Configuring your identity provider for Tanium Cloud

To use a supported identity provider with Tanium Cloud, you must first configure it.

Configuring Entra ID for Tanium Cloud

Microsoft Entra ID was previously known as Microsoft Azure Active Directory or Microsoft Azure AD.

The IDP Documentation links in CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. From the Azure Services section of the Azure Management Portal (https://portal.azure.com), click Azure Active Directory or Entra ID.
  2. In the Create section, click + Add and then click Enterprise application.
  3. In the Browse Entra ID Gallery (Preview) section, click Create your own application.
  4. In the Create your own application section, enter a name, such as Tanium or Tanium Cloud, for the new application, select Integrate any other application you don't find in the gallery, and then click Create.
  5. In the Getting Started section, click Set up single sign on and then click SAML.
    1. In the Basic SAML Configuration section, click Edit, and then enter the following values from Cloud Management Portal.

      Identifier (Entity ID): Audience URI/SP Entity ID
      Reply URL (Assertion Consumer Service URL): SSO Url
      Sign on URL: Tanium Console Url
      Logout Url: Logout Url

    2. Leave the Relay State field blank, and then click Save.
    3. To dismiss the Save single sign-on configuration success prompt, click X, and then click X to close the Basic SAML Configuration section.
    4. When prompted to test single sign-on, click No, I'll test later.
  6. In the Attributes & Claims section, click Edit.
    1. Verify that the value for Unique User Identifier (Name ID) is user.userprincipalname.
    2. Verify that the value for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress is user.mail.
    3. If either value is incorrect, correct it and then click X to close the User Attributes & Claims section.
  7. In the SAML Certificates > Token signing certificate section, copy the App Federation Metadata Url to provide to Tanium.

    You can provide the metadata URL in the Identity Provider Metadata step of the Cloud Management Portal identity provider configuration. You can download the certificate and use the downloaded file with the Upload a Metadata File option to provide the Identity Provider Metadata; however, the preferred option is to enter the URL to this content. For more information, see Configure your identity provider.

  8. (Optional) From the navigation menu, click Manage > Properties, upload a logo for the application, and then click Save.
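An added diagnostic, not Tanium or Microsoft code, that checks a captured SAML Response for the subject and claim verified in step 6 above (the NameID and the emailaddress claim that every identity provider section on this page configures the same way); the sample response is constructed and unsigned, and signature checking is out of scope:

```python
"""Inspect a SAML Response for the claim contract Tanium Cloud expects:
a NameID carrying the user's e-mail/UPN and an attribute named
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.

Added example (not Tanium or identity-provider code). When the CMP Test IDP
step fails, capture the SAMLResponse form field with a browser SAML tracer,
base64-decode it and pass the XML to check_claims(). Only the subject and
attributes are inspected; the signature is not verified here.
"""
import xml.etree.ElementTree as ET

EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}


def check_claims(response_xml: str) -> dict:
    """Return the NameID, its Format, the e-mail claim and a list of findings.
    An empty findings list means the assertion matches the expected contract."""
    root = ET.fromstring(response_xml)
    findings = []

    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    nid_value = (name_id.text or "").strip() if name_id is not None else ""
    nid_format = name_id.get("Format", "") if name_id is not None else ""
    if not nid_value:
        findings.append("NameID is missing or empty")
    elif "@" not in nid_value:
        findings.append(f"NameID {nid_value!r} does not look like an e-mail/UPN")

    # Collect every value of the e-mail attribute; the Name must match exactly.
    emails = [
        (val.text or "").strip()
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == EMAIL_CLAIM
        for val in attr.findall("saml:AttributeValue", NS)
    ]
    if not emails:
        findings.append(f"attribute {EMAIL_CLAIM} is missing")
    elif len(emails) > 1:
        findings.append("e-mail attribute has more than one value")
    elif nid_value and emails[0].lower() != nid_value.lower():
        findings.append("e-mail attribute does not match the NameID")

    return {"name_id": nid_value, "name_id_format": nid_format,
            "email": emails[0] if emails else None, "findings": findings}


def sample_response(name_id, attr_name, attr_value):
    """Constructed, unsigned SAML Response used only to exercise check_claims()."""
    attribute = "" if attr_name is None else (
        f'<saml:Attribute Name="{attr_name}">'
        f'<saml:AttributeValue>{attr_value}</saml:AttributeValue></saml:Attribute>')
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">{name_id}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>{attribute}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    good = check_claims(sample_response("jane@corp.example", EMAIL_CLAIM, "jane@corp.example"))
    bad = check_claims(sample_response("jane@corp.example", "mail", "jane@corp.example"))
    print("expected contract:", good["findings"])   # [] when everything is present
    print("wrong claim name:", bad["findings"])
```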

Assign the enterprise application to users

From the navigation menu, click Manage > Users and groups, and then click Add user to assign the enterprise application to any users that you want to have access to Tanium Cloud.

You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in Cloud Management Portal. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.

Configuring Okta for Tanium Cloud

The IDP Documentation links in CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. In the Okta portal, click Admin to open the Okta Admin Console.
  2. From the Main menu, click Applications, and then click Create App Integration.
  3. Select SAML 2.0, and then click Next.
  4. Configure general settings.
    1. Enter a name, such as Tanium or Tanium Cloud.
    2. (Optional) Upload a logo.
    3. Verify that Do not display application icon to users and Do not display application icon in the Okta Mobile app are selected and then click Next.
    4. In the GENERAL section, enter the following values from Cloud Management Portal.

      Single sign on URL: SSO Url
      Audience URI (SP Entity ID): Audience URI/SP Entity ID

    5. In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the following values, and then click Next.

      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      Value: user.email

    6. In the Feedback section, select I'm an Okta customer adding an internal app, provide any additional responses, and click Finish.
  5. In the SAML Signing Certificates section of the Sign On tab of the application, select Actions > View IdP Metadata for the active SAML signing certificate, and copy the address from the address bar of the web browser to provide the metadata URL to Tanium.

    You can provide the metadata URL in the Identity Provider Metadata step of the Cloud Management Portal identity provider configuration. You can download the certificate and use the downloaded file with the Upload a Metadata File option to provide the Identity Provider Metadata; however, the preferred option is to enter the URL to this content. For more information, see Configure your identity provider.

Assign the application to users

From the Assignments tab of the application, click Assign to assign the application to any users that you want to have access to Tanium Cloud.

You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in Cloud Management Portal. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.

(Optional) Create a bookmark application for Tanium Cloud

Tanium Cloud uses Amazon Cognito user pools, which do not currently support identity provider initiated sign-on. To work around this limitation, you can create a Bookmark App. For more information, see Okta Documentation: Simulating an IdP-initiated Flow with the Bookmark App.

  1. From the Okta Admin Console, go to Shortcuts > Add Applications.
  2. Search for bookmark and then select Bookmark App in INTEGRATIONS.
  3. In the Bookmark App section, click Add.
  4. In the General Settings • Required section, enter the following values, and then click Done.

    Application label: descriptive name such as Tanium or Tanium Cloud
    URL: the Tanium Console Url from Cloud Management Portal

  5. (Optional) Edit the template logo to provide a more appropriate logo. This application is visible to users.
  6. Click the Assignments tab to assign the bookmark app to any users that you want to have access to the bookmark app.

    You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in Cloud Management Portal.

Use groups to assign access to Tanium Cloud and assign both the SAML integration application and the Bookmark App to that group to ensure that all users receive both applications.

Configuring AD FS for Tanium Cloud

The IDP Documentation links in CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. From the AD FS Management Console, go to Actions > AD FS > Add Relying Party Trust....
    1. In the Welcome step, select Claims aware and then click Start.
    2. In the Select Data Source step, select Enter data about the relying party manually and then click Next.
    3. In the Specify Display Name step, enter a name, such as Tanium or Tanium Cloud, and then click Next.
    4. In the Configure Certificate step, click Next. A service-provider certificate is not required for Tanium Cloud.
    5. In the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol, enter the SSO Url value from CMP, and then click Next.
    6. In the Configure Identifiers step, enter the Audience URI/SP Entity ID value from CMP, click Add, and then click Next.
    7. In the Choose Access Control step, select an appropriate access control policy for your organization, and then click Next.

      You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in Cloud Management Portal. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.

    8. In the Ready to Add Trust step, click Next.
    9. In the Finish step, verify that Configure claims issuance policy for this application is selected, and then click Close.
    10. If the Edit Claim Issuance Policy for <applicationDisplayName> window does not appear automatically, right-click Relying Party Trust for <applicationDisplayName>, and then click Edit Claim Issuance Policy....

  2. In the Edit Claim Issuance Policy for <applicationDisplayName> window, click Add Rule... to create the rule to send the e-mail addresses from AD to Tanium Cloud in both the e-mail address and NameID attributes.
    1. Enter a Claim rule name, such as Send E-mail Addresses.
    2. From the Attribute store drop-down menu, select Active Directory.
    3. In the first row of Mapping of LDAP attributes to outgoing claim types, select User-Principal-Name for the LDAP Attribute column and E-Mail Address for the Outgoing Claim Type column.
    4. In the second row of Mapping of LDAP attributes to outgoing claim types, select User-Principal-Name for the LDAP Attribute column and Name ID for the Outgoing Claim Type column.
    5. Click OK to save the rule and close the window.
    6. Click OK to save the claim issuance policy and close the window.
  3. Replace <yourADFSServer> in the following URL with your AD FS server/farm name and then provide the XML file to Tanium.
    https://<yourADFSServer>/FederationMetadata/2007-06/FederationMetadata.xml

Amazon Cognito, which is used for identity federation with Tanium Cloud, does not support IDP-initiated SSO. To sign in to Tanium Cloud, you must first access your Tanium Cloud Console URL from Cloud Management Portal. You cannot sign in from the AD FS IDP Initiated SSO page.

Configure CMP to allow UPN suffixes

To allow sign-ins from AD FS, you must add the UPN suffixes of users and user groups to CMP.

  1. Retrieve the UPN suffixes from the AD FS Management Console.
    1. From the AD FS Management Console, go to Active Directory Domains and Trusts.
    2. Right-click Active Directory Domains and Trusts <FQDC> and select Properties.
    3. From the UPN Suffixes tab, note the suffixes to add to CMP.
  2. Add the UPN suffixes to CMP.
    1. Sign in to CMP. For information, see Sign in to CMP for the first time.
    2. From the Cloud Management Home page, click Update Settings.
    3. In the Identity Provider Settings section, find the row for the AD FS identity provider. Click Options and select Edit IDP Settings.
    4. Navigate to the Specify Login Domain(s) step. For each UPN suffix, perform the following steps:
      1. Enter the UPN suffix and click Add domain.

        Each configured identity provider must be the authoritative source for one or more domains. You cannot have the same domain configured in more than one identity provider.

      2. Set Auto-Provision Users to No.
    5. In the You are now ready to test your IDP step, click Apply Changes.

      Click Test IDP to make sure that Tanium Cloud can successfully connect to your identity provider.

    6. When finished, click Close.

Configuring Oracle Identity Cloud Service for Tanium Cloud

The IDP Documentation links in CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. From the Oracle Identity Cloud Service Admin Console Dashboard, click Applications and then click + Add.
  2. In the Add Application section, click SAML Application.
  3. Configure the Details step.
    1. In the App Details section, enter a name, such as Tanium or Tanium Cloud, for the new application, and upload an optional application icon.

    2. In the Display Settings section, verify that Display in My Apps is cleared, and then click Next.

      Amazon Cognito, which is used for identity federation with Tanium Cloud, does not support IDP-initiated SSO. To sign in to Tanium Cloud, you must first access your Tanium Cloud Console URL from CMP.

  4. Configure the SSO Configuration step.
    1. In the General section, enter the following values from CMP.

      Entity ID: Audience URI/SP Entity ID
      Assertion Consumer URL: SSO Url
      NameID Format: Email address
      NameID Value: Primary Email

    2. In the Advanced Settings section, select Enable Single Logout, and then configure the following settings.

      Logout binding: Redirect
      Single Logout URL: Logout Url
      Logout Response URL: Logout Url

    3. In the Attribute Configuration section, click + to add the following attribute.

      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      Value: Primary E-mail Address

    4. Click Download Identity Provider Metadata and then provide the downloaded file to Tanium.

      You can upload the metadata file in the Identity Provider Metadata step of the CMP identity provider configuration. For more information, see Configure your identity provider.

    5. Click Finish.

Assign the enterprise application to users

From the application view, click Activate to assign the enterprise application to any users that you want to have access to Tanium Cloud.

You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in CMP. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.

Configuring PingFederate for Tanium Cloud

Create a SAML application

  1. Sign in to PingFederate and go to the admin console.
  2. From the MAIN menu, click Identity Provider and then click Create New in the SP CONNECTIONS section.
  3. In the Connection Type tab, select BROWSER SSO PROFILES and then click Next.
  4. In the Connection Options tab, select BROWSER SSO and then click Next.
  5. In the Import Metadata tab, select NONE and then click Next.
  6. In the Metadata Summary tab, click Next.
  7. In the General Info tab, click Next.
  8. In the Browser SSO tab, click Configure Browser SSO.

Configure Browser SSO

  1. In the SAML Profiles tab, select IDP-INITIATED SSO and SP-INITIATED SSO for both Single Sign-On (SSO) Profiles and Single Logout (SLO) Profiles, and then click Next.
  2. In the Assertion Lifetime tab, click Next.
  3. In the Assertion Creation tab, click Configure Assertion Creation.
    1. In the Identity Mapping tab, select STANDARD and then click Next.
    2. In the Attribute Contract tab, configure the following values and then click Next.

      SAML_SUBJECT: Select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the Subject Name Format drop-down list.
      Extend the Contract: Enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the text field, select urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified, and then click Add.

    3. In the Authentication Source Mapping tab, click Map New Adapter Instance.
      1. In the Adapter Instance tab, select an existing adapter that includes the user's e-mail address and then click Next.
      2. In the Mapping Method tab, select USE ONLY THE ADAPTER CONTRACT VALUES IN THE SAML ASSERTION and then click Next.
      3. In the Attribute Contract Fulfillment tab, select email from the Value drop-down list for both SAML_SUBJECT and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress that you previously added, and then click Next.
      4. In the Issuance Criteria tab, configure any criteria and then click Next.
      5. In the Summary tab, click Done.
    4. In the Authentication Source Mapping tab, click Next.
    5. In the Summary tab, click Done.
    6. In the Assertion Creation tab, click Next.
  4. In the Protocol Settings tab, click Configure Protocol Settings.
    1. In the Assertion Consumer Service URL tab, verify that the Endpoint URL ending in /saml2/idpresponse is present and then click Next.
    2. In the SLO Service URLs tab, verify that the Endpoint URL ending in /saml2/logout is present and then click Next.
    3. In the Allowable SAML Bindings tab, verify that only POST and REDIRECT are selected, and then click Next.
    4. In the Signature Policy tab, verify that only ALWAYS SIGN ASSERTION is selected and then click Next.
    5. In the Encryption Policy tab, verify that NONE is selected and then click Next.
    6. In the Summary tab, click Done.
    7. In the Protocol Settings tab, click Next.
  5. In the Summary tab, click Done.
  6. In the Browser SSO tab, click Next.
  7. In the Credentials tab, click Configure Credentials.

Configure Credentials

  1. In the Digital Signature Settings tab, select the appropriate signing certificate, confirm that RSA SHA256 is selected as the signing algorithm, and then click Next.
  2. In the Signature Verification Settings tab, click Manage Signature Verification Settings.
    1. In the Trust Model tab, verify that UNANCHORED is selected and then click Next.
    2. In the Signature Verification Certificate tab, select the appropriate certificate and then click Next.

      If a certificate is not present in the drop-down list, extract it from the metadata, add the PEM header and footer, and import it manually.

    3. In the Summary tab, click Done.
    4. In the Signature Verification Settings tab, click Next.
  3. In the Summary tab, click Done.
  4. In the Credentials tab, click Next.
  5. In the Activation & Summary tab, click Save.
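The manual fallback in the Signature Verification Certificate step above (extract the certificate from the metadata and add the PEM header and footer), as an added Python example that is not Tanium's or PingFederate's code; it works on either IdP or SP metadata, and the sample metadata and its certificate bytes below are constructed placeholders, not a real X.509 certificate:

```python
"""Pull the signing certificate(s) out of SAML 2.0 metadata and emit them as
PEM, ready to import where a product does not list the certificate itself.
Added example, not Tanium or PingFederate code.
"""
import base64
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Placeholder bytes so the sample parses; a real value is a base64-encoded DER cert.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"not a real certificate " * 8).decode()

# Constructed sample: one signing key (wanted) and one encryption-only key (skipped).
# The base64 is deliberately split across lines, as real metadata often is.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {PLACEHOLDER_CERT_B64[:100]}
        {PLACEHOLDER_CERT_B64[100:]}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_signing_certs(metadata_xml: str) -> list:
    """Return one PEM string per certificate usable for signing.
    A KeyDescriptor without a "use" attribute may serve both purposes and is
    included; use="encryption" is skipped. Malformed base64 raises ValueError."""
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            # Strip the whitespace/newlines metadata tools insert into the base64.
            b64 = "".join((cert.text or "").split())
            base64.b64decode(b64, validate=True)  # fail loudly on garbage input
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # PEM uses 64 columns
            pems.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                        + "\n-----END CERTIFICATE-----\n")
    return pems


if __name__ == "__main__":
    # Usage: python extract_cert.py metadata.xml   (no argument: run on the sample)
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for pem in extract_signing_certs(xml_text):
        print(pem, end="")
```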

Configuring Google Cloud Identity for Tanium Cloud

The IDP Documentation links in CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. From the Google Admin Console (https://admin.google.com/), click Apps.
  2. Click SAML Apps and then click + to add a new app.
  3. In the Basic Information for your Custom App step, enter a name, such as Tanium or Tanium Cloud, for the new application, optionally upload a logo, and then click Next.
  4. In the Enable SSO for SAML Application step, click SETUP MY OWN CUSTOM APP.
    1. In the Google IdP Information step, click DOWNLOAD in the Option 2 section, provide the downloaded file to Tanium, and then click Next.
      You can upload the metadata file in the Identity Provider Metadata step of the CMP identity provider configuration. For more information, see Configure your identity provider.

    2. In the Service Provider Details step, enter the following values from CMP and then click Next.

      ACS URL: SSO Url
      Entity ID: Audience URI/SP Entity ID
      Start URL: Tanium Console Url

    3. In the Attribute Mapping step, enter the following values and then click Finish.

      Enter the application attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      Select category: Basic Information
      Select user field: Primary Email

Assign the enterprise application to users

  1. In the User access section of Service Status, click the expander icon to assign the enterprise application to any users that you want to have access to Tanium Cloud.
  2. Configure an appropriate user access policy for Tanium for your organization.

    You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in CMP. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.

Configuring Salesforce for Tanium Cloud

The IDP Documentation links in CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.

Create a SAML application and provide the metadata to Tanium

  1. Sign in to Salesforce and click Setup.
  2. In the Quick Find text box, enter Identity Provider.
  3. In the Identity Provider Setup section, click Download Metadata and then provide the downloaded file to Tanium.

    You can upload the metadata file in the Identity Provider Metadata step of the CMP identity provider configuration. For more information, see Configure your identity provider.

  4. In the Service Providers section, click Service Providers are now created via Connected Apps. Click here.
  5. In the Basic Information section, enter the required fields.
  6. In the Web App Settings section, select Enable SAML, enter the following values from Cloud Management Portal, and then click Save.

    Start URL: Tanium Console Url
    Entity Id: Audience URI/SP Entity ID
    ACS URL: SSO Url
    Subject Type: select Username
    Name ID Format: select urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    IdP Certificate: select the certificate that corresponds to the previously downloaded metadata file

  7. In the Custom Attributes section, click New, enter the following values and then click Save.

    Attribute key: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Attribute value: $User.Username

Assign the enterprise application to users

  1. From the navigation menu, click Manage > Edit Policies.
  2. In the Profiles section, click Manage Profiles.
  3. Select the user profiles to assign the enterprise application to any users that you want to have access to Tanium Cloud.

    You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in CMP. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.