Tenable One: Google Workspace IdP

One of the most common IdPs used to configure SAML with Tenable One is Google Workspace. The following steps guide you through the configuration process from start to finish, including optional configurations associated with user role and group mapping.

Tip: Most service status changes in Google Workspace take effect within in a few minutes. Keep this in mind as you start using your SAML configurations. To learn more, see How Changes Propagate to Google Services.

Manual configuration requires the following:

  • ACS URL: A custom URL provided by Tenable in the following format:

    https://cloud.tenable.com/saml/login/PLACEHOLDER

  • Entity ID: A custom ID provided by Tenable during SAML configuration in the following format:

    TENABLE_IO_PLACEHOLDER

  • A certificate within the SAML metadata object that matches the data originally sent to Tenable.

    Note: Tenable does not support the use of multiple certificates and only extracts the first certificate from the metadata object. If the object includes multiple certificates, you must specify which certificate to use if it is not the first one listed.

Google Workspace: Create Initial Application Integration

To create an application in Google Workspace:

  1. In your browser, sign in to the Google Admin console.

  2. In the navigation menu, navigate to Apps > Web and mobile apps.

    The Web and mobile apps page appears.

  3. Click Add App > Add custom SAML app.

    The App details pane appears.

  4. In the App name text box, type a name for your application (for example, Tenable One).

  5. Click Continue.

    The Google Identity Provider details pane appears.

  6. Skip Option 1 and Option 2 and click Continue.

    The Service provider details pane appears.

  7. In the ACS URL text box, type the following placeholder URL:

    https://cloud.tenable.com/saml/login/PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration. This link is case-sensitive.

  8. In the Entity ID text box, type the following placeholder text:

    TENABLE_IO_PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration.

  9. Click Continue.

    The Attribute mapping pane appears.

  10. Click Finish.

    The application details appear.

  11. Click Download Metadata.

    The Download metadata page appears.

  12. Under Option 1: Download IdP metadata, click Download Metadata.

    Your browser downloads the metadata.xml file.

  13. Click Close.

Tenable One SAML Configuration

Once you have downloaded your medata.xml file, you can use it to configure SAML in Tenable One. You can configure this directly in the Tenable Vulnerability Management application.

To set up the Tenable One SAML configuration:

  1. In your browser, navigate to Tenable One.
  2. On the Workspace page, click Tenable Vulnerability Management.

    The Tenable Vulnerability Management user interface appears.

  3. In the upper-left corner, click the button.

    The left navigation plane appears.

  4. In the left navigation plane, click Settings.

    The Settings page appears.

  5. Click the SAML tile.

    The SAML page appears.

  6. In the action bar, click Create.

    The SAML Settings page appears.

  7. Do one of the following:

    1. In the first drop-down box, select Import XML.

      Note: Import XML is selected by default.

    2. The Type drop-down box specifies the type of identity provider you are using. Tenable One supports SAML 2.0 (for example, Okta, OneLogin, etc.).

      This option is read-only.

    3. Under Import, click Add File.

      A file manager window appears.

    4. Select the metadata.xml file.

      The metadata.xml file is uploaded.

    1. In the first drop-down box, select Manual Entry.

      A SAML configuration form appears.

    2. Configure the settings described in the following table:

      Settings Description
      Enabled toggle

      A toggle in the upper-right corner that indicates whether the SAML configuration is enabled or disabled.

      By default, the Enable setting is set to Enabled. Click the toggle to disable SAML configuration.
      Type Specifies the type of identity provider you are using. Tenable One supports SAML 2.0 (for example, Okta, OneLogin, etc.).

      This option is read-only.

      Description A description for the SAML configuration.
      IdP Entity ID

      The unique entity ID that your IdP provides.

      Note: If you want to configure multiple IdPs for a user account, create a new configuration for each identity provider with separate identity provider URLs, entity IDs, and signing certificates.
      IdP URL The SAML URL for your IdP.
      Certificate

      Your IdP security certificate or certificates.

      Note: Security certificates are found in a metadata.xml file that your identity provider provides. You can copy the content of the file and paste it in the Certificate box.
      User Auto Provisioning Enabled

      A toggle that indicates whether automatic user account creation is enabled or disabled. Automatic account provisioning allows users with an account for the IdP named in the SAML configuration to create a Tenable Vulnerability Management account the first time they log in via the IdP.

      Note: This option only appears during intial configuration if the setup is manual. Otherwise, you must edit the configuration after initial setup to enable this option.
      IdP Assigns User Role at Provisioning To assign a user role during provisioning, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value.

      To obtain the UUID for a user role, go to Settings > Access Control > Roles.

      Note: This option only appears during intial configuration if the setup is manual. Otherwise, you must edit the configuration after initial setup to enable this option.
      IdP Resets User Role at Each Login

      To assign a role each time a user logs in, overwriting the current role with the one chosen in your IdP, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value.

      To obtain the UUID for a user role, go to Settings > Access Control > Roles.

      Note: This option only appears during intial configuration if the setup is manual. Otherwise, you must edit the configuration after initial setup to enable this option.
      Group Management Enabled Enable this toggle to allow the Tenable One SAML configuration to manage user groups. You must enable this toggle for the Managed by SAML option to function successfully.

