Tenable One: Ping Identity IdP

One of the most common IdPs used to configure SAML with Tenable One is Ping Identity. The following steps guide you through the configuration process from start to finish.

Manual configuration requires the following:

  • ACS URL: A custom URL provided by Tenable in the following format:

    https://cloud.tenable.com/saml/login/PLACEHOLDER
  • Entity ID: A custom ID provided by Tenable during SAML configuration in the following format:

    TENABLE_IO_PLACEHOLDER
  • A certificate within the SAML metadata object that matches the data originally sent to Tenable.

    Note: Tenable does not support the use of multiple certificates and only extracts the first certificate from the metadata object. If the object includes multiple certificates, you must specify which certificate to use if it is not the first one listed.
  • A user in Tenable One that also matches a user created within Ping Identity. For more information on creating users, see:

Ping Identity: Create Temporary Application

To create a temporary application in Ping Identity:

  1. In your browser, navigate to the Ping Identity admin portal.

  2. In the left navigation menu, navigate to Connections > Applications.

    The Applications page appears.

  3. At the top of the page, click the button.

    The Add Application page appears.

  4. In the Application Name box, type a name for your temporary application.

  5. Click the SAML Application tile.

  6. Click Configure.

    The SAML Configuration page appears.

  7. In the Provide Application Metadata section, select the Manually Enter radio button.

  8. In the ACS URLs text box, type the following placeholder text:

    https://cloud.tenable.com/saml/login/PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration. This link is case-sensitive.
  9. In the Entity ID text box, type the following placeholder text:

    TENABLE_IO_PLACEHOLDER
    Note: You will later replace PLACEHOLDER with a unique UUID for the SAML configuration.
  10. Click Save.

    A success message appears and Ping Identity directs you to an overview page for the application.

  11. At the top of the page, click Configuration.

    The Connection Details appear.

  12. Click Download Metadata.

    Your browser downloads the metadata.xml file.

Tenable One SAML Configuration

Once you have downloaded your medata.xml file, you can use it to configure SAML in Tenable One. You can configure this directly in the Tenable Vulnerability Management application.

To set up the Tenable One SAML configuration:

  1. In your browser, navigate to Tenable One.
  2. On the Workspace page, click Tenable Vulnerability Management.

    The Tenable Vulnerability Management user interface appears.

  3. In the upper-left corner, click the button.

    The left navigation plane appears.

  4. In the left navigation plane, click Settings.

    The Settings page appears.

  5. Click the SAML tile.

    The SAML page appears.

  6. In the action bar, click Create.

    The SAML Settings page appears.

  7. Do one of the following:

  8. Click Save.

    Tenable Vulnerability Management saves your SAML configuration and you return to the SAML page.

  9. In the row for the SAML configuration you just created, click the button.

    An actions menu appears.

  10. Click Download SAML SP metadata.

    Your browser downloads the metadata.xml file. You can now use this file for final configuration in your IdP.

Optional: Configure One or More User Groups to Automatically Add a User upon SAML Login

User groups allow you to manage user permissions for various resources in Tenable One. When you assign users to a group, the users inherit the permissions assigned to the group. When you enable the Managed by SAML option for a user group, Tenable One allows you to automatically add any user that logs in via SAML to that group.

Important: For this option to work successfully, you must also configure the related group claim within your IdP. View the final IdP configuration steps for more information.

Before you begin:

Ensure you've enabled the Group Management Enabled toggle when configuring the SAML settings within Tenable One.

To enable the Managed by SAML option:

  1. In Tenable Vulnerability Management, in the upper-left corner, click the button.

    The left navigation plane appears.

  2. In the left navigation plane, click Settings.

    The Settings page appears.

  3. Click the Access Control tile.

    The Access Control page appears.

  4. Click the Groups tab.

    The Groups page appears.

  5. In the user groups table, click the user group to which you want to automatically add your SAML users.

    The Edit User Group page appears.

  6. In the General section, select the Managed by SAML check-box.

  7. Click Save. Tenable Vulnerability Management saves your changes. Once you configure the related claim within your IdP, any time a user logs in via your SAML configuration, Tenable One automatically adds them to the specified user group.

Ping Identity: Create Permanent Application and Import Metadata

Now that you have downloaded the completed metadata file, you can use that file to create a permanent Tenable application in Ping Identity.

  1. In your browser, navigate to the Ping Identity admin portal.

  2. In the left navigation menu, navigate to Connections > Applications.

    The Applications page appears.

  3. Delete the temporary application you previously created.

  4. At the top of the page, click the button.

    The Add Application page appears.

  5. In the Application Name box, type a name for your permanent application.

  6. Click the SAML Application tile.

  7. Click Configure.

    The SAML Configuration page appears.

  8. In the Provide Application Metadata section, select the Import Metadata radio button.

  9. In your file manager, select the Service Provider metadata.xml file that you downloaded from Tenable Vulnerability Management.

    Ping Identity imports the metadata from the file, including the ACS URL and Entity ID specific to the SAML configuration.

  10. Click Save.

  11. On the Applications page, enable the toggle for the permanent Tenable application you created.

  12. Click the name of the application you created.

    The overview page for the application appears.

  13. At the top of the page, click the Attribute Mappings tab.

    Attribute mapping options appear.

  14. In the upper-right corner, click the button.

    The PingOne Mappings item becomes editable.

  15. In the drop-down menu, select Email Address.

  16. Click Save.

    Ping Identity saves your changes to the permanent application, and your SAML configuration is ready for use.

Optional: Finalize Configuration for Managed by SAML Group Option

If you configured the Managed by SAML option to automatically add any user that logs in via SAML to a user group, then you must configure a related group claim within the Microsoft Entra ID IdP.

To configure the IdP group claim:

  1. In Ping Identity, on the overview page for your application, click the Attribute Mappings tab.

    Attribute mapping options appear.

  2. In the upper-right corner, click the button.

  3. Add a new attribute mapping:

    1. In the Tenable column, type groups.

    2. In the PingOne column, select Group Names.

  4. Click Save. Any time a user logs in via your SAML configuration, Tenable One automatically adds them to the specified user group in Tenable One.

Additional Resources

For more information on Ping Identity IdP configuration, see the following resources: