Configuring Okta for TaaS

To use Okta as an identity provider for TaaS, you must first configure it. For more information about configuring Okta, see How do I set up Okta as a SAML identity provider in an Amazon Cognito user pool?

Create a SAML application and provide the metadata to Tanium

  1. Open the Okta Developer Console.
  2. From the Developer Console drop-down menu, click Classic UI to open the Admin Console.

    You must use the Classic UI to create a SAML application.

  3. From the Main menu, click Applications, and then click Create New App.
  4. Confirm that the following fields are set correctly, and then click Create.

    Platform: Web
    Sign on method: SAML 2.0

  5. Configure general settings.
    1. Enter a name, such as Tanium or TaaS.
    2. (Optional) Upload a logo.
    3. Verify that Do not display application icon to users and Do not display application icon in the Okta Mobile app are selected and then click Next.
    4. In the GENERAL section, enter the following values from your welcome e-mail from Tanium.

      Single sign on URL: SSO URL
      Audience URI (SP Entity ID): Audience URI (SP Entity ID)

    5. In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the following values, and then click Next.

      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      Value: user.email

    6. In the Feedback section, select I'm an Okta customer adding an internal app, provide any additional responses, and click Finish.
  6. In the SIGN ON METHODS section of the Sign On tab of the application, click Identity Provider metadata, and then provide the downloaded file to Tanium.

    You can also right-click Identity Provider metadata and Copy Link Address to provide the URL to Tanium instead of downloading the XML file.
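Before you send the Identity Provider metadata from step 6 to Tanium, it is worth confirming that the file actually contains what the service provider side (TaaS, backed by a Cognito user pool) relies on: the IdP entityID, an HTTPS SingleSignOnService endpoint, and a published signing certificate. The script below is an added example, not Tanium or Okta code; it uses only the Python standard library, and the embedded sample metadata is constructed with placeholder values so it runs offline. Pass a real downloaded metadata file as the first argument to inspect it instead.

```python
"""Sanity-check a SAML 2.0 IdP metadata file (such as Okta's) before
handing it to Tanium.

Added example, not Tanium or Okta code. It reports the fields a service
provider depends on and flags common problems (no signing certificate,
non-HTTPS endpoint, SP metadata uploaded by mistake).
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample shaped like Okta's IdP metadata; every value is a placeholder.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/PLACEHOLDER_APP_ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/PLACEHOLDER_APP_ID/sso/saml"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/PLACEHOLDER_APP_ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the values a service provider needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # Map each SSO binding to its endpoint URL.
    endpoints = {svc.get("Binding"): svc.get("Location")
                 for svc in idp.findall("md:SingleSignOnService", NS)}

    # A KeyDescriptor with no 'use' attribute may be used for any purpose.
    signing_certs = [
        (cert.text or "").strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_post_url": endpoints.get(POST_BINDING),
        "sso_redirect_url": endpoints.get(REDIRECT_BINDING),
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": signing_certs,
    }


def check_idp_metadata(info: dict) -> list:
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["sso_post_url"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for key in ("sso_post_url", "sso_redirect_url"):
        url = info[key]
        if url and not url.startswith("https://"):
            problems.append(f"{key} is not https: {url}")
    if not info["signing_certs"]:
        problems.append("no signing certificate: the SP cannot verify assertions")
    return problems


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py [metadata.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_idp_metadata(text)
    for key, value in info.items():
        print(f"{key}: {value}")
    for problem in check_idp_metadata(info):
        print("PROBLEM:", problem)
```

The entityID printed by the script is the value TaaS will accept assertions from, and the signing certificate is what it will use to verify them; if either is missing, re-download the metadata from the Sign On tab rather than hand-editing the file.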

Assign the application to users

From the Assignments tab of the application, click Assign to assign the application to any users that you want to have access to TaaS.

You must give access to the user that is listed as the Primary TaaS Admin Username in your welcome e-mail from Tanium. This user is the only user that is created in TaaS during the provisioning process. