Configuring Azure AD for TaaS

To use Azure Active Directory (AD) as an identity provider for TaaS, you must first configure it. For more information about configuring Azure AD, see How to add Azure AD as AWS Cognito Federated Identity Provider.

Create a SAML application and provide the metadata to Tanium

  1. From the Azure Services section of the Azure Management Portal (https://portal.azure.com), click Azure Active Directory.
  2. In the Create section, click + Add and then click Enterprise application.
  3. In the Browse Azure AD Gallery (Preview) section, click Create your own application.
  4. In the Create your own application section, enter a name, such as Tanium or TaaS, for the new application, select Integrate any other application you don't find in the gallery, and then click Create.
  5. In the Getting Started section, click Set up single sign on and then click SAML.
    1. In the Basic SAML Configuration section, click Edit, and then enter the following values, each copied from the Cloud Management Portal (Azure AD field: Cloud Management Portal value):

      Identifier (Entity ID): Audience URI (SP Entity ID)
      Reply URL (Assertion Consumer Service URL): SSO URL
      Sign on URL: TaaS Console URL
      Logout Url: Sign out URL

    2. Leave the Relay State field blank, and then click Save.
    3. To dismiss the Save single sign-on configuration success prompt, click X, and then click X to close the Basic SAML Configuration section.
    4. When you are prompted to test single sign-on, click No, I'll test later.
  6. In the User Attributes & Claims section, click Edit.
    1. Verify that the value for Unique User Identifier (Name ID) is user.userprincipalname.
    2. Verify that the value for http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress is user.mail.
    3. If either value is incorrect, correct it, and then click X to close the User Attributes & Claims section.
  7. In the SAML Signing Certificate section, copy the App Federation Metadata Url to provide to Tanium.

    You can provide the metadata URL in the Identity Provider Metadata step of the Cloud Management Portal identity provider configuration. For more information, see Configure your identity provider.

  8. (Optional) From the navigation menu, click Manage > Properties, upload a logo for the application, and then click Save.
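Before handing the App Federation Metadata Url to Tanium, it is worth confirming that the metadata actually describes an identity provider with a published signing certificate and an SSO endpoint, and that a test assertion carries the NameID and emailaddress claim the steps above ask you to verify. The script below is an added example, not Tanium or Microsoft code. It runs offline against a metadata document and an assertion constructed inline; the tenant ID, endpoint URLs and certificate body are placeholders, the `sts.windows.net/<tenant>/` entityID shape is an assumption about Azure AD metadata, and the stdlib `xml.etree` parser is used only because the input is constructed (use `defusedxml` for XML you did not write).

```python
"""Sanity checks for an Azure AD SAML setup before providing metadata to Tanium.

Added example (not Tanium or Microsoft code). Parses an IdP federation metadata
document and a SAML assertion, both constructed inline, and checks the points
the procedure asks you to verify: a signing certificate is published, an SSO
endpoint exists, the NameID looks like a UPN, and the emailaddress claim exists.
"""
import re
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for real XML

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: tenant ID, URLs and certificate body are placeholders.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>MIIC-PLACEHOLDER-BASE64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample assertion with the claim mapping the procedure expects.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{SAML}" ID="_constructed" Version="2.0">
  <Subject><NameID>jdoe@example.com</NameID></Subject>
  <AttributeStatement>
    <Attribute Name="{EMAIL_CLAIM}"><AttributeValue>jdoe@example.com</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""


def parse_idp_metadata(xml_text):
    """Extract entityID, signing certificates and SSO endpoints (keyed by binding)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")
    certs = []
    for kd in idp.iterfind(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [c.text.strip() for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text]
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.iterfind(f"{{{MD}}}SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def metadata_problems(md):
    """Return a list of reasons the metadata is not ready to hand to the service provider."""
    problems = []
    if not md["entity_id"]:
        problems.append("entityID missing")
    if not md["signing_certs"]:
        problems.append("no signing certificate published; assertions cannot be verified")
    if not ({"HTTP-Redirect", "HTTP-POST"} & set(md["sso"])):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    return problems


def check_assertion_claims(xml_text):
    """Verify NameID is UPN-shaped and the emailaddress claim is present."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if not name_id or not re.fullmatch(r"[^@\s]+@[^@\s]+", name_id):
        problems.append("NameID missing or not UPN-shaped (expected user.userprincipalname)")
    email = None
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == EMAIL_CLAIM:
            email = attr.findtext(f"{{{SAML}}}AttributeValue")
    if not email:
        problems.append(f"missing {EMAIL_CLAIM} claim (expected user.mail)")
    return {"name_id": name_id, "email": email, "problems": problems}


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", md["entity_id"])
    print("SSO endpoints:", md["sso"])
    print("metadata problems:", metadata_problems(md) or "none")
    print("assertion check:", check_assertion_claims(SAMPLE_ASSERTION))
```

To run this against a real tenant, fetch the App Federation Metadata Url over HTTPS and pass the body to `parse_idp_metadata`; the entityID it reports must match the issuer Tanium will see in assertions, and an empty `signing_certs` list means the metadata should not be provided until the signing certificate is published.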

Assign the enterprise application to users

From the navigation menu, click Manage > Users and groups, and then click Add user to assign the enterprise application to each user who needs access to TaaS.

You must give access to the user listed as the Primary TaaS Admin Username in the Cloud Management Portal. This is the only user created in TaaS during the provisioning process; that user, or other delegated users, can then create additional users in TaaS.