Security Assertion Markup Language (SAML) is a standard for exchanging authentication requests and responses between service providers (SPs) and identity providers (IdPs). It enables SPs to give users access to applications across security domains through a single sign-on (SSO) authentication service that the IdP provides. You can configure the Tanium Server as an SP to give users access to the Tanium Console through the following types of SAML SSO authentication.
- Tanium Server 7.2.314.3181 and later integrates with Okta as an IdP and supports IdP-initiated SSO. Users initiate the workflow by signing into the Okta SSO portal using their enterprise username and password. Okta then exchanges authentication messages with the SP and, if authentication succeeds, the user can click the tile for the application they want to access.
- Tanium Server 7.2.314.3476 and later integrates with any IdP, and supports both IdP-initiated and SP-initiated SSO. In an SP-initiated workflow, users try to access the application directly, at which point the SP redirects them to sign into the IdP first. The IdP then exchanges authentication messages with the SP and, if authentication succeeds, the user can then access the application.
The Tanium Server does not support user authorization (role-based access control) through SAML. To control the features, settings, and information that users are allowed to see and use after accessing the Tanium Console, configure user role permissions. For details, see RBAC overview.
Only users assigned the Administrator reserved role can see and use the Configuration pages, including the SAML configuration page.
- Work with the IdP administrator to identify which users must access the Tanium Console through the IdP. The IdP administrator is responsible for configuring authentication through an Active Directory or LDAP server and managing user access through the IdP. For information about setting up an application through an IdP, refer to your IdP documentation.
A Tanium administrator must create the Tanium Console users if they authenticate through a domain-joined Active Directory back end (see Create a user) or configure an LDAP Sync connector to import users (see Using LDAP).
- Work with the IdP administrator when rolling out changes in the URLs where Tanium Console users access the IdP SSO portal (IdP-initiated SSO only).
- Go to Configuration > Authentication > SAML and then Choose an IdP.
- In the Tanium URIs for <IdP> Configuration section, copy the Single sign on URL and Audience URI (SP entity ID) values and share them with the IdP administrator. The administrator needs this information to configure the IdP to support the Tanium Console application.
Before you perform the remaining steps, the IdP administrator must send you the IdP certificate that the Tanium Server will use to validate SAML messages received from the IdP service.
- In the <IdP> Configuration Information section, use the controls to upload the IdP certificate file. Later in this procedure, after you save all your configuration changes, this section displays the certificate name as a link, which you can click to open a popup containing the certificate contents.
- (Custom IdP only) Configure the following settings in the Custom IdP Settings section. All the settings are required except where otherwise noted. These settings refer to elements, attributes, and values in the XML-based SAML response messages that the IdP sends to the Tanium Server after users attempt to authenticate.
- (SP-initiated SSO only) In the Service Provider Initiated SSO section, select Enable SP-initiated SSO and configure the following required fields.
- Save your changes. The Tanium Server SAML SP service then starts.
An important benefit of SSO is that it minimizes the number of times that users must respond to a password prompt when accessing and using applications. If you previously configured the Tanium Server to display a password prompt whenever users make a configuration change, you can optionally change it to a Yes/Cancel prompt to simplify the user experience.
- Go to Configuration > Miscellaneous > Confirmation Prompt.
- Select Show a Yes/Cancel prompt.
- Save your changes.
Optionally, you can improve the security of SAML communications by digitally signing authentication requests from the Tanium Server and encrypting responses (assertions) from the IdP. The Tanium Server installation includes a utility for generating an RSA private key to sign the requests and a self-signed certificate that the IdP uses to encrypt the responses. Responses encrypted for this certificate use the AES-256-CBC cipher.
- Access the Tanium Server CLI and change directory (cd command) to the Tanium Server installation directory (such as D:\Program Files\Tanium\Tanium Server).
- Run the following command to create the certificate and private key.
For the <hostname>, specify the FQDN of the Tanium Server. In a high availability (HA) deployment, separate the hostnames with a comma (such as ts1.example.com,ts2.example.com). For the output (<out>), specify the certificate and key name (such as SAMLEncryption). The utility automatically appends the .crt and .key suffixes to the certificate and key filenames.
KeyUtility selfsign <hostname> <out>
The utility creates the certificate and key (such as SAMLEncryption.crt and SAMLEncryption.key) at the top level of the Tanium Server installation directory. As long as you keep the certificate and key there, the Tanium Server automatically uses the private key to sign SAML authentication requests and to decrypt IdP responses that were encrypted with the certificate.
Alternatively, you can add the SAMLEncryptionCertPath and SAMLEncryptionKeyPath settings on the Tanium Server to configure a different location for storing the certificate and key. For details, consult your Technical Account Manager (TAM).
Provide the certificate to the IdP. Work with your IdP administrator to configure the IdP to use the certificate for encrypting SAML responses, with RSA-OAEP-MGF1P (recommended) or RSA version 1.5 as the key transport algorithm.
If you ever need to disable SP-initiated SSO without accessing the Tanium Console, you can set the global setting console_saml_sp_enabled through the CLI.
- Access the Tanium Server CLI (for details, see Tanium Core Platform Deployment Guide for Windows: Tanium Server CLI).
- Go to the Tanium Server installation directory.
- Run the following command:
TaniumReceiver global-settings set console_saml_sp_enabled 0
Wait up to a minute for the change to apply, or restart the Tanium Server to apply the change immediately.
If you ever need to stop the Tanium Server from functioning as a SAML SP, you can stop the SP service by removing the IdP settings.
- Go to Configuration > Authentication > SAML.
- Set Choose an IdP to No Provider and save your changes.
Last updated: 2/6/2019 2:40 PM