Configuring identity providers and user provisioning in the CMP

Use the Tanium Cloud Management Portal (CMP) to help you configure your identity provider, manage your existing provider configurations, provision users through the SCIM protocol, and view your Tanium instance and entitlement details.

Sign in to the CMP

You can view your existing identity provider configurations or configure new identity providers in the CMP. The Get Started link to access the portal with temporary credentials is provided to you. You can also access the portal by using the following URL:

portal.<customerURL>.cloud.tanium.com

Your temporary credentials are set to expire in seven days. See Troubleshooting Tanium Cloud if your temporary credentials are no longer valid.

  1. Click Sign in with a local user to sign in to the portal with your temporary credentials.
  2. After you sign in for the first time, create a new password and click Next.
  3. Set up multi-factor authentication.
    1. Open any authentication app and scan the QR code.
    2. Enter the generated code and click Verify.

To configure, edit, or delete any identity provider configurations, you must sign in to the portal as a local user.

If your CMP session is idle for 15 minutes, you are automatically signed out and must sign in again.

Configure your identity provider

Configure an identity provider for Tanium Console users, and assign administrators for the CMP.

Click Get Started on the Cloud Management Home page, enter a name for the Identity Provider Name, and complete the configuration steps as follows.

Contact Tanium Support for additional help with configuring the identity provider settings for your organization.

Step 1: Configure identity provider settings

  1. In the Enter these settings into your IDP step, select either Auto Setup or, if your identity provider does not support uploading the metadata XML file, Manual Setup.

    If your identity provider supports uploading the metadata XML file, select the Auto Setup option for the best results. No manual editing is required, and the download includes the signing certificate for use with identity providers that require it.

  2. Apply the settings in your identity provider.

    • If you chose automatic setup, click Download Service Provider Metadata XML file to download the XML file, and then upload it to your identity provider.

    • If you chose manual setup, copy the SSO Url, Audience URI/Entity ID, Tanium Console Url, and Logout Url values and manually paste them into your identity provider configuration. For more information about which values to paste into your identity provider configuration, see Reference: Mapping CMP manual setup values with identity provider values. If your identity provider requires the signing certificate, click Download Certificate to obtain a copy of the certificate that you can upload to the identity provider.

      The IDP Documentation links in the CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Step 2: Configure the attribute for email addresses

In the Identity Provider Attribute Setup step, verify that you have a claim that is configured in your identity provider for the listed http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress claim name with a value of user.mail.

You can edit this value, but the value must match in both the Identity Provider Attribute Setup step of the CMP and your identity provider settings.

(Optional) Step 3: Configure administrative users for the CMP

Users with the Cloud Management Admin role have full write permission in the CMP.

  1. In the Cloud Management Portal Roles step, specify the Group Claim Attribute Name that your identity provider uses for group membership.

  2. In your identity provider, configure a group claim value that you want to use to assign users to the Cloud Management Admin role in the CMP.

  3. In the Security Group Role Mapping section, enter the group claim value you configured for Cloud Management Admin.

Each identity provider has unique instructions to set up and retrieve the group claim attribute name and value. For example, when you set up a group claim through Azure Active Directory, enter http://schemas.microsoft.com/ws/2008/06/identity/claims/groups for the Group Claim Attribute Name in the CMP, and then use the Object Id of the group in Azure as the Cloud Management Admin value in the CMP. Refer to the documentation for your identity provider for information about configuring group claims.

Step 4: Provide identity provider metadata

In the Identity Provider Metadata step, provide metadata using one of the following options.

  • Provide the metadata URL from your identity provider and click Test URL.
  • Click Upload file to upload the XML file that you downloaded from your identity provider.

Step 5: Configure Tanium Console and CMP access

In the Enable Authentication step, confirm whether you want to allow users from the identity provider access to the Tanium Console, the CMP, or both. You must leave at least one option selected.

Both options are selected by default. If you do not want users to have read-only access to the Cloud Management Portal, clear the Allow for Cloud Management Portal authentication option.

Step 6: Configure allowed domains

In the Specify Login Domain(s) step, add any domains that you want to allow access.

  1. Enter a domain and click Add domain.

    Each configured identity provider must be the authoritative source for one or more domains. You cannot have the same domain configured in more than one identity provider.

  2. Select whether you want to automatically provision users from that domain by clicking Yes or No.

    If you want to automatically provision users, you must also set the default user group in the Tanium Console. For more information, see Tanium Console User Guide: Set the default user group.
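Before you click Test IDP, it is worth confirming that a test assertion from your identity provider actually carries the claims that Steps 2, 3 and 6 depend on. The following check is an added example (not Tanium's code): it parses a SAML 2.0 assertion and verifies the email claim name, the allowed sign-in domain, and the Cloud Management Admin group claim. The group Object Id and the allowed domain are placeholders, and the assertion is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Claim names from the CMP setup steps.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Placeholder: the Azure group Object Id entered for Cloud Management Admin in the CMP.
ADMIN_GROUP_ID = "00000000-0000-0000-0000-000000000001"
# Placeholder: domains added in the Specify Login Domain(s) step for this identity provider.
ALLOWED_DOMAINS = {"example.com"}

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture) with both claims present.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-0000000000ab</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        out[attr.get("Name")] = vals
    return out


def check_assertion(assertion_xml: str) -> dict:
    """Report whether the assertion satisfies the CMP email, domain and admin-group settings."""
    attrs = attributes(assertion_xml)
    emails = attrs.get(EMAIL_CLAIM, [])
    result = {"email_claim_present": bool(emails), "email": None,
              "domain_allowed": False, "cmp_admin": False}
    if emails:
        result["email"] = emails[0]
        # Step 6: the user's domain must be one this identity provider is authoritative for.
        domain = emails[0].rsplit("@", 1)[-1].lower()
        result["domain_allowed"] = domain in ALLOWED_DOMAINS
    # Step 3: the configured group value must appear under the Group Claim Attribute Name.
    result["cmp_admin"] = ADMIN_GROUP_ID in attrs.get(GROUP_CLAIM, [])
    return result
```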

Step 7: Configure automatic sign-out

In the Enable IDP Logout step, select the checkbox if you want to automatically sign out of your identity provider when you sign out of Tanium Cloud.

Step 8: Apply settings and test

Make sure you have configured the necessary settings in your identity provider, and then in the You are now ready to test your IDP step, click Apply Changes. Click Test IDP to make sure that Tanium Cloud can successfully connect to your identity provider.

Edit an existing identity provider configuration

To edit an existing configuration, you must sign in to the portal as a local user.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions next to the configuration that you want to update, and then select Edit IDP Settings.

  3. Make any updates, click Apply Changes, and then click Test IDP.

Delete an existing identity provider configuration

To delete an existing configuration, you must sign in to the portal as a local user.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions next to the configuration that you want to delete, and then select Delete.

  3. Click Delete to confirm your action.

The CMP does not delete the Tanium configuration from your third-party identity provider, but that identity provider can no longer be used with Tanium after you delete it in the CMP. To use that identity provider again, you must configure it in the CMP again (see Configure your identity provider).

Configure SCIM provisioning

Configure SCIM (System for Cross-Domain Identity Management) if you want to automatically provision identity provider users and user groups into Tanium.

Tanium Cloud supports Microsoft Azure AD and Okta as SCIM providers. Contact Tanium Support if you require support for another SCIM provider.

You must copy the SCIM token to your identity provider within five minutes and before the page is refreshed. Otherwise, the token is hidden until you generate a new one by rotating the token.

Before you begin

Configure your identity provider.

Enable SCIM

Contact Tanium Support for additional help with configuring the identity provider settings for your organization. To contact Tanium Support, sign in to https://support.tanium.com.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions and then select Configure SCIM.

  3. Select Enable SCIM and wait for the configuration to complete.

  4. Click Copy to copy the Token and paste it into the identity provider settings for your organization.
  5. Click Copy to copy the SCIM API URL and paste it into the identity provider settings for your organization.

Rotate SCIM token

SCIM tokens expire after one year. If you received an email about a SCIM token that is about to expire, you can return to the SCIM configuration in CMP and rotate the token to preserve the connection between your identity provider and Tanium Cloud. These steps also invalidate the previous token.

You must copy the SCIM token to your identity provider within five minutes and before the page is refreshed. Otherwise, the token is hidden until you generate a new one by rotating the token.

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions and then select Configure SCIM.

  3. Click Rotate Token and then confirm your action.

  4. Click Copy to copy the new Token value and paste it into the identity provider settings for your organization.

Disable SCIM provisioning

  1. From the Cloud Management Portal menu, click Administration.

  2. In the Identity Provider Settings section, click Actions and then select Configure SCIM.

  3. Clear the Enable SCIM checkbox and then confirm your action.