  8. Click Save.

    Tenable Vulnerability Management saves your SAML configuration and you return to the SAML page.

  9. Click on the SAML configuration you just created.

    The SAML Settings page appears.

  10. Copy both the URL and Entity ID values. You will need both of these values for the final configuration in your IdP.

Optional: Configure One or More User Groups to Automatically Add a User upon SAML Login

User groups allow you to manage user permissions for various resources in Tenable One. When you assign users to a group, the users inherit the permissions assigned to the group. When you enable the Managed by SAML option for a user group, Tenable One allows you to automatically add any user that logs in via SAML to that group.

Important: For this option to work successfully, you must also configure the related group claim within your IdP. View the final IdP configuration steps for more information.

Before you begin:

Ensure you've enabled the Group Management Enabled toggle when configuring the SAML settings within Tenable One.

To enable the Managed by SAML option:

  1. In Tenable Vulnerability Management, in the upper-left corner, click the button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Access Control tile.

    The Access Control page appears.

  4. Click the Groups tab.

    The Groups page appears.

  5. In the user groups table, click the user group to which you want to automatically add your SAML users.

    The Edit User Group page appears.

  6. In the General section, select the Managed by SAML check-box.

  7. Click Save. Tenable Vulnerability Management saves your changes. Once you configure the related claim within your IdP, any time a user logs in via your SAML configuration, Tenable One automatically adds them to the specified user group.

Google Workspace: Configure Final Application Integration and Upload Metadata

Now that you have completed your Tenable One SAML configurations and copied the associated URL and Entity ID values, you can update your Tenable application in Google Workspace.

  1. In your browser, navigate to the Google Admin console.

  2. In the navigation menu, navigate to Apps > Web and mobile apps.

    The Web and mobile apps page appears.

  3. Select the newly created application.

    The application details appear.

  4. Click on the Service provider details section.

    The Settings page appears.

  5. In the ACS URL text box, replace the placeholder value with the previously saved URL value.

    Tip: This URL is in the following format: https://cloud.tenable.com/saml/login/PLACEHOLDER.

  6. In the Entity ID text box, replace the placeholder value with the previously saved Entity ID value.

    Tip: This ID is in the following format: TENABLE_IO_PLACEHOLDER.

  7. Click Save.

    Google Workspace saves your changes to the permanent application, and your SAML configuration is ready for use.

Optional: Finalize Configuration for Managed by SAML Group Option

If you configured the Managed by SAML option to automatically add any user that logs in via SAML to a user group, then you must configure a related group claim within Google Workspace.

To configure the IdP group claim:

  1. In your browser, navigate to the Google Admin console.

  2. In the navigation menu, navigate to Apps > Web and mobile apps.

    The Web and mobile apps page appears.

  3. Select the newly created application.

    The application details appear.

  4. Click SAML attribute mapping.

    The Attributes page appears.

  5. In the Group membership section:

    1. In the Google groups search box, search for (and select) the appropriate Google Workspace group.

    2. In the App attribute text box, type groups.

  6. Click Save. Any time a user logs in via your SAML configuration, Tenable One automatically adds them to the specified user group in Tenable One.

Optional: Configure Managed by SAML Role Option

Roles allow you to manage privileges for major functions in Tenable One and control which Tenable One resources users can access. If you toggled on the SAML configuration options IdP Assigns User Role at Provisioning and/or IdP Resets User Role at Each Login (to automatically add and/or assign any user that logs in via SAML to a user role), then you must complete the following three steps in Google Workspace:

Add a Custom Attribute for Roles

To add a custom attribute for roles:

  1. In the navigation menu, navigate to Directory > Users.

    The Users page appears.

  2. Click More options > Manage custom attributes.

    The Manage user attributes page appears.

  3. Click Add Custom Attribute.

    The Add custom fields page appears.

  4. In the Category text box, type a category name (e.g. Tenable).

  5. In the Custom fields section:

    1. In the Name text box, type a name for this attribute (e.g. User Role UUID).

    2. In the Info type drop-down, select Text.

    3. In the Visibility drop-down, select your preferred visibility.

    4. In the No. of values drop-down, select Single Value.

  6. Click Add.

Configure the Attribute for a User

To configure the attribute for a user (with a user role UUID):

  1. On the Users page, click the name of the user for which you want to configure the attribute.

    The user configuration page appears.

  2. In the User Details section, click User information.

    The User Details page appears.

  3. Click on the recently created custom attribute.

  4. In the text box, type the UUID of the Tenable user role.

    Tip: Tenable user role UUIDs can be found in Tenable Vulnerability Management, in the Settings > Access Control > Roles table.

  5. Click Save.

Configure the Role Claim

To configure the role claim:

  1. In the navigation menu, navigate to Apps > Web and mobile apps.

    The Web and mobile apps page appears.

  2. Select the newly created application.

    The application details appear.

  3. Click SAML attribute mapping.

    The Attributes page appears.

  4. In the Google Directory attributes drop-down, select the appropriate Google Workspace custom attribute for the user role.
  5. In the App attributes text box, type userRoleUuid.
  6. Click Save.

    Any time a user logs in via your SAML configuration, Tenable One automatically adds them to the specified user role.

Additional Resources

For more information on Google Workspace IdP configuration, see the following resources: