Initial Tenable Vulnerability Management FedRAMP SAML Configuration
Initial Pre-sales SAML Setup
The initial pre-sales SAML setup for FedRAMP customers includes the following steps:
- The Tenable customer creates an IdP-initiated SAML metadata object in XML (for example, IDP.xml) and sends it to their Tenable representative.
  Note: The Tenable FedRAMP container includes one pre-defined Administrator user, which is based on the NameID parameter (an email address in user@domain format) specified in the SAML metadata object. This user is the only person who can log in to the container upon initial creation. If the customer wants to allow additional domains to log in to the container upon creation, they must specify these additional domains ahead of time.
- Tenable extracts the certificate from this file and creates the FedRAMP container with a custom URL.
- Tenable sends the custom URL back to the customer.
- The customer can then finish their SAML setup using the URL.
SAML Setup for Manual Configuration of Customer SAML
Manual configuration of customer SAML requires the following:
- Audience URI (SP Entity ID): NessusCloud (or a custom ID, only if specified by Tenable). If the customer requires more than one FedRAMP container, Tenable requires a different SP Entity ID for each container.
- Application Username: A mapped email address, or an address in user@domain format.
  Note: This must match the NameID parameter.
- NameID: The address to use for the primary Administrator user, in user@domain or email address format.
- Login URL: A custom URL provided by Tenable after provisioning the FedRAMP container.
- A certificate within the SAML metadata object that matches the data originally sent to Tenable.
  Note: We do not support the use of multiple certificates and only extract the first certificate from the metadata object. If the object includes multiple certificates, the customer must specify which certificate to use if it is not the first one listed.
After the customer successfully logs in using the primary Administrator login, they can create other user accounts within their FedRAMP container.