Add a SAML Configuration

Required User Role: Administrator

You can manually enter the details for your SAML configuration or you can upload a metadata.xml file that you download from your identity provider (IdP).

Before you begin:

  • Follow the steps described in your IdP's documentation to set up a SAML application for Tenable MSSP on your IdP account. Your IdP requires an entity ID and a reply URL for Tenable MSSP to set up the SAML application:

    • Entity ID — TENABLE_IO_PLACEHOLDER.

    • ACS/Single Sign On URL — https://cloud.tenable.com/SAML/login/placeholder.com.

  • In your IdP account, download your metadata.xml file.

To configure the initial IDP setup in Okta:

  1. In your browser, navigate to the Okta Admin portal.

  2. In the left navigation menu, click Applications > Applications.

  3. Click Create App Integration.

    The Create a new app integration window appears.

  4. Select the SAML 2.0 radio button.

  5. Click Next.

    The General Settings options appear.

  6. In the App name text box, type a name for your application.

  7. (Optional) To add a custom logo for the application, in the App logo section, upload a .png, .jpeg, or .gif file and click Apply.

  8. Click Next.

    The Configure SAML options appear.

  9. In the Single sign-on URL text box, type the following placeholder URL:

    https://cloud.tenable.com/saml/login/PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration. This link is case-sensitive.

  10. Select the Use this for Recipient URL and Destination URL check box.

  11. In the Audience URI (SP Identity ID) text box, type the following placeholder text:

    TENABLE_IO_PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration.

  12. Ensure the Default RelayState text box is blank.

  13. In the Name ID format drop-down, select Unspecified.

  14. In the Application username drop-down, select Email.

  15. In the Update application username on drop-down, select Create and update.

  16. Do not change any other configuration options.

  17. Click Next.

    The Feedback options appear.

  18. (Optional) Provide any feedback you want to include.

  19. Click Finish.

    Okta saves your application configuration.

  20. In the applications list, select the newly added application configuration.

    Application details appear.

  21. In your browser, paste the URL and save the resulting file as metadata.xml.

Note: Tenable does not currently support a SP-Initiated SAML flow. Because it must be initiated from the Identity Provider side, navigating directly to https://cloud.tenable.com does not allow SSO.

Important! All users must have an account configured in Tenable MSSP that matches their SSO login. You must ensure the SSO login matches the FULL Tenable account name (i.e., [email protected]).

To add a new SAML configuration:

  1. In the upper-left corner, click the Menu button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the SAML tile.

    The SAML page appears.

  4. In the action bar, click Create.

    The SAML Settings page appears.

  5. Do one of the following:

    1. In the first drop-down box, select Import XML.

      Note: Import XML is selected by default.

    2. The Type drop-down box specifies the type of identity provider you are using. Tenable MSSP supports SAML 2.0 (for example, Okta, OneLogin, etc.).
      This option is read-only.

    3. Under Import, click Add File.

      A file manager window appears.

    4. Select the metadata.xml file.

      The metadata.xml file is uploaded.

    1. In the first drop-down box, select Manual Entry.

      A SAML configuration form appears.

    2. Configure the settings described in the following table:

      Settings Description
      Enabled toggle

      A toggle in the upper-right corner that indicates whether the SAML configuration is enabled or disabled.

      By default, the Enable setting is set to Enabled. Click the toggle to disable SAML configuration.
      Type Specifies the type of identity provider you are using. Tenable MSSP supports SAML 2.0 (for example, Okta, OneLogin, etc.).
      This option is read-only.
      Description A description for the SAML configuration.
      IdP Entity ID

      The unique entity ID that your IdP provides.

      Note: If you want to configure multiple IdPs for a user account, create a new configuration for each identity provider with separate identity provider URLs, entity IDs, and signing certificates.
      IdP URL The SAML URL for your IdP.
      Certificate

      Your IdP security certificate or certificates.

      Note: Security certificates are found in a metadata.xml file that your identity provider provides. You can copy the content of the file and paste it in the Certificate box.
      User Auto Provisioning Enabled

      A toggle that indicates whether automatic user account creation is enabled or disabled.

      IdP Assigns User Role at Provisioning To assign a user role during provisioning, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value.

      To obtain the UUID for a user role, go to Settings > Access Control > Roles.
      IdP Resets User Role at Each Login

      To assign a role each time a user logs in, overwriting the current role with the one chosen in your IdP, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value.

      To obtain the UUID for a user role, go to Settings > Access Control > Roles.

  6. Click Save.

    Tenable MSSP saves your SAML configuration.

What to do next:

  • Download the metadata.xml from Tenable MSSP using the Download SP Metadata option in the SAML Configurations table.

  • Upload this file to the SAML application you created for Tenable MSSP with your SAML provider.

Tip: If you are having trouble configuring SAML, Tenable recommends trying one of the various third-party SAML debugging tools available online. You can also reach out to Tenable Support for further troubleshooting assistance.