Tenable FedRAMP Moderate: Okta IdP
One of the most common IdPs used to configure SAML with Tenable FedRAMP Moderate is Okta. The following steps guide you through the configuration process from start to finish.
- Tenable Vulnerability Management FedRAMP Moderate
- Tenable Web App Scanning FedRAMP Moderate
Manual configuration requires the following:
- Login URL: A custom URL provided by Tenable in the following format:
  https://fedcloud.tenable.com/saml/login/PLACEHOLDER
- Audience URI (SP Entity ID): A custom ID provided by Tenable in the following format:
  TENABLE_IO_PLACEHOLDER
  If the customer requires more than one container, Tenable requires different SP Entity IDs for each container.
- A certificate within the SAML metadata object that matches the data originally sent to Tenable.
  Note: Tenable does not support the use of multiple certificates and only extracts the first certificate from the metadata object. If the object includes multiple certificates, you must specify which certificate to use if it is not the first one listed.
Okta: Create Initial Application Integration
To create an application integration in Okta:
- In your browser, navigate to the Okta Admin portal.
- In the left navigation menu, click Applications > Applications.
- Click Create App Integration.
  The Create a new app integration window appears.
- Select the SAML 2.0 radio button.
- Click Next.
  The General Settings options appear.
- In the App name text box, type a name for your application.
- (Optional) To add a custom logo for the application, in the App logo section, upload a .png, .jpeg, or .gif file and click Apply.
- Click Next.
  The Configure SAML options appear.
- In the Single sign-on URL text box, type the following placeholder URL:
  https://fedcloud.tenable.com/saml/login/PLACEHOLDER
  Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration. This link is case-sensitive.
- Select the Use this for Recipient URL and Destination URL checkbox.
- In the Audience URI (SP Identity ID) text box, type the following placeholder text:
  TENABLE_IO_PLACEHOLDER
  Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration.
- Ensure the Default RelayState text box is blank.
- In the Name ID format drop-down, select Unspecified.
- In the Application username drop-down, select Email.
- In the Update application username on drop-down, select Create and update.
- Do not change any other configuration options.
- Click Next.
  The Feedback options appear.
- (Optional) Provide any feedback you want to include.
- Click Finish.
  Okta saves your application configuration.
- In the applications list, select the newly added application configuration.
  Application details appear.
- In the Actions drop-down menu, click View IdP Metadata.
  Okta redirects you to another page, where you can view the metadata file.
- In your browser, save the resulting file as metadata.xml.
  Your browser downloads the metadata.xml file.
Tenable FedRAMP Moderate SAML Configuration
Once you have downloaded your metadata.xml file, you can use it to configure SAML in your Tenable FedRAMP Moderate application.
To set up the Tenable FedRAMP Moderate SAML configuration:
- In your browser, navigate to your Tenable FedRAMP Moderate application (TVM FedRAMP Moderate or Tenable WAS FedRAMP Moderate).
- In the upper-left corner, click the button.
  The left navigation plane appears.
- In the left navigation plane, click Settings.
  The Settings page appears.
- Click the SAML tile.
  The SAML page appears.
- In the action bar, click Create.
  The SAML Settings page appears.
- Do one of the following:
  To provide configuration details by uploading the metadata.xml file from your IdP:
  - In the first drop-down box, select Import XML.
    Note: Import XML is selected by default.
  - The Type drop-down box specifies the type of identity provider you are using. Tenable FedRAMP Moderate supports SAML 2.0 (for example, Okta, OneLogin, etc.). This option is read-only.
  - Under Import, click Add File.
    A file manager window appears.
  - Select the metadata.xml file.
    The metadata.xml file is uploaded.
  To manually create your SAML configuration using data from the metadata.xml file from your IdP:
  - In the first drop-down box, select Manual Entry.
    A SAML configuration form appears.
  - Configure the settings described in the following table:
    - Enabled toggle: A toggle in the upper-right corner that indicates whether the SAML configuration is enabled or disabled. By default, the Enable setting is set to Enabled. Click the toggle to disable the SAML configuration.
    - Type: Specifies the type of identity provider you are using. Tenable FedRAMP Moderate supports SAML 2.0 (for example, Okta, OneLogin, etc.). This option is read-only.
    - Description: A description for the SAML configuration.
    - IdP Entity ID: The unique entity ID that your IdP provides.
      Note: If you want to configure multiple IdPs for a user account, create a new configuration for each identity provider with separate identity provider URLs, entity IDs, and signing certificates.
    - IdP URL: The SAML URL for your IdP.
    - Certificate: Your IdP security certificate or certificates.
      Note: Security certificates are found in a metadata.xml file that your identity provider provides. You can copy the content of the file and paste it in the Certificate box.
    - IdP Assigns User Role at Provisioning: To assign a user role during provisioning, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles.
      Note: This option only appears during initial configuration if the setup is manual. Otherwise, you must edit the configuration after initial setup to enable this option.
    - IdP Resets User Role at Each Login: To assign a role each time a user logs in, overwriting the current role with the one chosen in your IdP, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles.
      Note: This option only appears during initial configuration if the setup is manual. Otherwise, you must edit the configuration after initial setup to enable this option.
    - Group Management Enabled: Enable this toggle to allow the Tenable One SAML configuration to manage user groups. You must enable this toggle for the Managed by SAML option to function successfully.
- Click Save.
  Tenable FedRAMP Moderate saves your SAML configuration and you return to the SAML page.
- In the row for the SAML configuration you just created, click the button.
  An actions menu appears.
- Click Download SAML SP metadata.
  Your browser downloads the metadata.xml file. You can now use this file for final configuration in your IdP.
Optional: Configure One or More User Groups to Automatically Add a User upon SAML Login
User groups allow you to manage user permissions for various resources in Tenable FedRAMP Moderate. When you assign users to a group, the users inherit the permissions assigned to the group. When you enable the Managed by SAML option for a user group, Tenable FedRAMP Moderate allows you to automatically add any user that logs in via SAML to that group.
Before you begin:
Ensure you've enabled the Group Management Enabled toggle when configuring the SAML settings within Tenable One.
To enable the Managed by SAML option:
- In Tenable FedRAMP Moderate, in the upper-left corner, click the button.
  The left navigation plane appears.
- In the left navigation plane, click Settings.
  The Settings page appears.
- Click the Access Control tile.
  The Access Control page appears.
- Click the Groups tab.
  The Groups page appears.
- In the user groups table, click the user group to which you want to automatically add your SAML users.
  The Edit User Group page appears.
- In the General section, select the Managed by SAML check-box.
- Click Save.
  Tenable FedRAMP Moderate saves your changes. Once you configure the related claim within your IdP, any time a user logs in via your SAML configuration, Tenable FedRAMP Moderate automatically adds them to the specified user group.
Okta: Configure Final Application Integration and Upload Metadata
Now that you have downloaded the completed metadata file from your Tenable FedRAMP Moderate application, you can use that file to create a permanent Tenable application in Okta.
- In your browser, navigate to the Okta Admin portal.
- In the left navigation menu, click Applications > Applications.
  The Applications page appears.
- Click Browse App Catalog.
- Select the application you previously created.
- In the SAML Settings section, click Edit.
  The Edit SAML Integration window appears.
- Click Next.
  The Configure SAML options appear.
- In the Single sign-on URL text box, type the URL listed in the metadata.xml file that you downloaded from your Tenable FedRAMP Moderate application.
  Tip: This URL is in the following format: https://fedcloud.tenable.com/saml/login/PLACEHOLDER.
- In the Audience URI (SP Identity ID) text box, type the ID listed in the metadata.xml file that you downloaded from your Tenable FedRAMP Moderate application.
  Tip: This ID is in the following format: TENABLE_IO_PLACEHOLDER.
- Click Save.
  Okta saves your changes to the application.
Optional: Finalize Configuration for Managed by SAML Group Option
If you configured the Managed by SAML option to automatically add any user that logs in via SAML to a user group, then you must configure a related group claim within the Okta IdP.
To configure the IdP group claim:
- In Okta, navigate to the Edit SAML Integration window for the application you created.
- In the Group Attribute Statements section, insert the following values:
  - In the Name text box, type groups.
  - In the Name format drop-down, select Basic.
  - In the Filter boxes, select Matches regex and then type .*.
- Click Save.
  Any time a user logs in via your SAML configuration, Tenable FedRAMP Moderate automatically adds them to the specified user group in Tenable FedRAMP Moderate.
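When a user is not landing in the expected group or role, the quickest check is to look at what the assertion Okta sends actually contains: the userRoleUuid attribute statement from the SAML settings table and the groups statement configured above. The following Python script is an added example, not Tenable's or Okta's code; the assertion fragment, role UUID and group names are constructed placeholders, and it assumes the NameID carries the user's Okta email, as the Application username = Email setting implies.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed assertion fragment in the shape Okta emits for the attribute statements this
# page configures (a userRoleUuid statement and a "groups" statement with the .* filter);
# the email, role UUID and group names are placeholders, not real values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userRoleUuid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>tenable-scanners</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_attribute_statements(assertion_xml: str) -> dict:
    """Report which of the page's attribute statements an assertion carries, plus any problems."""
    root = ET.fromstring(assertion_xml)
    attrs, problems = {}, []
    for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = values
        if a.get("NameFormat") not in (None, BASIC):  # the page selects Basic for groups
            problems.append("%s: NameFormat is not Basic" % a.get("Name"))
    # Assumption: NameID is the Okta email, which must match the pre-created Tenable username.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in name_id:
        problems.append("NameID is not an email address (Application username should be Email)")
    role = attrs.get("userRoleUuid", [])
    if len(role) != 1:
        problems.append("userRoleUuid must carry exactly one role UUID")
    groups = attrs.get("groups", [])
    if not groups:
        problems.append("no groups attribute: Managed by SAML groups will not be populated")
    return {"name_id": name_id, "role_uuid": role[0] if len(role) == 1 else None,
            "groups": groups, "problems": problems}
```

With the .* filter, every Okta group the user belongs to appears in the groups attribute, so the list returned here is the full set Okta releases for that user.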
Assign the Okta Application to your Users
To assign the application to your users or groups:
- In the left navigation menu, click Applications > Applications.
- Next to your newly created application configuration, click the button.
- Assign the application to one or more users or groups:
  - Click Assign to Users.
  - Click Assign to Groups.
  An Assign window appears.
- Next to the user or group to which you want to assign the application, click Assign.
  A confirmation window appears.
- Click Save and Go Back.
- Repeat for each user or group to which you want to assign the application.
- Click Done.
  Okta saves your changes.
Pre-create Tenable FedRAMP Moderate Users
An administrator must create all users within the Tenable FedRAMP Moderate Application prior to their first login via SAML. If you do not complete this step for the user, they cannot log in to the Tenable FedRAMP Moderate FedCloud application using SAML.
To pre-create a user for use in your Tenable FedRAMP Moderate application:
- Using an administrator account, log in to your Tenable FedRAMP Moderate application (TVM FedRAMP Moderate or Tenable WAS FedRAMP Moderate).
- In the left navigation menu, click Settings.
  The Settings page appears.
- Click the Access Control tile.
  The Access Control page appears.
- Create a user as described in the Tenable Vulnerability Management FedRAMP Moderate User Guide.
  Caution: The username for the user MUST match the user's email address provided within Okta.
- Configure roles, user permissions, and groups for the user as described in the Tenable Vulnerability Management FedRAMP Moderate User Guide.
- Edit the user and disable the following toggles:
  - API Key
  - Username/Password
  - Two-Factor Required
    Note: MFA can still be configured using your IdP to ensure maximum possible security.
- Save your changes to the user.
Additional Resources
For more information on Okta IdP configuration, see the following resources: