Tenable Security Center: Okta IdP
One of the most common IdPs used to configure SAML with Tenable Security Center is Okta. The following steps guide you through the configuration process from start to finish.
Manual configuration requires the following:
- Login URL: A custom URL in the following format:
  https://PLACEHOLDER/saml/module.php/saml/sp/saml2-acs.php/1
  Where PLACEHOLDER is the IP address or hostname for your Tenable Security Center instance.
- Audience URI (SP Entity ID): A custom ID in the following format:
  https://tenable.sc
- A certificate within the SAML metadata object that matches the data originally sent to Tenable.
  Note: Tenable does not support the use of multiple certificates and only extracts the first certificate from the metadata object. If the object includes multiple certificates, you must specify which certificate to use if it is not the first one listed.
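Because Tenable Security Center only reads the first certificate in the IdP metadata, it is worth inspecting the metadata.xml before importing it. The following script is an added example (not Tenable's or Okta's code) that parses a SAML 2.0 IdP metadata file with the Python standard library, reports the entity ID, SSO URLs and signing certificates, and flags when more than one certificate is present; the embedded metadata is a constructed sample with placeholder values, not real Okta output.

```python
"""Inspect a SAML 2.0 IdP metadata.xml before importing it into Tenable Security Center."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: two signing certificates, placeholder entity ID and SSO URL.
# The certificate bodies are dummy base64 strings, not real X.509 data.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/PLACEHOLDER_APP_ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUFB</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QkJC</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://PLACEHOLDER.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Return the fields an administrator should verify before importing the file."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Certificates in document order; Tenable Security Center uses the first one.
    certs = [c.text.strip() for c in idp.iterfind(".//ds:X509Certificate", NS)]
    fingerprints = [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs]
    return {
        "entity_id": root.get("entityID"),
        "sso_urls": [e.get("Location") for e in idp.iterfind("md:SingleSignOnService", NS)],
        "certificate_count": len(certs),
        "first_cert_sha256": fingerprints[0] if fingerprints else None,
        "needs_manual_selection": len(certs) > 1,
    }


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the metadata.xml you saved from Okta by reading the file into `inspect_idp_metadata`; if `needs_manual_selection` is true, compare `first_cert_sha256` with the certificate you intend to use.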
Okta: Create Initial Application Integration
To create an application integration in Okta:
- In your browser, navigate to the Okta Admin portal.
- In the left navigation menu, click Applications > Applications.
- Click Create App Integration.
  The Create a new app integration window appears.
- Select the SAML 2.0 radio button.
- Click Next.
  The General Settings options appear.
- In the App name text box, type a name for your application.
- (Optional) To add a custom logo for the application, in the App logo section, upload a .png, .jpeg, or .gif file and click Apply.
- Click Next.
  The Configure SAML options appear.
- In the Single sign-on URL text box, type the following URL:
  https://PLACEHOLDER/saml/module.php/saml/sp/saml2-acs.php/1
  Where PLACEHOLDER is the IP address or hostname for your Tenable Security Center instance.
- Select the Use this for Recipient URL and Destination URL checkbox.
- In the Audience URI (SP Identity ID) text box, type the following placeholder text:
  https://tenable.sc
- Ensure the Default RelayState text box is blank.
- In the Name ID format drop-down, select Unspecified.
- In the Application username drop-down, select Email.
- In the Update application username on drop-down, select Create and update.
- Do not change any other configuration options.
- Click Next.
  The Feedback options appear.
- (Optional) Provide any feedback you want to include.
- Click Finish.
  Okta saves your application configuration.
- In the applications list, select the newly added application configuration.
  Application details appear.
- In the Actions drop-down menu, click View IdP Metadata.
  Okta redirects you to another page, where you can view the metadata file.
- In your browser, save the resulting file as metadata.xml.
  Your browser downloads the metadata.xml file.
Enable Tenable Security Center SAML
Once you have downloaded your metadata.xml file, you can use it to configure SAML in Tenable Security Center. You can configure this directly in the Tenable Security Center application.
To set up the Tenable Security Center SAML configuration:
- In your browser, navigate to Tenable Security Center.
- In the left navigation, click System > Configuration.
  The Configuration page appears.
- Click the SAML button.
  The SAML Configuration page appears.
- In the General section, confirm the SAML toggle is enabled.
- In the Source drop-down box, select Import.
  The page updates to display additional options.
- In the Type drop-down box, select SAML 2.0.
- Click Choose File and browse to the SAML metadata file from your identity provider.
  Note: The metadata file must match the Type you selected. If Tenable Security Center rejects the file, contact your identity provider for assistance.
- Click Submit.
  Tenable Security Center saves your configuration.
- For the configuration you just created, click Download SAML Configuration XML.
  Your browser downloads the metadata.xml file. You can now use this file for final configuration in your IdP.
Okta: Configure Final Application Integration and Upload Metadata
Now that you have downloaded the completed metadata file, you can use that file to create a permanent Tenable application in Okta.
- In your browser, navigate to the Okta Admin portal.
- In the left navigation menu, click Applications > Applications.
  The Applications page appears.
- Click Browse App Catalog.
- Select the application you previously created.
- In the SAML Settings section, click Edit.
  The Edit SAML Integration window appears.
- Click Next.
  The Configure SAML options appear.
- In the Single sign-on URL text box, type the URL listed in the metadata.xml file that you downloaded from Tenable Security Center.
  Tip: This URL is in the following format: https://PLACEHOLDER/saml/module.php/saml/sp/saml2-acs.php/1
- In the Audience URI (SP Identity ID) text box, type the ID listed in the metadata.xml file that you downloaded from Tenable Security Center.
  Tip: This ID is in the following format: https://tenable.sc
- Click Save.
  Okta saves your changes to the application.
Assign the Okta Application to your Users
To assign the application to your users or groups:
- In the left navigation menu, click Applications > Applications.
- Next to your newly created application configuration, click the button.
- Assign the application to one or more users or groups:
  - Click Assign to Users.
  - Click Assign to Groups.
  An Assign window appears.
- Next to the user or group to which you want to assign the application, click Assign.
  A confirmation window appears.
- Click Save and Go Back.
- Repeat for each user or group to which you want to assign the application.
- Click Done.
  Okta saves your changes, and you can now configure the final piece of the SAML configuration within Tenable Security Center.
Finalize the Tenable Security Center SAML Configuration
Once you've set up your application within your IdP, you can finalize your SAML configuration via the Tenable Security Center interface.
To finalize the Tenable Security Center SAML configuration:
- Log in to Tenable Security Center via the user interface.
  Note: You must log in with a user account belonging to the organization where you want to create a new user.
- Click Users > Users.
  The Users page appears.
- Click Add.
  The Add User page appears.
- (Optional) Type a First Name and Last Name for the user.
- In the Type drop-down list, select SAML.
- In the Username box, type the user's SAML username exactly as it appears in the IdP user configuration that you created for the user.
- Select a Time Zone.
- (Optional) Select a Scan Result Default Timeframe.
- (Optional) Enable Cached Fetching.
- Select a Role. For more information, see User Roles in the Tenable Security Center User Guide.
- Select a Group. For more information, see Organizations and Groups in the Tenable Security Center User Guide.
- (Optional) To customize the user's object and user account management permissions, modify the Group Permissions. For more information, see Custom Group Permissions in the Tenable Security Center User Guide.
- (Optional) To share an asset list with the user, select an Asset. For more information, see Assets in the Tenable Security Center User Guide.
- (Optional) Type Contact Information for the user.
- Click Submit.
  Tenable Security Center saves your changes, and your SAML configuration is ready for use.
Additional Resources
For more information on Okta IdP configuration, see the following resources: