Configuring Okta for Tanium Cloud
To use Okta as an identity provider for Tanium Cloud, you must first configure it.
The IDP Documentation links in the CMP are pre-populated with the values that you must enter in your identity provider settings. The screenshots are provided for example purposes only.
Create a SAML application and provide the metadata to Tanium
- In the Okta portal, click Admin to open the Okta Admin Console.
- From the Main menu, click Applications, and then click Create App Integration.
- Select SAML 2.0, and then click Next.
- Configure general settings.
- Enter a name, such as Tanium or Tanium Cloud.
- (Optional) Upload a logo.
- Verify that Do not display application icon to users and Do not display application icon in the Okta Mobile app are selected, and then click Next.
- In the GENERAL section, enter the following values from the Cloud Management Portal.
Single sign on URL: SSO Url
Audience URI (SP Entity ID): Audience URI/SP Entity ID
- In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the following values, and then click Next.
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Value: user.email
- In the Feedback section, select I'm an Okta customer adding an internal app, provide any additional responses, and click Finish.
- In the SAML Signing Certificates section of the Sign On tab of the application, select Actions > View IdP Metadata for the active SAML signing certificate, and copy the address from the address bar of the web browser to provide the metadata URL to Tanium.
You can provide the metadata URL in the Identity Provider Metadata step of the Cloud Management Portal identity provider configuration. You can also download the certificate and use the downloaded file with the Upload a Metadata File option to provide the Identity Provider Metadata; however, the preferred option is to enter the URL to this content. For more information, see Configure your identity provider.
Assign the application to users
From the Assignments tab of the application, click Assign to assign the application to any users that you want to have access to Tanium Cloud.
You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in the Cloud Management Portal. This user is the only user that is created in Tanium Cloud during the provisioning process. Additional users can be created in Tanium Cloud by this user or other delegated users.
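To confirm that the SAML application sends the values configured above, the following added example (not Tanium or Okta code) checks a base64 SAMLResponse, such as the form field captured in the browser developer tools during a test sign-in, for the expected Audience and the emailaddress attribute statement. The function names, the urn:example:tanium-sp audience, and the sample response are constructed placeholders; the check covers configuration only and does not verify the XML signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute statement name from the ATTRIBUTE STATEMENTS step on this page.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_saml_response(b64_response, expected_audience):
    """Return config problems in a base64 SAMLResponse (signature NOT verified)."""
    xml = base64.b64decode(b64_response)
    # Refuse DTDs so entity-expansion tricks never reach the parser.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        return ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(xml)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: response carries {audiences}")
    emails = [
        v.text.strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == EMAIL_CLAIM
        for v in attr.iterfind("saml:AttributeValue", NS)
        if v.text and v.text.strip()
    ]
    if not emails:
        problems.append("emailaddress attribute missing or empty")
    return problems


def build_sample(audience, attr_name):
    """Constructed, unsigned sample response (hypothetical values) for offline use."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
        "<saml:Conditions><saml:AudienceRestriction>"
        f"<saml:Audience>{audience}</saml:Audience>"
        "</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>"
        f'<saml:Attribute Name="{attr_name}">'
        "<saml:AttributeValue>admin@example.com</saml:AttributeValue>"
        "</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sp = "urn:example:tanium-sp"  # placeholder for the CMP Audience URI/SP Entity ID
    print(check_saml_response(build_sample(sp, EMAIL_CLAIM), sp))
```

An empty list means both settings match; pass the Audience URI/SP Entity ID value from the Cloud Management Portal as expected_audience.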
(Optional) Create a bookmark application for Tanium Cloud
Tanium Cloud uses Amazon Cognito user pools, which do not currently support identity provider initiated sign-on. To work around this limitation, you can create a Bookmark App. For more information, see Okta Documentation: Simulating an IdP-initiated Flow with the Bookmark App.
- From the Okta Admin Console, go to Shortcuts > Add Applications.
- Search for bookmark and then select Bookmark App in INTEGRATIONS.
- In the Bookmark App section, click Add.
- In the General Settings • Required section, enter the following values, and then click Done.
Application label: descriptive name such as Tanium or Tanium Cloud
URL: the Tanium Console Url from the Cloud Management Portal
- (Optional) Edit the template logo to provide a more appropriate logo. This application is visible to users.
- Click the Assignments tab to assign the bookmark app to any users that you want to have access to the bookmark app.
You must give access to the user that is listed as the Primary Tanium Cloud Admin Username in the Cloud Management Portal.
Use groups to assign access to Tanium Cloud and assign both the SAML integration application and the Bookmark App to that group to ensure that all users receive both applications.
Last updated: 3/28/2023 8:22 AM