SAML Authentication XML Configuration Examples

Tip: Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to configure SAML for use with Tenable Security Center.

Identity provider SAML configurations vary widely, but you can use the following examples to guide your SAML-side configurations.

OneLogin Example

In the OneLogin SAML configuration, paste data from your .xml download file.

OneLogin Field Description
Relay State

Leave this field blank.

Audience Type https://tenable.sc.
Recipient Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.
ACS (Consumer) URL Validatior Type -*.
ACS (Consumer) URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.
Single Logout URL Type https://<Tenable Security Center host>/saml/module.php/saml/index.php?sls, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.

Okta Example

In the Okta SAML configuration, paste data from your .xml download file.

Okta Field Description
General  
Single Sign On URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.
Recipient URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.
Destination URL Type https://<Tenable Security Center host>/saml/module.php/saml/sp/saml2-acs.php/1, where <Tenable Security Center host> is the IP address or hostname for Tenable Security Center.
Audience Restriction Type https://tenable.sc.
Default Relay State Leave this field blank.
Name ID Format Set to Unspecified.
Response Set to Signed.
Assertion Signature Set to Signed.
Signature Algorithm Set to RSA_SHA256.
Digest Algorithm Set to SHA256.
Assertion Encryption Set to Unencrypted.
SAML Single Logout Set to Disabled.
authnContextClassRef Set to PasswordProtectedTransport.
Honor Force Authentication Set to Yes.
SAML Issuer ID Type http://www.okta.com/${org.externalKey}.
Attribute Statements  
FirstName Set to Name Format: Unspecified and Value: user.firstName.
LastName Set to Name Format: Unspecified and Value: user.lastName.
Email Set to Name Format: Unspecified and Value: user.email.
username

Set to Name Format: Unspecified and one of the following:

  • Value: user.displayName, if your Tenable Security Center user account usernames are full names (e.g., Jill Smith).
  • Value: user.email, if your Tenable Security Center user account usernames are email addresses (e.g., [email protected]).
  • Value: user.login, if your Tenable Security Center user account usernames are name-based text strings (e.g., jsmith).

Microsoft ADFS Example

In the Microsoft ADFS configuration, paste data from your .xml download file.

Microsoft ADFS Configuration Description
Edit Authentication Methods window
Extranet Select, at minimum, the Forms Authentication check box.
Intranet Select, at minimum, the Forms Authentication check box.
Add Relying Party Trust wizard
Welcome section
  • Select Claims aware.
  • Select Import data about the relying party from a file.
  • Browse to and select the SAML configuration .xml file you downloaded from Tenable Security Center.

    Note: If you see a warning that some content was skipped, click Ok to continue.

Specify Display Name section In the Display Name box, type your Tenable Security Center FQDN.
Configure Certificate section Browse to and select the encryption certificate you want to use.
Choose Access Control Policy section Select the Permit everyone policy.
Ready to Add Trust section
  • On the Advanced tab, select SHA256 or the value dictated by your security policy.
  • On the Identifiers tab, confirm the information is accurate.
  • On the Endpoints tab, confirm the information is accurate.
Finish section Select the Configure claims issuance policy for this application check box.
Edit Claim Issuance Policy window

Add one or more claim rules to specify the ADFS value you want Tenable Security Center to use when authenticating SAML users. For example:

To transform an incoming claim:

  1. In Incoming claim type, select Email address or UPN.
  2. In Outgoing claim type, select Name ID.
  3. In Outgoing name ID format, select Transient Identifier.
  4. Select the Pass through all claim values check box.

To send LDAP attributes as claim:

  1. In Attribute store, select Active Directory.
  2. In LDAP Attribute, select E-Mail Addresses.
  3. In Outgoing Claim Type, select E-Mail Addresses.

Note:Tenable Support does not assist with claim rules.