```nginx
location / {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port 443;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    ....
}
```
Alternatively, you can directly set the hostname using the environment variable MOBSF_SP_HOST. Example: MOBSF_SP_HOST=https://mobsf.yourdomain.com
Errors such as Invalid dict settings: sp_acs_url_invalid are an indication that MobSF couldn't determine the correct hostname, and therefore could not build a valid ACS URL.