RestAPI APIKey for SAML authentication
If you have enabled SAML authentication mode for your CAST Security Dashboard/RestAPI deployment, some client applications may not be able to authenticate. This is because SAML is designed as a single sign-on mode for browsers, so non-browser clients cannot use the protocol. To resolve this, CAST provides the ability to define an API Key in the CAST Security Dashboard/RestAPI that can be used to bypass SAML authentication.
How does this work?
- SAML authentication mode is enabled and configured for your CAST Security Dashboard/RestAPI deployment
- In addition, an API Key is defined in the security.properties file in your CAST Security Dashboard/RestAPI deployment
- The API Key is used instead of a password to authenticate
- Clients must use two specific HTTP headers to ensure that the API Key is used
  - X-API-KEY: the API Key matching the key defined in the security.properties file
  - X-API-USER: a defined user name to obtain a CAST Security Dashboard/RestAPI role and data authorization
- When an API Key is used to bypass SAML mode, the user is automatically granted the "ADMIN" role, even if this role has not been explicitly granted to the user in question.
You can find out more about this in CAST Dashboard Package, under RestAPI authentication using an API key.
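The following is an added example, not CAST's own code, of how a non-browser client supplies the two headers described above. It is written from the operator's side: because the key grants the ADMIN role to whichever user name accompanies it, the key is handled like an admin password (read from the environment, never hard-coded, refused over plain HTTP, and redacted before it reaches a log line). The base URL, the endpoint path and the environment-variable names are placeholders chosen for this example; only the header names X-API-KEY and X-API-USER come from the page.

```python
"""Added example (not CAST's own code): a non-browser client calling the
CAST RestAPI with the API-key headers that bypass SAML authentication.

Assumptions (not from the page): the base URL, the endpoint path and the
environment-variable names below are placeholders for this example.
"""
import os
import urllib.request
from urllib.parse import urlparse

# Header names are the ones the page documents; everything else is assumed.
HDR_KEY = "X-API-KEY"
HDR_USER = "X-API-USER"


def api_key_headers(api_key: str, user: str) -> dict:
    """Return the two headers the RestAPI expects when bypassing SAML.

    Both values are required: the key must match security.properties and
    the user name decides which role and data authorization apply (with
    the automatic ADMIN grant on top), so an empty value is rejected here
    rather than sent for the server to refuse.
    """
    if not api_key or not api_key.strip():
        raise ValueError(f"{HDR_KEY} must not be empty")
    if not user or not user.strip():
        raise ValueError(f"{HDR_USER} must name an existing dashboard user")
    return {HDR_KEY: api_key, HDR_USER: user}


def redact(api_key: str) -> str:
    """Form of the key that is safe to log: only the last four characters."""
    if len(api_key) <= 4:
        return "****"
    return "*" * (len(api_key) - 4) + api_key[-4:]


def build_request(base_url: str, path: str, api_key: str, user: str) -> urllib.request.Request:
    """Build (but do not send) a GET request carrying the API-key headers.

    Refuses anything but https: the key travels in clear in every request,
    so a plain-http URL would expose a credential that confers ADMIN.
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        raise ValueError("refusing to send the API key over " + (parsed.scheme or "an unparseable URL"))
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    req = urllib.request.Request(url, method="GET")
    for name, value in api_key_headers(api_key, user).items():
        req.add_header(name, value)
    req.add_header("Accept", "application/json")
    return req


def fetch(req: urllib.request.Request, timeout: float = 30.0) -> bytes:
    """Send the request and return the raw body; the caller parses it."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder base URL and path (assumptions); set the variables for your deployment.
    base = os.environ.get("CAST_RESTAPI_URL", "https://restapi.example.invalid/CAST-RESTAPI")
    key = os.environ.get("CAST_API_KEY")
    user = os.environ.get("CAST_API_USER")
    if not key or not user:
        raise SystemExit("set CAST_API_KEY and CAST_API_USER in the environment first")
    request = build_request(base, "/rest/", key, user)
    # The redacted form is the only form of the key that should ever be printed or logged.
    print("calling", request.full_url, "as", user, "with key", redact(key))
    print(fetch(request)[:200])
```

The same two headers work with any HTTP client, for instance curl's `-H "X-API-KEY: ..." -H "X-API-USER: ..."`; the point of the wrapper is that the refusal of non-https URLs and the redaction happen before the key leaves the process. Because the ADMIN grant follows the key rather than the named user, the X-API-USER value does not limit what a holder of the key can do, so the key itself should be distributed and rotated as an admin credential.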
GUI updates for Quality Standards and custom tags
It is now possible to:
- add one or more custom tiles to the dashboard that display the number of violations (critical/non-critical violations according to the filter enabled) under a specific Quality Standards tag or a custom tag that was manually injected
- configure a list of tags (Quality Standards tags or manually injected custom tags) that can be displayed in a drop-down filter in the Risk Investigation view.
- type: tile type has to be SecurityTile
- business: must always specify the metric 60016
- rule: the Quality Standards or custom tag you wish to view
- title: Title of the tile
- id: the Quality Standards or custom tag you wish to view
- description: a free text field to describe what the tile shows (not shown in the dashboard)
- color: tile color
- other parameters for sizing and positioning of the tile - see Tile Sizing and Positioning
This example will display a tile showing the number of violations tagged with a custom injected tag called CUSTOM-TAG:
It is now possible to configure a tile to display Background Facts that you have manually configured and uploaded during the snapshot generation (see Background Facts and Business Value Metric upload). The tile can display information about one metric that you have defined in the uploaded Background Facts file. See CAST Dashboard Package - Engineering Dashboard tile management for more information about configuring the tile.
- when drilling down in the Risk Investigation view
- when drilling down in the Action Plan and Exclusion lists
- when clicking More Violation Paths for security based rules
To enable the role, see Configuring User roles. When enabled, a message is displayed in the Dashboard as follows:
- Priority - the available options are the same as those provided when adding a violation to the Action Plan, with the addition of All tags. These tags are defined in the ced.json file under the "tag" item - see CAST Dashboard Package - Engineering Dashboard json configuration options.
- All tags