Configure SAML Authentication via the SimpleSAML Module

Tip: The recommended method for configuring SAML authentication is via the Tenable.sc interface:

Required User Role: Administrator

If you encounter issues configuring SAML via the Tenable.sc interface, you can use a hidden SimpleSAML module to automatically configure SAML authentication.

For general information, see SAML Authentication.

Before you begin:

  • Save your identity provider SAML metadata file to a directory on your local computer.

To configure SAML authentication via the SimpleSAML module:

  1. Log in to Tenable.sc Director via the user interface.

  2. In the top navigation bar, click System > Configuration.

    The Configuration page appears.

  3. Click the SAML button.

    The SAML Configuration page appears.

  4. Type placeholder values into all SAML configuration options. You do not need to configure valid values.

  5. Click Submit.

    Tenable.sc Director saves your configuration.

  6. Log in to Tenable.sc Director via the command line interface (CLI).

  7. Navigate to and open the /opt/sc/support/etc/SimpleSAML/config/authsources.php file.
  8. Copy and paste the following text into the file, between the ), line and the ); line:

    // This is a authentication source which handles admin authentication.

    'admin' => array(

    // The default is to use core:AdminPassword, but it can be replaced with

    // any authentication source.

     

    'core:AdminPassword',

    ),

  9. Save the file.
  10. In a browser, navigate to https://<Tenable.sc IP address or hostname>/saml/module.php/core/frontpage_config.php.

    The SimpleSAML.php installation page appears.

  11. On the Configuration tab, click Login as administrator.

    The Enter your username and password page appears.

  12. In the Username box, type admin.
  13. In the Password box, type admin.
  14. Click Login.

  15. On the Federation tab, in the Tools section, click XML to SimpleSAML.php metadata converter.

    The Metadata parser page appears.

  16. Click Choose File and select your identity provider SAML metadata file.
  17. Click Parse.

    Tenable.sc Director validates the identity provider SAML metadata file. If the metadata file is supported, Tenable.sc Director populates the XML metadata box with content from your metadata file. If the metadata file is not supported, you cannot use it for SAML authentication in Tenable.sc Director.

  18. In the saml20-idp-remote section, copy the text in the box.
  19. Log in to Tenable.sc Director via the command line interface (CLI).

  20. Navigate to and open the /opt/sc/support/etc/SimpleSAML/metadata/saml20-idp-remote.php file (for SAML 2.0) or /opt/sc/support/etc/SimpleSAML/metadata/shib13-idp-remote.php file (for Shibboleth 1.3).

  21. Paste the text into the file, after the <?php line.

  22. Save the file.
  23. Navigate to and open the /opt/sc/support/etc/SimpleSAML/config/authsources.php file again.
  24. Confirm the idp URL in the authsources.php file matches the $metadata URL in the saml20-idp-remote.php or shib13-idp-remote.php file:

    Valid authsources.php syntax example:

    'idp' => 'http://www.okta.com/abcdefghijKLmnopQr0s1'

    Valid saml20-idp-remote.php or shib13-idp-remote.php syntax example:

    $metadata['http://www.okta.com/abcdefghijKLmnopQr0s1']
  25. In a browser, navigate to https://<Tenable.sc IP address or hostname>/saml/module.php/core/frontpage_config.php.

    The SimpleSAML.php installation page appears.

  26. On the Authentication tab, click Test configured authentication sources.

    The Test authentication sources page appears.

  27. Click 1.

    Your identity provider login page appears.

  28. Log in to your identity provider.

    The SAML 2.0 SP Demo Example page appears. If this page does not appear, the configuration did not succeed.

What to do next:

  • In the Tenable.sc interface, on the SAML Configuration page, click Download SAML Configuration XML, save the .xml file locally, and use it to configure your identity provider SAML configuration. For more information, see SAML Authentication XML Configuration Examples.
  • Add SAML-authenticated user accounts.
  • Instruct users to log in to Tenable.sc Director using the Sign In Using Identity Provider button, as described in Log In to the Web Interface.