Configuring identity providers in the CMP

You can use the Tanium Cloud Management Portal (CMP) to help you configure your identity provider, manage your existing provider configurations, and view your Tanium instance and entitlement details.

Sign in to the CMP

You can view your existing identity provider configurations or configure new identity providers in the CMP. You receive a Get Started link that opens the portal with temporary credentials. You can also access the portal directly at the following URL:

portal.<customerURL>.cloud.tanium.com

Your temporary credentials expire seven days after they are issued. If they are no longer valid, see Reset CMP password.

  1. Click Sign in with a local user to sign in to the portal with your temporary credentials.
  2. After you sign in for the first time, create a new password and click Next.
  3. Set up multi-factor authentication.
    1. Open an authenticator app and scan the QR code.
    2. Enter the generated code and click Verify.

To configure, edit, or delete any identity provider configurations, you must sign in to the portal as a local user. Because that local account can change how every other user authenticates, protect its password and multi-factor authentication secret accordingly.

If your CMP session is idle for 15 minutes, you are automatically signed out and must sign in again.

Configure your identity provider

If your identity provider supports uploading the metadata XML file, select the Auto Setup option for the best results. No manual editing is required.

  1. From the Cloud Management Home page, click Get Started and provide a name.
  2. In the Enter these settings into your IDP step, select either Auto Setup or Manual Setup.
    • If you chose the automatic setup, click Download Service Provider Metadata XML file to download the XML file and upload it to your identity provider.
    • If you chose the manual setup, copy the SSO Url, Audience URI/Entity ID, Tanium Console Url, and Logout Url values and paste them into your identity provider configuration.

    If your identity provider does not support uploading the metadata XML file, you must select Manual Setup. For more information about which values to paste into your identity provider configuration, see Reference: Mapping CMP manual setup values with identity provider values.

    The IDP Documentation links in the CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

  3. In the Identity Provider Attribute Setup step, verify that your identity provider is configured to send a claim named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress with the value user.mail.

    You can edit this claim name, but it must match exactly in both the Identity Provider Attribute Setup step of the CMP and your identity provider settings; a mismatch means the email address is not delivered and sign-in fails.

  4. In the Identity Provider Metadata step, supply your identity provider's metadata in one of the following ways.
    • Enter the metadata URL from your identity provider and click Test URL.
    • Click Upload file to upload the metadata XML file that you downloaded from your identity provider.
  5. In the Enable Authentication step, confirm whether you want to allow authentication to the Tanium Console, the CMP, or both.

    Both options are selected by default. If you do not want users to have read-only access to the Cloud Management Portal, clear the Allow for Cloud Management Portal authentication option. You must leave at least one option selected.

  6. In the Specify Login Domain(s) step, add the email domains whose users are allowed to sign in through this identity provider.
    1. Enter a domain and click Add domain.

      Each configured identity provider must be the authoritative source for one or more domains. You cannot have the same domain configured in more than one identity provider.

    2. Select whether you want to automatically provision users from that domain by clicking Yes or No.

      If you want to automatically provision users, you must also set the default user group in the Tanium Console. For more information, see Tanium Console User Guide: Set the default user group.

  7. In the You are now ready to test your IDP step, click Apply Changes.

    Click Test IDP to make sure that Tanium Cloud can successfully connect to your identity provider.
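Before you click Test IDP, it helps to confirm offline that the values from the steps above actually line up: that no login domain is claimed by two provider configurations, that the metadata you are about to upload declares an entityID and an SSO endpoint, and that a sample assertion from your identity provider carries the Audience URI/Entity ID and the emailaddress claim the CMP expects. The following script is an added example, not Tanium's code or part of this documentation; it uses only the Python standard library, and all of its sample metadata, the assertion fragment, the domain lists and the audience URI are constructed placeholders that you would replace with the values shown in your own CMP and identity provider. It checks configuration only and does not validate the XML signature.

```python
# Added example, not Tanium's code: offline sanity checks for the values the CMP
# setup asks you to line up before you click Test IDP. All sample data below is
# constructed; URLs, domains and the audience URI are placeholders.
import xml.etree.ElementTree as ET

# Claim name listed in the CMP's Identity Provider Attribute Setup step.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_unique_domains(providers):
    """Each login domain may belong to exactly one IdP configuration.
    providers: {config name: [domains]}. Returns {domain: config name} or raises."""
    owner = {}
    for name, domains in providers.items():
        for domain in domains:
            domain = domain.strip().lower()  # DNS names are case-insensitive
            if domain in owner:
                raise ValueError(f"domain {domain!r} is on both {owner[domain]!r} and {name!r}")
            owner[domain] = name
    return owner


def parse_idp_metadata(xml_text):
    """Extract entityID and SingleSignOnService endpoints from IdP metadata XML,
    the values the CMP reads when you supply a metadata URL or file."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"expected md:EntityDescriptor, got {root.tag}")
    sso = {ep.get("Binding"): ep.get("Location")
           for ep in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    if not sso:
        raise ValueError("metadata declares no SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"), "sso": sso}


def check_assertion(xml_text, expected_audience, domain_owner):
    """Check only what the CMP settings govern: Audience equals the SP Audience
    URI/Entity ID, the email claim is present, and its domain is assigned to an IdP.
    XML signature validation is deliberately out of scope; this is a config check,
    not a substitute for the service provider's own verification."""
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.iterfind(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: got {audiences}, expected {expected_audience!r}")
    email = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:  # exact string match on the claim name
            value = attr.find("saml:AttributeValue", NS)
            email = value.text.strip() if value is not None and value.text else None
    if not email or "@" not in email:
        raise ValueError(f"assertion carries no usable {EMAIL_CLAIM} claim")
    domain = email.rsplit("@", 1)[1].lower()
    if domain not in domain_owner:
        raise ValueError(f"login domain {domain!r} is not assigned to any identity provider")
    return {"email": email, "domain": domain, "provider": domain_owner[domain]}


# Constructed sample data (placeholders, not real tenant values).
SP_AUDIENCE = "https://sp.example.invalid/saml"
PROVIDERS = {"corp-idp": ["corp.example", "Corp.Example.Net"], "partner-idp": ["partner.example"]}

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.invalid/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@corp.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    owners = check_unique_domains(PROVIDERS)
    print(parse_idp_metadata(IDP_METADATA))
    print(check_assertion(ASSERTION, SP_AUDIENCE, owners))
```

Run it against a real assertion by pasting the decoded SAMLResponse body from your browser's developer tools in place of ASSERTION and your CMP's Audience URI/Entity ID in place of SP_AUDIENCE. A ValueError from check_unique_domains or check_assertion points at the same mistake the CMP would otherwise surface only as a failed Test IDP.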

Edit an existing identity provider configuration

To edit an existing configuration, you must sign in to the portal as a local user.

  1. From the Cloud Management Portal menu, click Administration.
  2. In the Identity Provider Settings section, click Edit next to the configuration that you want to update.
  3. Make any updates, click Apply Changes, and then click Test Login.

Delete an existing identity provider configuration

To delete an existing configuration, you must sign in to the portal as a local user.

  1. From the Cloud Management Portal menu, click Administration.
  2. In the Identity Provider Settings section, click Delete next to the configuration that you want to delete.

Deleting a configuration in the CMP does not remove the Tanium configuration from your third-party identity provider, but that identity provider can no longer be used to sign in to Tanium until you configure it in the CMP again. To use that identity provider again, repeat the steps in Configure your identity provider.