Configure SSO/SAML Authentication in FedRAMP Containers

You can configure single sign-on (SSO)/Security Assertion Markup Language (SAML) authentication in FedRAMP containers so users can use provider-initiated SSO when logging in to Tenable.io. By default, SSO is not enabled.

Tip: These instructions are only for FedRAMP environments. If you are using a commercial Tenable.io environment, you can configure self-service SAML.

Note: Using SAML for your account does not disable traditional login.

Tenable.io supports:

  • SAML 2.0-based authentication (for example, Okta or OneLogin)

  • Shibboleth 1.3 authentication

Note: If you configure SSO authentication, Tenable.io does not log user actions to the audit log. This information may be available from the identity services provider you use.

Note: Tenable does not currently support an SP-initiated SAML flow. Because the flow must be initiated from the Identity Provider side, navigating directly to https://cloud.tenable.com does not allow SSO. Additionally, all users must have an account configured in Tenable.io that matches their SSO login.

Step 1: Configure SSO on the Tenable.io Side

To configure SSO authentication:

  1. Get the Identity Provider (IdP) .xml metadata file from your SAML provider.

    Note: Follow your SAML provider's instructions to generate the IdP .xml file.

  2. Contact your sales team and provide the IdP .xml file and a valid Tenable.io email address.

    Note: The estimated turnaround time for this request is approximately 15 days.

    Note: If you are using ADFS or Azure AD as your IdP, the metadata may contain two (or more) signing certificates. In that case, follow the instructions in Configure Tenable.io with ADFS SAML instead.

Step 2: Configure SSO on the SAML Side

Note: These terms may vary between SSO providers.

To manually configure SSO on the SAML side, configure the following parameters:

  • ACS/Single Sign On URL: https://fedcloud.tenable.com/saml/login/<SAML_UUID>

  • NameID Format: Unspecified

  • NameID Value: The username of the existing user account in Tenable.io. Typically this is the user's email address, but it can be any unique identifier.

  • Audience: NessusCloud

Note: The following are the most common reasons that SAML configuration fails:

  • The IdP metadata was generated incorrectly

  • The IdP metadata included the incorrect certificate

  • The SSO login does not match the Tenable.io login
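The following pre-flight check, added here as an example and not Tenable's code, inspects an IdP metadata file for the failure causes listed above (not an EntityDescriptor, no signing certificate, or the multi-certificate ADFS/Azure AD case) and checks a sample IdP assertion for a NameID that matches an existing Tenable.io username and the expected Audience; the metadata and assertion samples, the entityID and the usernames are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_idp_metadata(xml_text):
    """Return the problems found in IdP metadata; an empty list means it looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not root.get("entityID"):
        problems.append("root is not an EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor (SP metadata sent by mistake?)"]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing AND encryption
            certs += ["".join((c.text or "").split())
                      for c in kd.findall(".//ds:X509Certificate", NS)]
    if not certs:
        problems.append("no signing certificate in IDPSSODescriptor")
    elif len(certs) > 1:
        problems.append("%d signing certificates: the ADFS/Azure AD case, use the ADFS guide" % len(certs))
    return problems

def check_assertion(xml_text, tenable_users, audience="NessusCloud"):
    """Check an assertion's NameID and Audience against what Tenable.io expects."""
    problems = []
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or (name_id.text or "").strip() not in tenable_users:
        problems.append("NameID does not match an existing Tenable.io username")
    auds = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in auds:
        problems.append("Audience %r, expected %r" % (auds, audience))
    return problems

# Constructed sample inputs (not real IdP output): two signing certs, as ADFS often emits.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/adfs">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...OLD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...NEW</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
 </IDPSSODescriptor></EntityDescriptor>"""
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.test</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>NessusCloud</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

Run `check_idp_metadata` on the real IdP file before sending it to your sales team, and `check_assertion` on a decoded assertion captured from a test login with the list of usernames actually provisioned in Tenable.io.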

For more information on troubleshooting configuration failures, see the FedRAMP SAML/SSO Configuration Guidance Quick Reference Guide.