Configure SSO/SAML Authentication in FedRAMP Containers
You can configure single sign-on (SSO)/Security Assertion Markup Language (SAML) authentication in FedRAMP containers so users can use provider-initiated SSO when logging in to Tenable.io. By default, SSO is not enabled.
Tip: These instructions are only for FedRAMP environments. If you are using a commercial Tenable.io environment, you can configure self-service SAML.
Note: Using SAML for your account does not disable traditional login.
SAML 2.0-based authentication (for example, Okta or OneLogin)
Shibboleth 1.3 authentication
Note: If you configure SSO authentication, Tenable.io does not log user actions to the audit log. This information may be available from the identity services provider you use.
Note: Tenable does not currently support an SP-initiated SAML flow. Because the flow must be initiated from the Identity Provider side, navigating directly to https://cloud.tenable.com does not allow SSO. Additionally, all users must have an account configured in Tenable.io that matches their SSO login.
Step 1: Configure SSO on the Tenable.io Side
To configure SSO authentication:
Get the Identity Provider (IdP) .xml metadata file from your SAML provider.
Note: Follow your SAML provider's instructions to generate the IdP .xml file.
Contact your sales team and provide the IdP .xml file and a valid Tenable.io email address.
Note: The estimated turnaround time for this request is approximately 15 days.
Note: If you are using ADFS or Azure AD as your IdP, the metadata may contain two (or more) signing certificates. In that case, follow the instructions in Configure Tenable.io with ADFS SAML instead.
Step 2: Configure SSO on the SAML Side
Note: These terms may vary between SSO providers.
To manually configure SSO on the SAML side:
On the SAML side, configure the following parameters:
ACS/Single Sign On URL: https://fedcloud.tenable.com/saml/login/<SAML_UUID>
NameID Format: Unspecified
NameID Value: The username of the existing user account in Tenable.io. Typically this is the user's email address, but it can be any unique identifier in email-address format.
Common causes of configuration failures:
The IdP metadata was generated incorrectly
The IdP metadata included the incorrect certificate
The SSO login does not match the Tenable.io login
For more information on troubleshooting configuration failures, see the FedRAMP SAML/SSO Configuration Guidance Quick Reference Guide.