Manage SAML Configurations

Required User Role: Administrator

In Tenable Vulnerability Management, you can manage your SAML configurations in the following ways:

Tip: Review the Tenable SAML Configuration Quick Reference Guide for a step-by-step guide of how to configure SAML for use with Tenable Vulnerability Management.

Add a SAML Configuration

You can manually enter the details for your SAML configuration or you can upload a metadata.xml file that you download from your identity provider (IdP).

Note: Once SAML is configured for a user, they must log in using the IdP Tile or the URL provided in the SP metadata file (for example, cloud.tenable.com/SAML/XXXXXX) and log back out before they can access the Sign in via SSO link on the Tenable Vulnerability Management login page.

Important: Because Tenable Vulnerability Management cannot accept private keys to decrypt SAML assertions, Tenable Vulnerability Management does not support SAML assertion encryption. If you want to configure SAML authentication in Tenable Vulnerability Management, choose an identity provider that does not require assertion encryption and confirm that assertion encryption is not enabled.

Before you begin:

Review the Tenable SAML Configuration Quick-Reference guide for a step-by-step guide of how to configure SAML for use with Tenable Vulnerability Management. This includes the following high-level steps:

Follow the steps described in your IdP's documentation to set up a SAML application for Tenable Vulnerability Management on your IdP account. Your IdP requires an entity ID and a reply URL for Tenable Vulnerability Management to set up the SAML application:
- Entity ID/Audience URI— TENABLE_IO_PLACEHOLDER.
- ACS/SSO URL/Login URL/Reply URL— https://cloud.tenable.com/SAML/login/placeholder.com.
In your IdP account, download your metadata.xml file.

Note: Tenable does not currently support a SP-Initiated SAML flow. Because it must be initiated from the Identity Provider side, navigating directly to https://cloud.tenable.com does not allow SSO.

Important! All users must have an account configured in Tenable Vulnerability Management that matches their SSO login. You must ensure the SSO login matches the FULL Tenable account name (i.e., [email protected]).

To add a new SAML configuration:

Access the SAML page.
In the action bar, click Create.

The SAML Settings page appears.

Do one of the following:

To provide configuration details by uploading the metadata.xml file from your IdP:
1. In the first drop-down box, select Import XML.
  
  Note: Import XML is selected by default.
2. The Type drop-down box specifies the type of identity provider you are using. Tenable Vulnerability Management supports SAML 2.0 (for example, Okta, OneLogin, etc.).
  This option is read-only.
3. Under Import, click Add File.
  
  A file manager window appears.
4. Select the metadata.xml file.
  
  The metadata.xml file is uploaded.

To manually create your SAML configuration using data from the metadata.xml file from your IdP:

In the first drop-down box, select Manual Entry.

A SAML configuration form appears.

Configure the settings described in the following table:

Settings	Description
Enabled toggle	A toggle in the upper-right corner that indicates whether the SAML configuration is enabled or disabled. By default, the Enable setting is set to Enabled. Click the toggle to disable SAML configuration.
Type	Specifies the type of identity provider you are using. Tenable Vulnerability Management supports SAML 2.0 (for example, Okta, OneLogin, etc.). This option is read-only.
Description	A description for the SAML configuration.
IdP Entity ID	The unique entity ID that your IdP provides. Note: If you want to configure multiple IdPs for a user account, create a new configuration for each identity provider with separate identity provider URLs, entity IDs, and signing certificates.
IdP URL	The SAML URL for your IdP.
Certificate	Your IdP security certificate or certificates. Note: Security certificates are found in a metadata.xml file that your identity provider provides. You can copy the content of the file and paste it in the Certificate box.
Authentication Request Signing Enabled	A toggle that indicates whether authentication request signing is enabled. When this toggle is enabled, if: a user is logged in via SAML and their session expires a user logs out and tries to log back in directly via the Tenable Vulnerability Management interface rather than their IdP Tenable Vulnerability Management automatically signs the SAML authentication request that is sent to the IdP to log the user back in. Note: The authentication request can only be validated if the IdP is also configured to accept this setting. For more information, see the following resources: Tenable SAML Quick Reference Guide Manage Signing Certificates in Okta Enforce Signed SAML Authentication Requests in Microsoft Entra ID Edit a SAML Application in Ping Identity (Enforce Signed AuthnRequest option)
User Auto Provisioning Enabled	A toggle that indicates whether automatic user account creation is enabled or disabled.
IdP Assigns User Role at Provisioning	To assign a user role during provisioning, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles. Note: To access this option, you must first enable the User Autoprovisioning Enabled option.
IdP Resets User Role at Each Login	To assign a role each time a user logs in, overwriting the current role with the one chosen in your IdP, enable this toggle. In your SAML identity provider, add an attribute statement with userRoleUuid as the attribute name and the user role UUID as the attribute value. To obtain the UUID for a user role, go to Settings > Access Control > Roles.
Group Management Enabled	Enable this toggle to allow the SAML configuration to manage user groups. You must enable this toggle for the Managed by SAML user group option to function successfully. For more information about this option, see Create a Group.

