Appendix — SAML Integration for Microsoft Entra ID

OT Security supports integration with Microsoft Entra ID via SAML protocol. This enables Azure users who were assigned to OT Security to log in to OT Security via SSO. You can use group mapping to assign roles in OT Security according to the groups to which users are assigned in Azure.

This section explains the complete flow for setting up a Single Sign-on (SSO) integration for OT Security with Microsoft Entra ID. The configuration involves setting up the integration by creating a OT Security application in Microsoft Entra ID, entering information about your created OT Security application and uploading your identity provider’s Certificate to the OT Security SAML page, and then mapping groups from your identity provider to User Groups in OT Security.

To set up the configuration, you need to be logged in as an admin user in both Microsoft Entra ID and OT Security.

Step 1 - Create the Tenable Application in Microsoft Entra ID

To create the Tenable application in Microsoft Entra ID:

  1. In Microsoft Entra ID, go to Microsoft Entra ID > Enterprise Applications, click + New application to display the Browse Microsoft Entra ID Gallery, and click + Create your own application.

    The Create your own application side panel appears.

  2. In the What’s the name of your app? field, enter a name for the application (for example Tenable_OT) and select Integrate any other application you don’t find in the gallery (Non-gallery) (default selected), then click Create to add the application.

Step 2- Initial Configuration

This step is the initial configuration of the OT Security application in Azure, consisting of creating temporary values for Basic SAML Configuration values Identifier and Reply URL, in order to enable download of the required Certificate.

Note: Only fields specified in this procedure must be configured. Other fields may be left with their default values.

To do initial configuration:

  1. In the Microsoft Entra ID navigation menu, click Single sign-on, then selected SAML as the single sign-on method.

    The SAML-based Sign-on screen appears.

  2. In section 1 – Basic SAML Configuration, click on Edit .

    The Basic SAML Configuration side panel appears.

  3. In the Identifier (Entity ID) field, enter a temporary ID for the Tenable application (for example tenable_ot).

  4. In the Reply URL (Assertion Consumer Service URL) field, enter a valid URL (for example https://OT Security).

    Note: Both the Identifier and Reply URL is changed later in the configuration process.

  5. Click Save to save the temporary values and close the Basic SAML Configuration side panel.

  6. In section 4 - Set up, click the copy icon to copy the Microsoft Entra ID Identifier.

  7. Switch to the OT Security console, and go to Users and Roles > SAML.

  8. Click Configure to display the Configure SAML side panel, and paste the copied value into the IDP ID field.

  9. In the Azure console, click the icon to copy the Login URL.

  10. Return to the OT Security console and paste the copied value into the IDP URL field.

  11. In the Azure console, in section 3 - SAML Certificates, for Certificate (Base64), click Download.

  12. Return to the OT Security console, and under Certificate Data, click Browse, then navigate to the security certificate file and select it.

  13. In the Azure console, in section 2 – Attributes & Claims, click Edit.

  14. Under Additional claims, select and copy the Claim name URL corresponding to the Value user.userprincipalname.

  15. Return to the Tenable console and paste this URL in the Username Attribute field.

  16. In the Azure console, click on + Add a group claim to display the Group Claims side panel, and under Which groups associated with the user should be returned in the claim? Choose All Groups and click Save.

    Note: If you have groups setting enabled in Microsoft Azure, you may choose Groups assigned to the application instead of All Groups, and Azure provides only the user groups that are assigned to the application.

  17. Under Additional claims, highlight and copy the Claim name URL associated with the Value user.groups [All].

  18. Return to the Tenable console and paste the copied URL in the Groups Attribute field.

  19. If you would like to add a description of the SAML configuration, enter it in the Description field.

Step 3 - Map Azure Users to Tenable Groups

In this step, Microsoft Entra ID users are assigned to the OT Security application. The permissions granted to each user are designated by mapping between the Azure groups to which they are assigned and a pre-defined OT Security User Group, which has an associated role and set of permissions. The OT Security pre-defined User Groups are: Administrators, Read-Only User, Security Analysts, Security Managers, Site Operators, and Supervisors. For more information, see Users and Roles. Each Azure user must be assigned to at least one group that is mapped to a OT Security User Group.

Note: Admin users logged in via SAML are considered Admin (External) users, and are not granted all the privileges of local Admins. Users assigned to multiple User Groups are granted the highest possible permissions from among their groups.

To map Azure users to OT Security:

  1. In Microsoft Azure, navigate to the Users and groups page and click on + Add user/group.

  2. In the Add Assignment screen, under Users, click None Selected.

    The Users side panel appears.

    Note: If you have groups setting enabled in Microsoft Azure and have previously selected Groups assigned to the application instead of All Groups, you may choose to assign groups instead of individual users.

  3. Search for and click on all desired users, then click Select, then click Assign to assign them to the application.

    The Users and groups page appears.

  4. Click on the Display Name of a user (or group) to display that user’s (or group’s) Profile.

  5. In the Profile screen, in the left-side navigation bar, select Groups to display the Groups screen.

  6. Under Object Id, highlight and copy the value for the group that will be mapped to Tenable.

  7. Return to the OT Security console and paste the copied value in the desired Group Object ID field (for example Administrators Group Object ID).

  8. Repeat steps 1-7 for each group that you would like to map to a distinct User Group in OT Security.

  9. Click Save to save and close the side panel.

    The SAML screen appears in the OT Security console with the configured information.

Step 4 - Finalizing the Configuration in Azure

To finalize the configuration in Azure:

  1. In the OT Security SAML screen, under Entity ID, click the copy icon.

  2. Switch to the Azure screen and click Single sign-on in the left-side navigation menu to open the SAML-based Sign-on page.

  3. In section 1 - Basic SAML Configuration, click Edit, and paste in the copied value in the Identifier (Entity ID) field, replacing the temporary value you previously entered.

  4. Return to the OT Security SAML screen, and under URL, click the copy icon.

  5. In the Azure console, and In the Basic SAML Configuration side panel, under Reply URL (Assertion Consumer Service URL), paste the copied URL, replacing the temporary URL you previously entered.

  6. Click Save to save the configuration, and close the side panel.

    The configuration is complete, and the connection appears on the Azure Enterprise applications screen.

Step 5 – Activate the Integration

To activate the SAML integration, OT Security must be restarted. The user may restart the system immediately or choose to restart it later.

To activate the integration:

  1. In the OT Security console, on the SAML screen, click to toggle the SAML single sign on login button ON.

    The System Restart notification window appears.

  2. Click Restart Now to restart the system and apply the SAML configuration immediately, or click Restart Later to delay the application of the SAML configuration the next time the system is restarted. If you choose to restart later, the following banner is shown until the restart is done:

Signing in Using SSO

Upon restarting, the OT Security login window has a new Sign in via SSO link underneath the Log in button. Azure users who were assigned to OT Security can log in to OT Security using their Azure account.

To sign in using SSO:

  1. On the OT Security login screen, click the Sign in via SSO link.

    If you are already logged in to Azure, you are taken directly to the OT Security console, otherwise you are redirected to the Azure sign-in page.

    Users with more than one account are redirected to the Microsoft Pick an account page, where they can select the desired account for login.