Authentication Using SAML

You can configure SAML authentication so that Tenable Identity Exposure users can use identity provider-initiated single sign-on (SSO) when logging into Tenable Identity Exposure.

Before you begin:

Check that you have the following for the identity provider (IDP):

  • SAML v2 only.

  • "Assertion encryption" enabled.

  • IDP groups that Tenable Identity Exposure uses to grant access to the Tenable Identity Exposure web portal.

  • URL of the SAML server.

  • Trusted CA Certificate of the SAML server in PEM-encoded format, beginning with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.
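A quick offline preflight of the items in this list, written as an added example for this page (it is not Tenable code and does not talk to the product or the IdP). It checks that the SAML server URL is an absolute https URL, that the pasted PEM block has matching BEGIN/END labels and a base64 body that decodes to a DER SEQUENCE, and that at least one IdP group has been listed. The sample URL, PEM block and group names are constructed for the example; the PEM body is a hand-made five-byte DER structure, not a real certificate. The checker only requires that the BEGIN and END labels match each other, so it works with whichever label your IdP's export carries. "Assertion encryption" is an IdP-side setting and cannot be verified from these inputs.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample inputs (not from the page). The PEM body is a tiny
# hand-made DER SEQUENCE { INTEGER 5 }, not a real certificate, so the
# example runs fully offline.
SAMPLE_IDP_URL = "https://idp.example.com/saml2/sso"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_GROUPS = ["TIE-Administrators", "TIE-Auditors"]

# One PEM block: a BEGIN line, a base64 body, an END line. The two labels
# are captured separately so a mismatch can be reported.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P<end>[A-Z ]+)-----"
)


def check_idp_url(url):
    """Return a list of problems with the IDP SAML server URL (empty = OK)."""
    problems = []
    parts = urlparse(url.strip())
    if parts.scheme != "https":
        problems.append("IDP URL must use https; SAML assertions travel over it")
    if not parts.netloc:
        problems.append("IDP URL has no host part")
    if parts.fragment:
        problems.append("IDP URL should not carry a #fragment")
    return problems


def check_pem(pem):
    """Return a list of problems with the pasted PEM block (empty = OK)."""
    problems = []
    match = PEM_RE.search(pem)
    if not match:
        return ["no PEM block with -----BEGIN ...----- / -----END ...----- lines found"]
    if match.group("label") != match.group("end"):
        problems.append(
            "BEGIN and END labels differ: %r vs %r"
            % (match.group("label"), match.group("end"))
        )
    body = "".join(match.group("body").split())
    try:
        # validate=True rejects stray characters and bad padding
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return problems + ["PEM body is not valid base64"]
    if not der or der[0] != 0x30:
        problems.append("decoded body is not a DER SEQUENCE (first byte should be 0x30)")
    return problems


def check_groups(groups):
    """Return a list of problems with the IDP group list (empty = OK)."""
    cleaned = [g.strip() for g in groups if g.strip()]
    problems = []
    if not cleaned:
        problems.append("at least one IDP group must be mapped, or nobody can log in")
    if len(set(cleaned)) != len(cleaned):
        problems.append("duplicate IDP group names in the list")
    return problems


def preflight(url, pem, groups):
    """Run all checks and return the combined list of problems."""
    return check_idp_url(url) + check_pem(pem) + check_groups(groups)


if __name__ == "__main__":
    for problem in preflight(SAMPLE_IDP_URL, SAMPLE_PEM, SAMPLE_GROUPS) or ["all checks passed"]:
        print(problem)
```

Run it against the values you intend to paste into the form; an empty result means the inputs are at least well-formed, not that the IdP trusts them.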

To configure SAML authentication:

  1. In Tenable Identity Exposure, click Systems > Configuration.

    The configuration pane appears.

  2. Under the Authentication section, click SAML Single Sign-on.

  3. Click the Enable SAML authentication toggle.

    A SAML information form appears.

    [Screenshot: SAML Configuration]

  4. Provide the following information:

    • In the URL of the SAML server box, type the full URL of the IDP's SAML server where Tenable Identity Exposure must connect.

    • In the Trusted Certificate Authorities box, paste the SAML server certificate from the SAML server.

  5. In the Tenable Identity Exposure certificate box, click Generate and Download. This generates a new self-signed certificate, updates the SAML configuration in the database, and returns a new certificate for you to download.

    Caution: When you click this button, it disrupts your SAML configuration because Tenable Identity Exposure expects the IDP to authenticate immediately with the most recently generated certificate while the IDP is still using a previous certificate, if it exists. If you generate a new Tenable Identity Exposure certificate, you must reconfigure your IDP to use the new certificate.

  6. Click the Activate automatically new user's account toggle to activate new user accounts after the first SAML login.

  7. Under Tenable Identity Exposure Endpoints, provide the following information:

    • URL of the Tenable Identity Exposure service provider

    • Assert endpoint of the Tenable Identity Exposure service provider

  8. Under the Default Profile and Roles section, click Add a SAML group to specify the groups allowed to authenticate.

    A SAML group information form appears.

  9. Provide the following information:

    • In the SAML group name box, type the name of the allowed group as it appears in the SAML server.

    • In the Default profile drop-down box, select the profile for the allowed group.

    • In the Default roles box, select the roles for the allowed group.

  10. If necessary, click on the icon to add a new allowed group.

  11. Click Save.

    After you set up SAML authentication, the SAML option appears in a tab on the login page.
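The allowed-group table and the auto-activation toggle together decide what a SAML login is worth. The following is an added example, not Tenable's code, that models that decision: a user is denied unless at least one group in the assertion exactly matches a configured SAML group name (the name must be typed as it appears on the SAML server, so matching is case-sensitive), the matching group supplies the profile and roles, and a newly created account is active only when the Activate automatically toggle is on. The group, profile and role names are placeholders; the rule used when several allowed groups match (profile from the first match in configured order, union of all matched roles) is an assumption made for the example, not documented product behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedGroup:
    """One row of the Default Profile and Roles table: the SAML group name
    exactly as the IdP asserts it, its default profile and its default roles."""
    name: str
    profile: str
    roles: frozenset


@dataclass(frozen=True)
class Access:
    profile: str
    roles: frozenset
    matched_groups: tuple


# Constructed allowed-group table (placeholder names, not from the page).
ALLOWED = (
    AllowedGroup("TIE-Administrators", "admin-profile", frozenset({"role-admin"})),
    AllowedGroup("TIE-Auditors", "readonly-profile", frozenset({"role-reader"})),
)


def resolve_access(asserted_groups, allowed=ALLOWED):
    """Map the group names carried in a SAML assertion to portal access.

    Deny by default: returns None unless at least one asserted group is in
    the allowed table. Matching is exact and case-sensitive. When several
    allowed groups match, this model takes the profile of the first matching
    group in configured order and the union of all matching groups' roles
    (an assumption of this example).
    """
    asserted = set(asserted_groups)
    matches = [g for g in allowed if g.name in asserted]
    if not matches:
        return None
    roles = frozenset().union(*(g.roles for g in matches))
    return Access(matches[0].profile, roles, tuple(g.name for g in matches))


def provision_on_first_login(subject, asserted_groups, auto_activate, allowed=ALLOWED):
    """Outcome of a first SAML login: None when denied, otherwise an account
    record whose 'active' flag follows the Activate automatically toggle."""
    access = resolve_access(asserted_groups, allowed)
    if access is None:
        return None
    return {
        "subject": subject,
        "profile": access.profile,
        "roles": sorted(access.roles),
        "active": auto_activate,  # False means an admin must activate the account
    }


if __name__ == "__main__":
    # Constructed assertion: the user belongs to one mapped group and one unmapped group.
    print(provision_on_first_login("alice@example.com", ["Marketing", "TIE-Auditors"], False))
```

Keeping the table small and the names exact is the point: a group that is not listed grants nothing, and a name typed with different casing does not match.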

For more information about security profiles and roles, see: