Configure SSO/SAML Authentication in FedRAMP Containers

You can configure single sign-on (SSO)/Security Assertion Markup Language (SAML) authentication in FedRAMP containers so users can use provider-initiated SSO when logging in. By default, SSO is not enabled.

Tip: These instructions are only for FedRAMP environments. If you are using a commercial environment, you can configure self-service SAML.

Note: Using SAML for your account does not disable traditional login. The following are supported:

  • SAML 2.0-based authentication (for example, Okta or OneLogin)

  • Shibboleth 1.3 authentication

Note: If you configure SSO authentication, user actions are not logged to the audit log. This information may be available from the identity services provider you use.

Note: Tenable does not currently support an SP-initiated SAML flow. Because the flow must be initiated from the Identity Provider side, navigating directly to the application does not allow SSO. Additionally, every user must have an existing account whose username matches their SSO login.

Step 1: Configure SSO on the Tenable Side

To configure SSO authentication:

  1. Get the Identity Provider (IdP) .xml metadata file from your SAML provider.

    Note: Follow your SAML provider's instructions to generate the IdP .xml file.

  2. Contact your sales team and provide the IdP .xml file and a valid email address.

    Note: The estimated turnaround time for this request is approximately 15 days.

    Note: If you are using ADFS or Azure AD as your IdP, the metadata may contain two (or more) signing certificates. In that case, follow the instructions in Configure with ADFS SAML instead.

Step 2: Configure SSO on the SAML Side

Note: These terms may vary between SSO providers.

To manually configure SSO on the SAML side, configure the following parameters:

  • ACS/Single Sign On URL: <SAML_UUID>

  • NameID Format: Unspecified

  • NameID Value: The username of the existing user account. Typically this is the user's email address, but it can be any unique identifier.

  • Audience: NessusCloud

Note: The following are the most common reasons that SAML configuration fails:

  • The IdP metadata was generated incorrectly

  • The IdP metadata includes the wrong certificate

  • The SSO login (the NameID value) does not match the username of the existing account

For more information on troubleshooting configuration failures, see the FedRAMP SAML/SSO Configuration Guidance Quick Reference Guide.
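A pre-flight check for the IdP .xml metadata file from Step 1, added here as an example (not Tenable's code): it parses the file and flags the failure modes listed above, that is, malformed metadata, the wrong file type (SP metadata exported by mistake), no signing certificate or several of them (the ADFS/Azure AD case), and no HTTP-POST SSO endpoint. The sample metadata, its entityID and its certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def check_idp_metadata(xml_text: str) -> list:
    """Return the problems found; an empty list means the file passes these checks."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Some IdPs wrap the EntityDescriptor in an EntitiesDescriptor aggregate.
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" \
        else root.find("md:EntityDescriptor", NS)
    if entity is None or entity.get("entityID") is None:
        return ["no EntityDescriptor with an entityID: wrong file exported?"]
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Exporting SP metadata instead of IdP metadata is a common mistake.
        return ["no IDPSSODescriptor: this is SP metadata, not IdP metadata"]
    problems = []
    # A KeyDescriptor with no 'use' attribute applies to signing and encryption.
    certs = {c.text.strip()
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text and c.text.strip()}
    if not certs:
        problems.append("no signing certificate: the IdP's assertions cannot be verified")
    elif len(certs) > 1:
        problems.append(f"{len(certs)} signing certificates (ADFS/Azure AD style); "
                        "use the ADFS-specific configuration instead")
    bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
    if POST not in bindings:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    return problems


# Constructed sample: a minimal IdP metadata file with a placeholder certificate.
SAMPLE_OK = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...AQAB</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run it against the real file with `check_idp_metadata(open("idp.xml").read())` before sending the file to your sales team; an empty list does not prove the metadata is correct, only that these specific mistakes are absent.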