You can configure SAML authentication so that
- SAML 2.0-based authentication (for example, Okta, OneLogin, or Microsoft ADFS)
- Shibboleth 1.3 authentication
For more information, see:
- Configure SAML Authentication Automatically via the User Interface
- Configure SAML Authentication Manually via the User Interface
- Configure SAML Authentication via the SimpleSAML Module
After you configure SAML authentication, create
- To manually add SAML-authenticated users in Tenable.sc, see Add a SAML-Authenticated User.
- To automatically add SAML-authenticated users by importing users from your SAML identity provider, see SAML User Provisioning.
Then, users with SAML-authenticated accounts can log in to
Considerations for Advanced SAML Features
For information about
Note: Tenable Support does not assist with configuring or troubleshooting advanced SAML features.
Specifies whether SAML authentication is enabled or disabled.
If you disable SAML, the system clears your SAML configuration settings and prevents SAML-authenticated user accounts from accessing Tenable.sc.
Specifies your SAML configuration method:
Type
Specifies the identity provider you are using: SAML 2.0 (e.g., Okta, OneLogin, etc.)
The name of the Entity ID attribute. Type the attribute exactly as it appears in your identity provider SAML configuration.
Tip: This is the Federation Service Identifier value in Microsoft ADFS.
Identity Provider (IdP)
The identity provider identifier string.
The name of the SAML username attribute. Type the attribute exactly as it appears in your identity provider SAML configuration.
For example, if your SAML username attribute is NameID, specify NameID to instruct Tenable.sc to recognize users who match the format NameID=username.
Single Sign-on Service
The identity provider URL where users log in via single sign-on. Type the URL exactly as it appears in your identity provider SAML metadata.
Single Logout Service
The identity provider URL where users log out. Type the URL exactly as it appears in your identity provider SAML metadata.
Certificate Data
The text of the identity provider's X.509 SSL certificate, without the ===BEGIN CERT=== and the
You can enable user provisioning to automatically create SAML-authenticated users in
Note: If you want to delete a Tenable.sc user that was created via SAML user provisioning, delete the user from your SAML identity provider. If you delete a user in Tenable.sc that was created via SAML user provisioning without deleting the user in your SAML identity provider, Tenable.sc automatically re-creates the user in Tenable.sc the next time they log in using your SAML identity provider.
User Data Sync
If you enabled User Provisioning, you can enable User Data Sync to allow Tenable.sc to automatically synchronize contact information from your SAML identity provider for Tenable.sc users created via SAML user provisioning. For more information, see SAML User Provisioning.
Note: If you want to edit a Tenable.sc user that was created via SAML user provisioning and you enabled User Data Sync, edit the user in your SAML identity provider. Otherwise, the Tenable.sc user data sync overwrites your changes the next time the user logs in to Tenable.sc using your SAML identity provider.
Note: Tenable.sc does not update required fields (Organization ID, Group ID, and Role ID). To change the organization, group, or role for a user created via SAML user provisioning, see Manage User Accounts.