Click Save.

Tenable Vulnerability Management saves your SAML configuration.

What to do next:

Download the metadata.xml from Tenable Vulnerability Management using the Download SP Metadata option in the SAML Configurations table.
Upload this file to the SAML application you created for Tenable Vulnerability Management with your SAML provider.

Tip: If you are having trouble configuring SAML, Tenable recommends trying one of the various third-party SAML debugging tools available online. You can also reach out to Tenable Support for further troubleshooting assistance.

Edit a SAML Configuration

Important: To avoid locking yourself out, ensure you have at least one admin user with access before updating SAML configurations. For example, if you disable the SAML configuration for your only admin user, you can no longer access and manage your application.

To edit a SAML configuration:

On the SAML page, in the table, click the SAML configuration that you want to edit.

The SAML Settings page appears.
(Optional) In the first drop-down box, select a different method to provide basic configuration details.
- Import XML — Configure SAML authentication by uploading the metadata file your IdP provided, as described in Add a SAML Configuration.
- Manual Entry — Configure SAML authentication by manually configuring SAML options using data from the metadata.xml file your IdP provided, as described in Add a SAML Configuration.
Tenable Vulnerability Management updates the configuration options based on your selected source.
Update any of the configurable SAML settings.

Note: Some settings are read-only and cannot be modified.

Note: The configuration options you can update depend on the source you select in the first drop-down box.
Click Save.

Tenable Vulnerability Management saves the configuration. The SAML page appears with the updated configuration.

Disable a SAML Configuration

Disabling a SAML configuration prevents users on your instance from using the SAML credentials in the configurations to log in to Tenable Vulnerability Management. You can enable a disabled SAML configuration as described in Enable a SAML Configuration.

Caution: When you disable a SAML configuration, users can no longer log in to Tenable Vulnerability Management using their SAML credentials. Make sure all users on your instance have an alternative method to log in to Tenable Vulnerability Management before you disable a SAML configuration.

To disable a SAML configuration:

On the SAML page, in the table, click the SAML configuration that you want to disable.

The SAML Settings page appears.
At the bottom of the page, click the SAML Enable toggle to disable the configuration.
Click Save.

Tenable Vulnerability Management disables the SAML configuration. On the SAML page, the disabled configuration appears in light gray.

Enable a SAML Configuration

On the SAML page, you can enable a disabled a SAML configuration.

Before you Begin:

Configure your IdP to authenticate with Tenable Vulnerability Management. For more information, see the Tenable SAML Configuration Quick Reference Guide.

To enable a disabled SAML configuration:

On the SAML page, in the table, click the SAML configuration that you want to enable.

Tip: Disabled configurations appear in light gray.

The SAML Settings page appears.
At the bottom of the page, click the SAML Enable toggle to enable the configuration.
Click Save.

Tenable Vulnerability Management enables the SAML configuration. On the SAML page, the enabled configuration appears in black.

Enable Automatic Account Provisioning

When you manually configure or edit a SAML configuration, you can enable automatic user account provisioning. Automatic account provisioning allows users with credentials for the IdP named in the SAML configuration to create a Tenable Vulnerability Management account the first time they log in via the IdP.

Tenable Vulnerability Management creates automatically provisioned accounts with the following defaults:

Full name — NameID
Username — NameID
Email — NameID
User role — Basic

Tenable Vulnerability Management does not currently support any other claim types.

Before you Begin:

Configure your IdP to authenticate with Tenable Vulnerability Management. For more information, see the Tenable SAML Configuration Quick Reference Guide.

To enable automatic user account provisioning:

On the SAML page, in the table, click the SAML configuration for which you want to enable automatic account provisioning.

The SAML Settings page appears.
At the bottom of the page, click the User Autoprovisioning Enabled toggle to enable automatic account provisioning.
Click Save.

Tenable Vulnerability Management enables automatic account provisioning in the SAML configuration.

Disable Automatic Account Provisioning

Disabling automatic account provisioning prevents users from automatically creating Tenable Vulnerability Management account the first time they access the platform via their IdP. You can enable automatic account provisioning on a SAML configuration, as described in Enable Automatic Account Provisioning.

To disable automatic user account provisioning:

On the SAML page, in the table, click the SAML configuration for which you want to disable automatic account provisioning.
The SAML Settings page appears.
At the bottom of the page, click the User Autoprovisioning Enabled toggle to disable automatic account provisioning.
Click Save.

Tenable Vulnerability Management disables automatic account provisioning in the SAML configuration.

Delete a SAML Configuration

You can delete a SAML configuration on the SAML page.

Before you begin:

Disable the SAML configuration you want to delete.

To delete a SAML configuration:

On the SAML page, in the table, select the check box for the SAML configuration that you want to delete.
In the action bar, click the Delete button.

Tenable Vulnerability Management deletes the SAML configuration.

Note: Ensure that when you delete a SAML configuration, you also remove the related configuration in your IdP.

What to do next:

Remove the related configuration from your identity provider's application.