Configuring AD FS for Tanium Cloud

To use Active Directory Federation Services (AD FS) as an identity provider for Tanium Cloud, you must first configure it.

The IDP Documentation links in the CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. From the AD FS Management Console, go to Actions > AD FS > Add Relying Party Trust....
    1. In the Welcome step, select Claims aware and then click Start.
    2. In the Select Data Source step, select Enter data about the relying party manually and then click Next.
    3. In the Specify Display Name step, enter a name, such as Tanium or Tanium Cloud, and then click Next.
    4. In the Configure Certificate step, click Next. A service-provider certificate is not required for Tanium Cloud.
    5. In the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol, enter the SSO Url value from the CMP, and then click Next.
    6. In the Configure Identifiers step, enter the Audience URI/SP Entity ID value from the CMP, click Add, and then click Next.
    7. In the Choose Access Control step, select an appropriate access control policy for your organization, and then click Next.

      You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in the Cloud Management Portal. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.

    8. In the Ready to Add Trust step, click Next.
    9. In the Finish step, verify that Configure claims issuance policy for this application is selected, and then click Close.
    10. If the Edit Claim Issuance Policy for <applicationDisplayName> window does not appear automatically, right-click Relying Party Trust for <applicationDisplayName>, and then click Edit Claim Issuance Policy....

  2. In the Edit Claim Issuance Policy for <applicationDisplayName> window, click Add Rule... to create the rule to send the e-mail addresses from AD to Tanium Cloud in both the e-mail address and NameID attributes.
    1. Enter a Claim rule name, such as Send E-mail Addresses.
    2. From the Attribute store drop-down menu, select Active Directory.
    3. In the first row of Mapping of LDAP attributes to outgoing claim types, select User-Principal-Name for the LDAP Attribute column and E-Mail Address for the Outgoing Claim Type column.
    4. In the second row of Mapping of LDAP attributes to outgoing claim types, select User-Principal-Name for the LDAP Attribute column and Name ID for the Outgoing Claim Type column.
    5. Click OK to save the rule and close the window.
    6. Click OK to save the claim issuance policy and close the window.
  3. Replace <yourADFSServer> in the following URL with your AD FS server/farm name and then provide the XML file to Tanium.
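The same relying party trust and claim rule, built with the AD FS PowerShell module instead of the wizard. This is an added example, not part of the Tanium documentation; it assumes it runs elevated on an AD FS server and that the two placeholder values are replaced with the SSO Url and Audience URI/SP Entity ID shown in the CMP, and it uses the built-in "Permit everyone" policy where your organization would substitute its own.

```powershell
# Added example (not from the Tanium documentation): the relying party trust and
# claim rule from the steps above, created with the AD FS PowerShell module.
# Assumptions: run elevated on an AD FS server; replace the two placeholder
# values with the SSO Url and Audience URI/SP Entity ID shown in the CMP.
Import-Module ADFS

$displayName = 'Tanium Cloud'
$ssoUrl      = 'https://<sso-url-from-cmp>'    # placeholder: SSO Url from the CMP
$entityId    = 'urn:<sp-entity-id-from-cmp>'   # placeholder: Audience URI/SP Entity ID from the CMP

# Configure URL step: SAML 2.0 WebSSO assertion consumer endpoint (HTTP-POST binding)
$acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $ssoUrl -Index 0

# Claim issuance policy: one LDAP-attribute rule that issues userPrincipalName
# as both E-Mail Address and Name ID, equivalent to the two rows set in the GUI.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send E-mail Addresses"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName,userPrincipalName;{0}", param = c.Value);
'@

# Add Relying Party Trust wizard in one call. 'Permit everyone' is the built-in
# policy; substitute the policy chosen in the Choose Access Control step and make
# sure it grants access to the Primary Tanium Cloud Admin Username.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -Identifier $entityId `
    -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' `
    -IssuanceTransformRules $rules

# Verify: the identifier must equal the CMP's Audience URI/SP Entity ID, and the
# rule text should list both emailaddress and nameidentifier claim types.
$trust = Get-AdfsRelyingPartyTrust -Name $displayName
$trust | Select-Object Name, Identifier, AccessControlPolicyName
$trust.IssuanceTransformRules
```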

Amazon Cognito, which is used for identity federation with Tanium Cloud, does not support IDP-initiated SSO. To sign in to Tanium Cloud, you must first access your Tanium Cloud Console URL from the Cloud Management Portal. You cannot sign in from the AD FS IDP Initiated SSO page.

Configure the CMP to allow UPN suffixes

To allow sign-ins from AD FS, you must add the UPN suffixes of users and user groups to the CMP.

  1. Retrieve the UPN suffixes from the AD FS Management Console.
    1. From the AD FS Management Console, go to Active Directory Domains and Trusts.
    2. Right-click Active Directory Domains and Trusts <FQDC> and select Properties.
    3. From the UPN Suffixes tab, note the suffixes to add to the CMP.
  2. Add the UPN suffixes to the CMP.
    1. Sign in to the CMP. For information, see Sign in to the CMP.
    2. From the Cloud Management Home page, click Update Settings.
    3. In the Identity Provider Settings section, find the row for the AD FS identity provider. Click Options and select Edit IDP Settings.
    4. Navigate to the Specify Login Domain(s) step. For each UPN suffix, perform the following steps:
      1. Enter the UPN suffix and click Add domain.

        Each configured identity provider must be the authoritative source for one or more domains. You cannot have the same domain configured in more than one identity provider.

      2. Set Auto-Provision Users to No.
    5. In the You are now ready to test your IDP step, click Apply Changes.

      Click Test IDP to make sure that Tanium Cloud can successfully connect to your identity provider.

    6. When finished, click Close.