Using SAML

The Security Assertion Markup Language (SAML) is a standard for exchanging authentication requests and responses.

Tanium Server 7.2.314.3181 and later support user authentication via a web browser using SAML 2.0 IdP-initiated SSO for Okta. SAML authorization decision statements and SAML attribute statements are not supported.

In an identity provider initiated workflow, users log in to the Okta SSO portal using their enterprise user name and password, and then click the application tile to access the application. Authentication messages are exchanged between the Okta identity service and the application, and if authentication is successful, the application creates a session.

Figure 1: Okta SSO portal

The Okta administrator is responsible for configuring authentication against a back-end Active Directory or LDAP server and managing user access to the Okta SSO portal.

For information about setting up a SAML application in Okta, refer to the Okta documentation.

A Tanium administrator must create the Tanium Console users (in the case of a domain-joined Active Directory back end) or configure an LDAP Sync connector to import users. When Okta is set up, it is used for the authentication messages.

Tanium Server 7.2.314.3181 supports integration with Okta. Talk to your technical account manager (TAM) about support for other SAML identity providers.

Role requirements

Only users assigned the Administrator reserved role can see and use the Configuration pages, including the SAML configuration page.

Before you begin

  • Work with the Okta administrator to identify the users that should be given access to the Tanium Console through the Okta SSO portal.
  • Plan to work with the Okta administrator to roll out changes to access URLs to Tanium Console users.

Step 1: Share the SAML SP details

The Tanium Console automatically displays the SAML details the Okta administrator needs to know to configure Okta to support the Tanium application.

  1. Go to Configuration > Authentication > SAML.
  2. Under Tanium URIs for Okta Configuration, copy the SSO URL and SP entity ID.
  3. Share this information with the Okta administrator.

Step 2: Upload the Okta certificate

After the Tanium Console application has been added to the enterprise Okta SSO portal, the Okta administrator will send you a certificate that the Tanium Server uses to validate SAML messages received from the Okta identity provider service.

  1. Go to Configuration > Authentication > SAML.
  2. Under Okta Configuration Information, use the controls to select and upload the Okta certificate file.

The Tanium Server SAML SP service is started after the Okta certificate has been uploaded.
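As an added example (not Tanium's or Okta's code), these are the service-provider checks that tie together the values from Step 1 and Step 2: the assertion's signer is pinned to the uploaded Okta certificate by fingerprint, and the audience, recipient and validity window are checked against the SP entity ID and SSO URL that were shared with the Okta administrator. Cryptographic verification of the XML signature itself is assumed to be done by an XML-DSig library beforehand and is not shown; the entity ID, SSO URL, certificate bytes and assertion are all constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the Okta certificate uploaded in Step 2 (not a real certificate).
UPLOADED_OKTA_CERT_DER = b"constructed-okta-idp-certificate-der-bytes"
PINNED_FINGERPRINT = hashlib.sha256(UPLOADED_OKTA_CERT_DER).hexdigest()

# Constructed IdP-initiated assertion. There is no InResponseTo in this flow, so the
# signer, validity window, audience and recipient checks below carry the weight.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_a1">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{base64.b64encode(UPLOADED_OKTA_CERT_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:SubjectConfirmation>
    <saml:SubjectConfirmationData Recipient="https://tanium.example/saml/sso" NotOnOrAfter="2018-08-17T15:40:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2018-08-17T15:30:00Z" NotOnOrAfter="2018-08-17T15:40:00Z">
    <saml:AudienceRestriction><saml:Audience>https://tanium.example/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(s):
    # SAML timestamps are UTC xs:dateTime values; the whole-second form is assumed here.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, sp_entity_id, sso_url, pinned_fp, now):
    """Return (ok, reason). Assumes an XML-DSig library has already verified the
    signature over the assertion; these are the SP-side checks that follow."""
    a = ET.fromstring(xml_text)
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        return False, "unsigned assertion"
    # The signer must be exactly the certificate the Tanium administrator uploaded.
    if hashlib.sha256(base64.b64decode(cert.text.strip())).hexdigest() != pinned_fp:
        return False, "signer is not the uploaded Okta certificate"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text.strip() != sp_entity_id:
        return False, "audience is not this SP entity ID"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sso_url:
        return False, "recipient is not this SP's SSO URL"
    return True, "ok"
```

Rotating the Okta certificate means updating the pinned fingerprint: an assertion signed by any other certificate, even a valid one from the same IdP, is rejected until the new certificate is uploaded.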

Turn off the Tanium Server SAML SP service

The Tanium Server SAML SP service is stopped after the Okta certificate has been deleted.

  1. Go to Configuration > Authentication > SAML.
  2. Under Okta Configuration Information, use the controls to delete the Okta certificate file.

Last updated: 8/17/2018 3:33 PM