401 when trying to access SecOps - Chronicle service Admin

FWIW: I would recommend not showing the api root of your SOAR instance (the part before siemplify.soar.com is unique.

What tools are you trying to access? Are you using GAIA or BYOID? Is anyone able to access the tenant?

You may need Chronicle API Admin and Chronicle SOAR admin if you are unable to access the UI.

If you're using BYOID:

• Check that you are passing all required attributes (especially groups) in your SAML request
• Those groups need to be in SOAR Settings IDP Group Mappings
  https://cloud.google.com/chronicle/docs/soar/admin-tasks/saml-soar-only/idp-group-mapping-soar-only

Do you see a message in the corner of the screen with more detail on the 401?

For example, one error I have seen in the past is "401: Cannot Authenticate user, because user does not have access to the GCP project"

If that's the issue, make sure the user/group has "chronicle.instances.get" and "resourcemanager.projects.get" IAM permissions.

This usually happens if the group trying to login has not been updated in the IDP group mapping section of the SOAR settings. 

Please use an admin account of someone who can login and go to Settings -> SOAR settings -> Advanced -> IDP group mapping, and add the groups that you've created on the IDP. 

The other thing to mention is that you should assign the Chronicle API admin role instead of the Chronicle Service Admin role. 

Hi, 

Thanks for your response. The admin roles now allow users access, however I do not want to give admin permissions to everyone who needs access. Isn't there a different role that still allows access to the UI without being an admin?

Thanks

See the following doc - https://cloud.google.com/chronicle/docs/onboard/configure-feature-access#overview-perm-role

After you granted the API Admin and SOAR Admin roles, people gained access again?

Hi @cmorris I'm getting this EXACT error message (displayed on the lower left of the login screen). I can't find any permissions in IAM for chronicle.instances.get. I have assigned these permissions to my account and I still get the same error:

• Advisory Notifications Viewer
• Chronicle API Admin
• Chronicle API Federation Admin
• Chronicle API Global Data Access
• Chronicle Service Admin
• Chronicle SOAR Admin
• Editor
• Organization Administrator
• Owner
• Project IAM Admin

What else needs to be done?

Hey @jsy ,

This would be a symptom of incorrect IDP group mapping attributes. 

Please follow https://cloud.google.com/iam/docs/troubleshooting-workforce-identity-federation#inspect-idp-response and check the SAML response for the group attribute to see if it matches the principalset in IAM. 

So what I've done now is:

I've gone ahead and added `principalSet://iam.googleapis.com/locations/global/workforcePools/<WORKFORCE_POOL_ID>/group/<WORKFORCE_PROVIDER_ID>` under the GCP project with Chronicle and given it Chronicle API Admin rights.

In my provider details, I have mapped

google.subject to asesertion.email (returned as an email address by Okta)

google.groups to assertion.groups (this is returned as an array by Okta)

so I momentarily saw this when I tried to login: "You do not have sufficient permissions to access the resource or perform the operation. Missing permissions include: chronicle.preferenceSets.get. Contact your administrator to grant permissions".

Thereafter all attempts at logging on throws me a "An error occurred during Authentication. Please try again later." visible on the lower left of the screen.

Hi @jsy , the WORKFORCE_PROVIDER_ID is not required here. you will have to add the group name or group id ( whatever is returned in assertion.groups ). 

Example of a principalset is : `

principalSet://iam.googleapis.com/locations/global/workforcePools/WORKFORCE_POOL_ID/group/GROUP_ID

 https://cloud.google.com/chronicle/docs/onboard/configure-feature-access#custom-role