Tenable Security Center: Microsoft ADFS IdP

One of the most common IdPs used to configure SAML with Tenable Security Center is Microsoft ADFS. The following steps guide you through the configuration process from start to finish.

Manual configuration requires the following:

  • Login URL: A custom URL in the following format:

    https://PLACEHOLDER/saml/module.php/saml/sp/saml2-acs.php/1

    Where PLACEHOLDER is the IP address or hostname for your Tenable Security Center instance.

  • Audience URI (SP Entity ID): A custom ID in the following format:

    https://tenable.sc

  • A certificate within the SAML metadata object that matches the data originally sent to Tenable.

    Note: Tenable does not support the use of multiple certificates and only extracts the first certificate from the metadata object. If the object includes multiple certificates, you must specify which certificate to use if it is not the first one listed.

ADFS: Download your SAML Metadata File

To download your SAML Metadata.xml file:

  1. Navigate to your ADFS console.

    Note: Your login URL varies based on the DNS FQDN you configured. For example, in this case, the ADFS SSO Portal login would be: https://adfs.example.com/adfs/ls/idpinitiatedsignon.

  2. Type your login credentials and click Sign In.

    You log in to the console.

  3. In the left menu, navigate to Service > Endpoints.

    The Endpoints page appears.

  4. In the Metadata section, copy the URL in the Federation Metadata row.

  5. In your browser, type https://localhost/ and then paste the metadata URL you copied.

  6. On your keyboard, press Enter.

    Your browser downloads the metadata file.
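Before importing the file you just downloaded, it is worth confirming which certificate Tenable Security Center will pick up, since it only extracts the first certificate in the metadata object (see the note under the manual configuration requirements above). The following Python script is an added example, not Tenable's or Microsoft's code: it parses a constructed metadata sample in the shape of an ADFS FederationMetadata.xml, lists the KeyDescriptors in document order, and reports whether the first one is the signing certificate you expect.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like an ADFS FederationMetadata.xml, trimmed to the elements this
# check reads. The X509Certificate bodies are base64 placeholders, not real certificates, and
# the encryption certificate is deliberately listed before the signing one.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>aGVsbG8=</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>d29ybGQ=</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def key_descriptors(xml_text):
    """Return the IdP's KeyDescriptors in document order as (use, base64 DER) pairs."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this IdP metadata?")
    found = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
            found.append((kd.get("use", "both"), "".join(cert.text.split())))
    return found

def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, so certificates compare independently of base64 line wrapping."""
    der = base64.b64decode(cert_b64 + "=" * (-len(cert_b64) % 4))
    return hashlib.sha256(der).hexdigest()

def check_first_certificate(xml_text, expected_signing_cert_b64):
    """Report whether the first certificate (the one Tenable extracts) is the expected signing cert."""
    certs = key_descriptors(xml_text)
    if not certs:
        return {"ok": False, "count": 0, "first_use": None}
    first_use, first_cert = certs[0]
    ok = fingerprint(first_cert) == fingerprint(expected_signing_cert_b64)
    return {"ok": ok, "count": len(certs), "first_use": first_use}
```

When `ok` is False and `count` is greater than 1, the signing certificate is not the first one listed, which is exactly the case where you must specify which certificate to use.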

Enable Tenable Security Center SAML

Once you have downloaded your metadata.xml file, you can use it to configure SAML in Tenable Security Center. You can configure this directly in the Tenable Security Center application.

To set up the Tenable Security Center SAML configuration:

  1. In your browser, navigate to Tenable Security Center.
  2. In the left navigation, click System > Configuration.

    The Configuration page appears.

  3. Click the SAML button.

    The SAML Configuration page appears.

  4. In the General section, confirm the SAML toggle is enabled.

  5. In the Source drop-down box, select Import.

    The page updates to display additional options.

  6. In the Type drop-down box, select SAML 2.0.

  7. Click Choose File and browse to the SAML metadata file from your identity provider.

    Note: The metadata file must match the Type you selected. If Tenable Security Center rejects the file, contact your identity provider for assistance.

  8. Click Submit.

    Tenable Security Center saves your configuration.

  9. For the configuration you just created, click Download SAML Configuration XML.

    Your browser downloads the metadata.xml file. You can now use this file for final configuration in your IdP.

ADFS: Configure Final Application, Upload Metadata, and Configure Relying Party Trusts

Now that you have downloaded the completed metadata file, you can upload that file to your Tenable application in the ADFS console.

  1. Open the MMC.exe console.

  2. On the right side of the console, in the Actions section, click Add Relying Party Trust.

    The Add Relying Party Trust wizard appears.

  3. In the wizard, select the Claims aware radio button.

  4. Click Start.

  5. On the Select Data Source page, select the Import data about the relying party from a file radio button.

  6. Click the Browse button.

  7. In your file manager, select the Service Provider metadata.xml file that you downloaded from Tenable Security Center.

    Microsoft ADFS imports the metadata from the file.

  8. Click Next.

  9. On the Specify Display Name page, type a Display Name and any Notes you want to include.

  10. Click Next.

  11. On the Choose Access Control Policy page, select Permit Everyone.

  12. Click Next.

  13. On the Configure Identifiers page, on the Identifiers tab, ensure the Relying party trust identifier lists the following:

    https://tenable.sc

  14. Click Next.

  15. On the Ready to Add Trust page, review your configuration.

  16. Click Next.

  17. On the Finish page, select the Configure claims issuance policy for this application checkbox.

  18. Click Close.

    You return to the Relying Party Trusts folder.

  19. Right-click the trust you created and select Edit Claim Issuance Policy.

    The Edit Claims Issuance Policy window appears.

  20. Click Add Rule.

    The Transform Claim Rule wizard appears.

  21. Configure two rules:

    You return to the Edit Claims Issuance Policy window.

  22. Click Apply.

  23. Click OK.

    Microsoft ADFS saves your changes, and your SAML configuration is ready for use.

Additional Resources

For more information on Microsoft ADFS IdP configuration, see the following resources: