Add a SAML Configuration
Required User Role: Administrator
You can manually enter the details for your SAML configuration or you can upload a metadata.xml file that you download from your identity provider (IdP).
Note: Once SAML is configured for a user, they must log in using the IdP Tile or the URL provided in the SP metadata file (for example, cloud.tenable.com/SAML/XXXXXX) and log back out before they can access the Sign in via SSO link on the Tenable Vulnerability Management login page.
Important: Because Tenable Vulnerability Management cannot accept private keys to decrypt SAML assertions, Tenable Vulnerability Management does not support SAML assertion encryption. If you want to configure SAML authentication in Tenable Vulnerability Management, choose an identity provider that does not require assertion encryption and confirm that assertion encryption is not enabled.
Before you begin:
Review the Tenable SAML Configuration Quick-Reference guide for step-by-step instructions on configuring SAML for use with Tenable Vulnerability Management. At a high level, the steps are:
- Follow the steps in your IdP's documentation to set up a SAML application for Tenable Vulnerability Management in your IdP account. Your IdP requires an entity ID and a reply URL for Tenable Vulnerability Management to set up the SAML application; both are in the SP metadata file you download from Tenable Vulnerability Management after you save the configuration (see What to do next).
- In your IdP account, download your metadata.xml file.
Note: Tenable does not currently support an SP-initiated SAML flow. Because the flow must be initiated from the identity provider, navigating directly to https://cloud.tenable.com does not start SSO.
Important: All users must have an account in Tenable Vulnerability Management that matches their SSO login. Ensure the SSO login matches the full Tenable account name (for example, user@tenable.com).
To add a new SAML configuration:
- In the upper-left corner, click the menu button.
  The left navigation plane appears.
- In the left navigation plane, click Settings.
  The Settings page appears.
- Click the SAML tile.
  The SAML page appears.
- In the action bar, click Create.
  The SAML Settings page appears.
- Do one of the following:
  To provide configuration details by uploading the metadata.xml file from your IdP:
  - In the first drop-down box, select Import XML. Import XML is selected by default.
  - The Type drop-down box specifies the type of identity provider you are using. Tenable Vulnerability Management supports SAML 2.0 (for example, Okta, OneLogin). This option is read-only.
  - Under Import, click Add File.
    A file manager window appears.
  - Select the metadata.xml file.
    The metadata.xml file is uploaded.
  To manually create your SAML configuration using data from the metadata.xml file from your IdP:
  - In the first drop-down box, select Manual Entry.
    A SAML configuration form appears.
  - Configure the settings described in the following table:
| Setting | Description |
| --- | --- |
| Enabled toggle | A toggle in the upper-right corner that indicates whether the SAML configuration is enabled or disabled. By default, the configuration is Enabled. Click the toggle to disable it. |
| Type | Specifies the type of identity provider you are using. Tenable Vulnerability Management supports SAML 2.0 (for example, Okta, OneLogin). This option is read-only. |
| Description | A description for the SAML configuration. |
| IdP Entity ID | The unique entity ID that your IdP provides. Note: To configure multiple IdPs for a user account, create a separate configuration for each identity provider, each with its own IdP URL, entity ID, and signing certificate. |
| IdP URL | The SAML URL for your IdP. |
| Certificate | Your IdP's signing certificate or certificates. Note: The certificates are in the metadata.xml file that your identity provider provides. You can copy the certificate content from the file and paste it into the Certificate box. |
| User Auto Provisioning Enabled | A toggle that indicates whether automatic user account creation is enabled or disabled. |
| IdP Assigns User Role at Provisioning | To assign a user role during provisioning, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles. |
| IdP Resets User Role at Each Login | To assign a role each time a user logs in, overwriting the current role with the one chosen in your IdP, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles. |
| Group Management Enabled | Enable this toggle to allow the SAML configuration to manage user groups. You must enable this toggle for the Managed by SAML user group option to work. For more information about this option, see Create a Group. |
- Click Save.
  Tenable Vulnerability Management saves your SAML configuration.
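The Manual Entry fields above are values you copy out of the IdP's metadata.xml, and the two Important notes (no assertion encryption, SSO login must equal the full Tenable account name) describe what most often goes wrong. The following script is an added example, not Tenable's code: it pulls the IdP Entity ID, IdP URL and signing certificate(s) out of a constructed sample metadata.xml, computes a SHA-256 fingerprint of each certificate so you can compare it with what the IdP console shows, and inspects a constructed sample SAML response the way a SAML debugging tool would, flagging an EncryptedAssertion, checking that the NameID is the full account name, and reading the userRoleUuid attribute. The preference for the HTTP-POST endpoint as the IdP URL, the example hostnames, the placeholder certificate body and the role UUID are assumptions.

```python
"""Extract Manual Entry values from IdP metadata and sanity-check a SAML response.

Added example for this page, not Tenable code. All XML below is constructed; the
certificate body is a base64 placeholder, not a real X.509 certificate.
"""
import base64
import hashlib
import re
from xml.etree import ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed placeholder: base64 of a plain string, standing in for a DER certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()

# Constructed IdP metadata in the shape an IdP exports (hostnames are assumptions).
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned SAML response carrying the userRoleUuid attribute (UUID is made up).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="userRoleUuid">
        <saml:AttributeValue>a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def cert_fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes, colon-separated like an IdP console shows it."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def manual_entry_fields(metadata_xml):
    """Return the IdP Entity ID, IdP URL and signing certificate(s) the Manual Entry form asks for."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP metadata by mistake?)")
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means the key serves both purposes
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                b64 = "".join(c.text.split())  # drop the line breaks before pasting into the form
                certs.append({"base64": b64, "sha256": cert_fingerprint(b64)})
    return {
        "entity_id": root.get("entityID"),
        # Assumption: use the HTTP-POST endpoint as the IdP URL, falling back to HTTP-Redirect.
        "idp_url": endpoints.get(POST) or endpoints.get(REDIRECT),
        "certificates": certs,
    }


def metadata_problems(fields):
    """Checks worth running before clicking Save; returns a list of problems (empty means fine)."""
    problems = []
    if not fields["entity_id"]:
        problems.append("entityID missing")
    if not fields["idp_url"]:
        problems.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    elif not fields["idp_url"].startswith("https://"):
        problems.append("IdP URL is not https")
    if not fields["certificates"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    return problems


def inspect_response(response_xml, expected_account):
    """Look at a decoded SAMLResponse the way a SAML debugging tool does."""
    root = ET.fromstring(response_xml)
    if root.find("saml:EncryptedAssertion", NS) is not None:
        return {"ok": False, "reason": "EncryptedAssertion present; Tenable VM cannot decrypt assertions"}
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)}
    role = attrs.get("userRoleUuid")
    reasons = []
    if name_id != expected_account:  # must equal the full Tenable account name
        reasons.append(f"NameID {name_id!r} does not match Tenable account {expected_account!r}")
    if role is not None and not UUID_RE.match(role):
        reasons.append(f"userRoleUuid {role!r} is not a UUID")
    return {"ok": not reasons, "reason": "; ".join(reasons), "name_id": name_id, "user_role_uuid": role}


if __name__ == "__main__":
    fields = manual_entry_fields(SAMPLE_IDP_METADATA)
    print("IdP Entity ID:", fields["entity_id"])
    print("IdP URL:", fields["idp_url"])
    for c in fields["certificates"]:
        print("Certificate SHA-256:", c["sha256"])
    print("Problems:", metadata_problems(fields) or "none")
    print("Response:", inspect_response(SAMPLE_RESPONSE, "user@example.com"))
```

To use it against a real IdP, replace SAMPLE_IDP_METADATA with the contents of the downloaded metadata.xml and SAMPLE_RESPONSE with a base64-decoded SAMLResponse captured from the browser; the script only parses, it does not verify signatures, so treat its output as a configuration aid rather than a security check.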
What to do next:
- Download the SP metadata.xml from Tenable Vulnerability Management using the Download SP Metadata option in the SAML Configurations table.
- Upload this file to the SAML application you created for Tenable Vulnerability Management with your SAML provider.
Tip: If you are having trouble configuring SAML, Tenable recommends trying one of the various third-party SAML debugging tools available online. You can also reach out to Tenable Support for further troubleshooting assistance.