SAML Authentication XML Configuration Examples
Identity provider SAML configurations vary widely, but you can use the following examples to guide your SAML-side configurations.
In the OneLogin SAML configuration, paste data from your .xml download file.
OneLogin Field | Description |
---|---|
Relay State |
Leave this field blank. |
Audience | Type tenable.sc. |
Recipient | Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center. |
ACS (Consumer) URL Validatior | Type -*. |
ACS (Consumer) URL | Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center. |
Single Logout URL | Type https://<Tenable Security Center host>/saml/module.php/saml/index.php?sls, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center. |
In the Okta SAML configuration, paste data from your .xml download file.
Okta Field | Description |
---|---|
General | |
Single Sign On URL | Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center. |
Recipient URL | Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center. |
Destination URL | Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center. |
Audience Restriction | Type tenable.sc. |
Default Relay State | Leave this field blank. |
Name ID Format | Set to Unspecified. |
Response | Set to Signed. |
Assertion Signature | Set to Signed. |
Signature Algorithm | Set to RSA_SHA256. |
Digest Algorithm | Set to SHA256. |
Assertion Encryption | Set to Unencrypted. |
SAML Single Logout | Set to Disabled. |
authnContextClassRef | Set to PasswordProtectedTransport. |
Honor Force Authentication | Set to Yes. |
SAML Issuer ID | Type http://www.okta.com/${org.externalKey}. |
Attribute Statements | |
FirstName | Set to Name Format: Unspecified and Value: user.firstName. |
LastName | Set to Name Format: Unspecified and Value: user.lastName. |
Set to Name Format: Unspecified and Value: user.email. | |
username |
Set to Name Format: Unspecified and one of the following:
|
In the Microsoft ADFS configuration, paste data from your .xml download file.
Microsoft ADFS Configuration | Description |
---|---|
Edit Authentication Methods window | |
Extranet | Select, at minimum, the Forms Authentication check box. |
Intranet | Select, at minimum, the Forms Authentication check box. |
Add Relying Party Trust wizard | |
Welcome section |
|
Specify Display Name section | In the Display Name box, type your Tenable Security Center FQDN. |
Configure Certificate section | Browse to and select the encryption certificate you want to use. |
Choose Access Control Policy section | Select the Permit everyone policy. |
Ready to Add Trust section |
|
Finish section | Select the Configure claims issuance policy for this application check box. |
Edit Claim Issuance Policy window |
Add one or more claim rules to specify the ADFS value you want Tenable Security Center to use when authenticating SAML users. For example: To transform an incoming claim:
To send LDAP attributes as claim:
Note:Tenable Support does not assist with claim rules. |