Configure LDAP User Provisioning

Required User Role: Administrator

You can enable user provisioning to automatically create LDAP-authenticated users in Tenable Security Center by importing user accounts from your LDAP identity provider. When user provisioning is enabled, users who log in to your LDAP identity provider are automatically created in Tenable Security Center.

Tenable Security Center supports the following LDAP authentication systems for user provisioning:

  • Active Directory on Microsoft Server 2016 (on-premises)

  • Active Directory on Microsoft Server 2019 (on-premises)

For more information, see LDAP User Provisioning.

To manually create LDAP-authenticated users in Tenable Security Center, see Add an LDAP-Authenticated User.

For more information about user account configuration options, see LDAP User Account Options.

Before you begin:

  1. (Recommended) Create a backup of your user directory in your LDAP identity provider.

  2. In Tenable Security Center, add an LDAP server, as described in Add an LDAP Server.

  3. In your LDAP identity provider, create the following custom user attributes: tenableRoleID, tenableGroupID, and tenableOrgID.

  4. In your LDAP identity provider, specify the role, group, and organization you want to assign the user in Tenable Security Center:

    1. In the tenableRoleID attribute field, type the ID for the Tenable Security Center role you want to assign to the user. To locate the ID for a role, see View User Role Details.

    2. In the tenableGroupID attribute field, type the ID for the Tenable Security Center group you want to assign to the user. To locate the ID for a group, see View Group Details.

    3. In the tenableOrgID attribute field, type the ID for the Tenable Security Center organization you want to assign to the user. To locate the ID for an organization, see View Organization Details.

To enable LDAP user provisioning for an LDAP server:

  1. Log in to Tenable Security Center Director via the user interface.

  2. In the top navigation bar, click Resources > LDAP Servers.

    The LDAP Servers page appears.

  3. Right-click the row for the LDAP server where you want to enable user provisioning.

    The actions menu appears.

    -or-

    Select the check box for the LDAP server where you want to enable user provisioning.

    The available actions appear at the top of the table.

  4. Click Edit.

    The Edit LDAP Server page appears.

  5. In the Server Settings section, click the toggle to enable User Provisioning.

  6. (Optional) To automatically update contact information (first name, last name, email address, and phone number) for users created via LDAP user provisioning, click the User Data Sync toggle. For more information about User Data Sync, see LDAP Authentication Options.

  7. (Optional) In the User Schema Settings section, type the names of the attributes in your LDAP identity provider you want to use to populate the Username, Email, Phone, First Name, and Last Name for users created via LDAP user provisioning. For more information about user account options, see LDAP User Account Options.

    Note: If you enable User Data Sync and configure the options in the User Schema Settings section, Tenable Security Center automatically updates the attributes in the User Schema Settings section with values from your LDAP identity provider. For more information, see LDAP Authentication Options.

  8. Click Submit.

    Tenable Security Center Director saves your configuration.