SAML Authentication

You can configure SAML authentication so that Tenable Security Center users can use identity provider-initiated single sign-on (SSO) when logging in to Tenable Security Center. Tenable Security Center supports SAML 2.0-based authentication (for example, Okta, OneLogin, Microsoft ADFS, or Shibboleth 2.0).

For more information, see:

After you configure SAML authentication, create Tenable Security Center user accounts for each SAML user you want to grant access.

To manually add SAML-authenticated users in Tenable Security Center, see Add a SAML-Authenticated User.
To automatically add SAML-authenticated users by importing users from your SAML identity provider, see SAML User Provisioning.

Then, users with SAML-authenticated accounts can log in to Tenable Security Center using the Sign In Using Identity Provider button, as described in Log In to the Web Interface.

Considerations for Advanced SAML Features

Because Tenable Security Center cannot accept private keys to decrypt SAML assertions, Tenable Security Center does not support SAML assertion encryption. If you want to configure SAML authentication in Tenable Security Center, choose an identity provider that does not require assertion encryption and confirm that assertion encryption is not enabled.

For information about Tenable Security Center communications encryption, see Encryption Strength.

Note: Tenable Support does not assist with configuring or troubleshooting advanced SAML features.

SAML Authentication Options

Option	Description
SAML	Specifies whether SAML authentication is enabled or disabled. If you disable SAML, the system clears your SAML configuration settings and prevents SAML-authenticated user accounts from accessing Tenable Security Center.
Source	Specifies your SAML configuration method: Import — Configure SAML authentication by uploading the metadata file provided by your identity provider, as described in Configure SAML Authentication Automatically via the User Interface. Entry — Configure SAML authentication by manually configuring SAML options using data from the metadata file provided by your identity provider, as described in Configure SAML Authentication Manually via the User Interface.
Type	Specifies the identity provider you are using: SAML 2.0 (e.g., Okta, OneLogin, Shibboleth 2.0, etc.).
Entity ID	The name of the Entity ID attribute. Type the attribute exactly as it appears in your identity provider SAML configuration. Tip: This is the Federation Service Identifier value in Microsoft ADFS.
Identity Provider (IdP)	The identity provider identifier string. For example: The Identity Provider Issuer value in Okta. The Federation Service Identifier value in Microsoft ADFS.
Username Attribute	The name of the SAML username attribute. Type the attribute exactly as it appears in your identity provider SAML configuration. For example, if your SAML username attribute is NameID, specify NameID to instruct Tenable Security Center to recognize users who match the format NameID=username.
Single Sign-on Service	The identity provider URL where users log in via single sign-on. Type the URL exactly as it appears in your identity provider SAML metadata.
Single Logout Service	The identity provider URL where users log out. Type the URL exactly as it appears in your identity provider SAML metadata.
Certificate Data	The text of the identity provider's X.509 SSL certificate, without the ===BEGIN CERT=== and the `===END CERT===` strings.
User Provisioning	You can enable user provisioning to automatically create SAML-authenticated users in Tenable Security Center by importing user accounts from your SAML identity provider. When user provisioning is enabled, users who log into your SAML identity provider are automatically created in Tenable Security Center. For more information, see SAML User Provisioning. Note: If you want to delete a Tenable Security Center user that was created via SAML user provisioning, delete the user from your SAML identity provider. If you delete a user in Tenable Security Center that was created via SAML user provisioning without deleting the user in your SAML identity provider, Tenable Security Center automatically re-creates the user in Tenable Security Center the next time they log in using your SAML identity provider.
User Data Sync	If you enabled User Provisioning, you can enable User Data Sync to allow Tenable Security Center to automatically synchronize contact information from your SAML identity provider for Tenable Security Center users created via SAML user provisioning. For more information, see SAML User Provisioning. Note: If you want to edit a Tenable Security Center user that was created via SAML user provisioning and you enabled User Data Sync, edit the user in your SAML identity provider. Otherwise, the Tenable Security Center user data sync overwrites your changes the next time the user logs in to Tenable Security Center using your SAML identity provider. Note: Tenable Security Center does not update required fields (Organization ID, Group ID, and Role ID). To change the organization, group, or role for a user created via SAML user provisioning, see Manage User Accounts.