Configuring AD FS for TaaS

To use Active Directory Federation Services (AD FS) as an identity provider for TaaS, you must first configure it. For more information about configuring AD FS, see How do I set up AD FS as a SAML identity provider with an Amazon Cognito user pool?

Create a SAML application and provide the metadata to Tanium

  1. From the AD FS Management Console, go to Actions > AD FS > Add Relying Party Trust....
    1. In the Welcome step, select Claims aware and then click Start.
    2. In the Select Data Source step, select Enter data about the relying party manually and then click Next.
    3. In the Specify Display Name step, enter a name, such as Tanium or TaaS, and then click Next.
    4. In the Configure Certificate step, click Next. A service-provider certificate is not required for TaaS.
    5. In the Configure URL step, select Enable support for the SAML 2.0 WebSSO protocol, enter the SSO URL value from your welcome e-mail from Tanium, and then click Next.
    6. In the Configure Identifiers step, enter the Audience URI (SP Entity ID) value from your welcome e-mail from Tanium, click Add, and then click Next.
    7. In the Choose Access Control step, select an appropriate access control policy for your organization, and then click Next.

      You must give access to the user that is listed as the Primary TaaS Admin Username in your welcome e-mail from Tanium. This user is the only user that is created in TaaS during the provisioning process. Additional users can be created in TaaS by this user or other delegated users.

    8. In the Ready to Add Trust step, click Next.
    9. In the Finish step, verify that Configure claims issuance policy for this application is selected, and then click Close.
    10. If the Edit Claim Issuance Policy for <applicationDisplayName> window does not appear automatically, right-click Relying Party Trust for <applicationDisplayName>, and then click Edit Claim Issuance Policy....

  2. In the Edit Claim Issuance Policy for <applicationDisplayName> window, click Add Rule... to create the rule to send the e-mail addresses from AD to TaaS in both the e-mail address and NameID attributes.
    1. Enter a Claim rule name, such as Send E-mail Addresses.
    2. From the Attribute store drop-down menu, select Active Directory.
    3. In the first row of Mapping of LDAP attributes to outgoing claim types, select E-Mail-Addresses for the LDAP Attribute column and E-Mail Address for the Outgoing Claim Type column.
    4. In the second row of Mapping of LDAP attributes to outgoing claim types, select E-Mail-Addresses for the LDAP Attribute column and Name ID for the Outgoing Claim Type column.
    5. Click OK to save the rule and close the window.
    6. Click OK to save the claim issuance policy and close the window.
  3. Replace <yourADFSServer> in the following URL with your AD FS server/farm name and then provide the XML file to Tanium.
    https://<yourADFSServer>/FederationMetadata/2007-06/FederationMetadata.xml

Amazon Cognito, which is used for identity federation with TaaS, does not support IdP-initiated SSO. To sign into TaaS, you must first access your TaaS Console URL from your welcome e-mail from Tanium. You cannot sign in from the AD FS IdP Initiated SSO page.