Configuring identity providers and user provisioning in the CMP

Use the Tanium Cloud Management Portal (CMP) to help you configure your identity provider, manage your existing provider configurations, provision users through the SCIM protocol, and view your Tanium instance and entitlement details.

Sign in to the CMP

You can view your existing identity provider configurations or configure new identity providers in the CMP. Tanium provides you with a Get Started link to access the portal with temporary credentials. You can also access the portal by using the following URL:

portal.<customerURL>.cloud.tanium.com

Your temporary credentials expire after seven days. See Troubleshooting Tanium Cloud if your temporary credentials are no longer valid.

  1. Click Sign in with a local user to sign in to the portal with your temporary credentials.
  2. After you sign in for the first time, create a new password and click Next.
  3. Set up multi-factor authentication.
    1. Open any authentication app and scan the QR code.
    2. Enter the generated code and click Verify.

To configure, edit, or delete any identity provider configurations, you must sign in to the portal as a local user.

If your CMP session is idle for 15 minutes, you are automatically signed out and must sign in again.

Configure your identity provider

If your identity provider supports uploading the metadata XML file, select the Auto Setup option for the best results. No manual editing is required.

  1. From the Cloud Management Home page, click Get Started and enter a name in the Identity Provider Name field.
  2. In the Enter these settings into your IDP step, select either Auto Setup or Manual Setup.

    Some identity providers require a signing certificate to enable automatic IDP sign-out. Select Auto Setup to obtain the signing certificate automatically. If you select Manual Setup, you must download the signing certificate and then upload the certificate to your identity provider.

    • If you chose the automatic setup, click Download Service Provider Metadata XML file to download the XML file and upload it to your identity provider.
    • If you chose the manual setup, copy the SSO Url, Audience URI/Entity ID, Tanium Console Url, and Logout Url values and paste them into your identity provider configuration. If your identity provider requires the signing certificate, click Download Certificate to obtain a copy of the certificate that you can upload to the identity provider.


    If your identity provider does not support uploading the metadata XML file, you must select Manual Setup. For more information about which values to paste into your identity provider configuration, see Reference: Mapping CMP manual setup values with identity provider values.

    The IDP Documentation links in the CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

  3. In the Identity Provider Attribute Setup step, verify that your identity provider has a claim configured with the listed claim name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and a value of user.mail.

    You can edit this value, but the value must match in both the Identity Provider Attribute Setup step of the CMP and your identity provider settings.

  4. (Optional) In the Cloud Management Portal Roles step, you can specify a group (custom) claim setup to assign users to a Cloud Management Admin role in the CMP. To do so, you need the group claim attribute name and value that you must configure in your identity provider.

    Users with the Cloud Management Admin role have full write permission in the CMP.

    Each identity provider has its own instructions for setting up and retrieving the group claim attribute name and value. For example, when you set up a group claim through Azure Active Directory, use the Name of the group claim in Azure as the Group Claim Attribute Name in the CMP, and use the Object Id of the group in Azure as the Cloud Management Admin value in the CMP. Refer to the documentation for your identity provider for information about configuring group claims.

    Contact Tanium Support for additional help with configuring the identity provider settings for your organization. To contact Tanium Support, sign in to https://support.tanium.com.

  5. In the Identity Provider Metadata step, validate by using one of the following options.
    • Provide the metadata URL from your identity provider and click Test URL.
    • Click Upload file to upload the downloaded XML file from your identity provider.
  6. In the Enable Authentication step, confirm whether you want to allow authentication to the Tanium Console, the CMP, or both.

    Both options are selected by default. If you do not want users to have read-only access to the Cloud Management Portal, clear the Allow for Cloud Management Portal authentication option. You must leave at least one option selected.

  7. In the Specify Login Domain(s) step, add any domains that you want to allow access.
    1. Enter a domain and click Add domain.

      Each configured identity provider must be the authoritative source for one or more domains. You cannot have the same domain configured in more than one identity provider.

    2. Select whether you want to automatically provision users from that domain by clicking Yes or No.

      If you want to automatically provision users, you must also set the default user group in the Tanium Console. For more information, see Tanium Console User Guide: Set the default user group.

  8. In the Enable IDP Logout step, select the checkbox if you want to automatically sign out of your identity provider when you sign out of Tanium Cloud.
  9. In the You are now ready to test your IDP step, click Apply Changes.

    Click Test IDP to make sure that Tanium Cloud can successfully connect to your identity provider.
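The following script is an added example, not part of the Tanium documentation or the CMP itself. It checks what a SAML assertion from your identity provider must carry for the configuration above to work: a single value under the email claim name from the Identity Provider Attribute Setup step, a login domain that exactly one configured identity provider is authoritative for, and, where a group claim is configured, the admin group Object Id that grants the Cloud Management Admin role. The sample assertion, provider names, domains, and group Object Ids are constructed values; the "read-only" label for non-admin access is the example's own.

```python
"""Check that a SAML assertion carries what the CMP identity provider settings
above require: the email claim (step 3), the optional group claim for the Cloud
Management Admin role (step 4), and a login domain that exactly one configured
identity provider is authoritative for (step 7).

Added example; the sample assertion, provider names, domains and group Object
Ids are constructed and are not Tanium values."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name listed in the CMP's Identity Provider Attribute Setup step.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: the AttributeStatement an IdP might return for one user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>99999999-8888-7777-6666-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed CMP-side settings: one entry per configured identity provider.
IDP_CONFIGS = [
    {"name": "corp-idp", "domains": {"example.com"},
     "group_claim_attribute": "groups",  # Group Claim Attribute Name in the CMP
     "cloud_management_admin": "11111111-2222-3333-4444-555555555555"},  # admin group Object Id
    {"name": "subsidiary-idp", "domains": {"example.org"},
     "group_claim_attribute": None, "cloud_management_admin": None},
]


def attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        result[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return result


def duplicate_domains(configs):
    """Return domains claimed by more than one identity provider (the CMP forbids this)."""
    owners = {}
    for cfg in configs:
        for domain in cfg["domains"]:
            owners.setdefault(domain.lower(), set()).add(cfg["name"])
    return sorted(d for d, names in owners.items() if len(names) > 1)


def evaluate(assertion_xml, configs, email_claim=EMAIL_CLAIM):
    """Resolve the user's email, the authoritative identity provider and the CMP role.

    Raises ValueError when the assertion cannot be mapped the way the CMP settings require."""
    attrs = attributes(assertion_xml)
    emails = [e.strip() for e in attrs.get(email_claim, []) if e and "@" in e]
    if len(emails) != 1:
        # Covers a claim-name mismatch between the IdP and the CMP as well as a missing value.
        raise ValueError("assertion must carry exactly one value for claim " + email_claim)
    email = emails[0]
    domain = email.rsplit("@", 1)[1].lower()
    matches = [c for c in configs if domain in {d.lower() for d in c["domains"]}]
    if len(matches) != 1:
        raise ValueError("domain %s is configured for %d identity providers" % (domain, len(matches)))
    cfg = matches[0]
    # Default is read-only CMP access; the admin group Object Id in the group claim grants full write.
    role = "read-only"
    attr_name, admin_id = cfg["group_claim_attribute"], cfg["cloud_management_admin"]
    if attr_name and admin_id and admin_id in attrs.get(attr_name, []):
        role = "Cloud Management Admin"
    return {"email": email, "idp": cfg["name"], "role": role}


if __name__ == "__main__":
    print(duplicate_domains(IDP_CONFIGS))
    print(evaluate(SAMPLE_ASSERTION, IDP_CONFIGS))
```

Run it against a decoded assertion captured from your browser's SAML tracer after Test IDP; a ValueError from evaluate points at the step whose values do not match (the claim name in step 3, or the login domains in step 7).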

Edit an existing identity provider configuration

To edit an existing configuration, you must sign in to the portal as a local user.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions next to the configuration that you want to update, and then select Edit IDP Settings.

  3. Make any updates, click Apply Changes, and then click Test IDP.

Delete an existing identity provider configuration

To delete an existing configuration, you must sign in to the portal as a local user.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions next to the configuration that you want to delete, and then select Delete.

  3. Click Delete to confirm your action.

The CMP does not delete the Tanium configuration from your third-party identity provider, but that identity provider can no longer be used with Tanium after you delete it in the CMP. To use that identity provider again, you must configure it in the CMP again (see Configure your identity provider).

Configure SCIM provisioning

Configure SCIM (System for Cross-Domain Identity Management) if you want to automatically provision identity provider users and user groups into Tanium.

Tanium Cloud supports Microsoft Azure AD and Okta as SCIM providers. Contact Tanium Support if you require support for another SCIM provider.

You must copy the SCIM token into your identity provider within five minutes and before the page is refreshed. Otherwise, the token is hidden, and you must rotate the token to generate a new one.

Before you begin

Configure your identity provider.

Enable SCIM

Contact Tanium Support for additional help with configuring the identity provider settings for your organization. To contact Tanium Support, sign in to https://support.tanium.com.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions and then select Configure SCIM.

  3. Select Enable SCIM and wait for the configuration to complete.

  4. Click Copy to copy the Token and paste it into the identity provider settings for your organization.
  5. Click Copy to copy the SCIM API URL and paste it into the identity provider settings for your organization.

Rotate SCIM token

SCIM tokens expire after one year. If you receive an email that a SCIM token is about to expire, return to the SCIM configuration in the CMP and rotate the token to preserve the connection between your identity provider and Tanium Cloud. Rotating the token also invalidates the previous token.

You must copy the new SCIM token into your identity provider within five minutes and before the page is refreshed. Otherwise, the token is hidden, and you must rotate the token again to generate a new one.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions and then select Configure SCIM.

  3. Click Rotate Token and then confirm your action.

  4. Click Copy to copy the new Token value and paste it into the identity provider settings for your organization.
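The following code is an added example, not Tanium's implementation, of the token behaviour that the Enable SCIM and Rotate SCIM token procedures describe from the portal side: the plaintext token is shown once and is not retrievable afterwards, it expires after one year, and rotation issues a new token while invalidating the previous one, so an identity provider still presenting the old bearer token is refused. The thirty-day warning window, the SHA-256 storage scheme, and the FakeClock helper are assumptions made for the example.

```python
"""Bearer-token lifecycle for a SCIM endpoint, matching the behaviour described in
Enable SCIM and Rotate SCIM token: the plaintext token is returned once and never
stored, it expires after one year, and rotating issues a new token while
invalidating the previous one.

Added example of the mechanism, not Tanium's implementation. EXPIRY_WARNING and
the SHA-256 storage scheme are assumptions; FakeClock exists only for the demo."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=365)   # SCIM tokens expire after one year
EXPIRY_WARNING = timedelta(days=30)    # assumption: lead time for the expiry notice


class FakeClock:
    """Controllable clock so the demo and tests do not depend on wall time."""
    def __init__(self, start):
        self.now = start

    def advance(self, delta):
        self.now += delta

    def __call__(self):
        return self.now


class ScimTokenStore:
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._digest = None        # only the hash of the current token is kept
        self.expires_at = None

    @staticmethod
    def _digest_of(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def rotate(self):
        """Issue a new token, invalidating the previous one. The plaintext is
        returned exactly once; it cannot be retrieved from the store later."""
        token = secrets.token_urlsafe(32)
        self._digest = self._digest_of(token)
        self.expires_at = self._clock() + TOKEN_LIFETIME
        return token

    def authorize(self, authorization_header):
        """Check an Authorization header sent by the identity provider's SCIM client."""
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented or self._digest is None:
            return False
        if self._clock() >= self.expires_at:
            return False          # expired: the IdP's provisioning calls now fail
        return hmac.compare_digest(self._digest, self._digest_of(presented))

    def expiring_soon(self):
        """True when the expiry notice should be sent (within EXPIRY_WARNING)."""
        return self.expires_at is not None and self.expires_at - self._clock() <= EXPIRY_WARNING


def demo():
    """Walk through issue, rotate and expiry; returns the observed checks."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    store = ScimTokenStore(clock)
    first = store.rotate()
    checks = {"first_valid": store.authorize("Bearer " + first),
              "wrong_scheme_rejected": not store.authorize("Basic " + first)}
    second = store.rotate()                  # rotation invalidates `first`
    checks["first_after_rotate"] = store.authorize("Bearer " + first)
    checks["second_valid"] = store.authorize("Bearer " + second)
    clock.advance(timedelta(days=340))
    checks["warned_before_expiry"] = store.expiring_soon()
    clock.advance(timedelta(days=30))        # past the one-year lifetime
    checks["second_after_expiry"] = store.authorize("Bearer " + second)
    return checks


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The practical consequence for the procedure above is the order of operations: rotate first, then paste the new token into the identity provider promptly, because provisioning requests with the old token fail from the moment Rotate Token is confirmed.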

Disable SCIM provisioning

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions and then select Configure SCIM.

  3. Clear the Enable SCIM checkbox and then confirm your action.