Configure SAML Integration for Tenable One

Configure SAML on your Tenable One instance to access OT Security using SSO.

The OT Exposure tile on the Tenable One Workspace page is disabled by default. To enable the OT Exposure tile, you must first configure SAML for Tenable One.

Before you Begin

  • Make sure you have a valid Tenable One and OT Security license.

To configure SAML for Tenable OT Security:

  1. Retrieve SAML Identity Provider (IDP) details and group object IDs from Tenable One:

    1. In a supported browser, log into https://cloud.tenable.com to access the Workspace page.

    2. In the upper-right corner, click the button.

      The Settings page appears.

    3. Click the SAML tile.

      The SAML page appears.

    4. Click the SSO On-Prem tab.

      The SSO On-Prem page appears with the SSO configuration for Tenable OT Security.

    5. Hover over and click the Tenable OT Security row.

      The IDP details panel appears on the right.

    6. Use the button to copy these details.

      • IDP Entity ID

      • IDP URL

      • IDP Certificate

    7. Click Download File to download the certificate to your local system.

    8. Retrieve the mapping data for groups. To find the group object ID information, go to Settings > Access Control > Groups and find or add the relevant groups.

      For example: In Tenable One, create two groups: OT Administrators and OT Read-Only. To map them to the user roles in OT Security, add the group names to the respective Administrators Group Object ID and Read-Only Users Group Object ID fields in the OT Security SAML page.

  2. Configure SAML in OT Security:

    1. Log into OT Security.

    2. Go to Local Settings > User Management > SAML.

      The SAML page appears.

    3. Click Configure or Edit if you are editing an existing configuration.

      The Configure SAML page appears.

    4. Provide the following details that you copied from Tenable One SAML > SSO On-Prem page:

      1. In the IDP ID box, paste the IDP Entity ID copied from the Tenable One SAML page.

      2. In the IDP URL box, type the IDP URL copied from the Tenable One SAML page.

      3. In the Certificate Data box, browse to the location where you downloaded the certificate file and upload it.

      4. In the Username Attribute box, type: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

      5. In the Group Attribute box, type groups (it must be in lower case and not Groups).

      6. Provide the group object ID information that you retrieved from Tenable One.

        For example: In step 8 of the first procedure (Retrieve the mapping data for groups), you created two groups in Tenable One: OT Administrators and OT Read-Only. Add these group names to the corresponding Administrators Group Object ID and Read-Only Users Group Object ID fields in the Configure SAML page.

      7. Click Save.

        OT Security saves the configuration and displays the SAML page with the resulting values.

        Important: Do not reboot after saving the configuration. Only reboot after you complete the configuration steps on both OT Security and Tenable One.

      8. On the SAML page, copy the following values. You need these values for the final configuration on Tenable One.

        • Entity ID

        • URL

  3. Complete the final configuration on Tenable One:

    1. In Tenable One, navigate to the Settings > SAML > SSO On-Prem page.

      The SSO On-Prem page appears with the SSO configuration for Tenable OT Security.

    2. Click the OT Security row.

      The OT Security configuration details panel appears.

    3. Provide the Auth Callback URL and SP Entity ID, using the URL and Entity ID values you copied from the OT Security SAML page.

    4. Click Save.

      Tenable One saves the SAML configuration.

  4. Click the SAML single sign-on log in toggle to enable SAML.

    OT Security prompts you to restart.

  5. Restart OT Security.

    Tenable enables the OT Exposure tile on the Workspace page. Click the OT Exposure tile and access OT Security.
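The Username Attribute, the lower-case Group Attribute and the group object ID fields configured above determine how OT Security turns a SAML assertion into a login and a role. The following Python script is an added illustration of that mapping and is not Tenable code: it parses a constructed SAML 2.0 assertion (the XML, the issuer URL and the group object IDs are placeholders invented for this example), looks up the username under the exact emailaddress claim URI from the page, reads the group object IDs under the attribute name `groups`, and resolves the user to a role. Running it with `Groups` instead of `groups` shows why the attribute name must match case exactly: the lookup finds no groups and the login is denied rather than granted a default role. It assumes the assertion's XML signature has already been verified against the IDP certificate downloaded from Tenable One; that verification is outside this script.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Attribute names exactly as entered on the OT Security Configure SAML page.
USERNAME_ATTRIBUTE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_ATTRIBUTE = "groups"  # must be lower case; "Groups" would not match

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical group object IDs standing in for the values you would copy
# from Tenable One (Settings > Access Control > Groups). Constructed for
# this example only.
ROLE_BY_GROUP_ID = {
    "11111111-aaaa-4bbb-8ccc-000000000001": "Administrator",   # OT Administrators
    "22222222-aaaa-4bbb-8ccc-000000000002": "Read-Only User",  # OT Read-Only
}

# Constructed assertion: an admin user who is also in an unmapped group.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/placeholder-entity-id</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>ot.admin@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-aaaa-4bbb-8ccc-000000000001</saml:AttributeValue>
      <saml:AttributeValue>33333333-aaaa-4bbb-8ccc-000000000003</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement.

    Only reads attributes; it assumes the XML signature was already verified
    against the IDP certificate. Attribute Name matching is exact and
    case-sensitive, as it is in SAML.
    """
    root = ET.fromstring(assertion_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[name] = values
    return attrs


def resolve_login(assertion_xml: str, group_attribute: str = GROUP_ATTRIBUTE) -> Tuple[str, str]:
    """Map an assertion to (username, OT Security role), denying by default.

    group_attribute is parameterised only so the case-sensitivity failure
    mode can be demonstrated; in the product it is the configured value.
    """
    attrs = parse_attributes(assertion_xml)
    usernames = attrs.get(USERNAME_ATTRIBUTE, [])
    if len(usernames) != 1 or not usernames[0]:
        raise ValueError("username attribute missing or ambiguous")
    groups = attrs.get(group_attribute, [])
    roles = [ROLE_BY_GROUP_ID[g] for g in groups if g in ROLE_BY_GROUP_ID]
    if not roles:
        # No mapped group object ID: refuse rather than fall back to a role.
        raise PermissionError(f"{usernames[0]} is in no mapped group")
    # A user in both groups gets the broader role, so keep group membership tight.
    role = "Administrator" if "Administrator" in roles else roles[0]
    return usernames[0], role


if __name__ == "__main__":
    print(resolve_login(SAMPLE_ASSERTION))
    try:
        resolve_login(SAMPLE_ASSERTION, group_attribute="Groups")
    except PermissionError as exc:
        print("wrong-case attribute name:", exc)
```

The unmapped third group ID in the sample is ignored, which is the behaviour you want: only the two object IDs entered on the Configure SAML page grant access, and a user whose `groups` values include neither is refused.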