Configuring Azure AD for Tanium Cloud

To use Azure Active Directory (AD) as an identity provider for Tanium Cloud, you must first configure it.

The IDP Documentation links in the CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. From the Azure Services section of the Azure Management Portal (https://portal.azure.com), click Azure Active Directory.
  2. In the Create section, click + Add and then click Enterprise application.
  3. In the Browse Azure AD Gallery (Preview) section, click Create your own application.
  4. In the Create your own application section, enter a name, such as Tanium or Tanium Cloud, for the new application, select Integrate any other application you don't find in the gallery, and then click Create.
  5. In the Getting Started section, click Set up single sign on and then click SAML.
    1. In the Basic SAML Configuration section, click Edit, and then enter the following values from the Cloud Management Portal (Azure AD field: Cloud Management Portal value).

      Identifier (Entity ID): Audience URI/SP Entity ID
      Reply URL (Assertion Consumer Service URL): SSO Url
      Sign on URL: Tanium Console Url
      Logout Url: Logout Url

    2. Leave the Relay State field blank, and then click Save.
    3. To dismiss the Save single sign-on configuration success prompt, click X, and then click X to close the Basic SAML Configuration section.
    4. When you are prompted to test single sign-on, click No, I'll test later.
  6. In the User Attributes & Claims section, click Edit.
    1. Verify that the value for Unique User Identifier (Name ID) is user.userprincipalname.
    2. Verify that the value for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress is user.mail.
    3. If either value is incorrect, correct it, and then click X to close the User Attributes & Claims section.
  7. In the SAML Signing Certificate section, copy the App Federation Metadata Url to provide to Tanium.

    You can provide the metadata URL in the Identity Provider Metadata step of the Cloud Management Portal identity provider configuration. You can also download the certificate and use the downloaded file with the Upload a Metadata File option to provide the Identity Provider Metadata; however, the preferred option is to enter the URL to this content, because Tanium Cloud then reads the current signing certificate from Azure AD rather than a copy that goes stale when the certificate rolls over. For more information, see Configure your identity provider.

  8. (Optional) From the navigation menu, click Manage > Properties, upload a logo for the application, and then click Save.
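As an added example (not Tanium's or Microsoft's code), the script below parses an identity provider federation metadata document of the kind Azure AD serves at the App Federation Metadata Url from step 7, and extracts what the service provider side relies on: the IdP entityID, the single sign-on endpoints per binding, and the signing certificate. SAMPLE_METADATA is a constructed minimal sample with a placeholder tenant ID; real Azure AD metadata is XML-signed and carries more elements. Checking the document this way before entering the URL confirms it really is IdP (not SP) metadata and that it includes a signing certificate.

```python
# Added example (not Tanium's or Microsoft's code): parse an IdP federation metadata
# document like the one Azure AD serves at the App Federation Metadata Url.
# SAMPLE_METADATA is a constructed minimal sample with a placeholder tenant ID.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          TUlJQ29uc3RydWN0ZWRTYW1wbGVDZXJ0
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP entityID, SSO endpoints keyed by binding, and signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            # Base64 certificate text is often wrapped; strip all whitespace.
            certs += ["".join(c.text.split()) for c in kd.iter(f"{{{NS['ds']}}}X509Certificate")]
    if not certs:
        raise ValueError("no signing certificate: the SP could not verify assertions")
    # Key each endpoint by the short binding name, e.g. HTTP-POST.
    sso = {e.get("Binding").rsplit(":", 1)[1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}
```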

Assign the enterprise application to users

From the navigation menu, click Manage > Users and groups, and then click Add user to assign the enterprise application to any users that you want to have access to Tanium Cloud.

You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in the Cloud Management Portal. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.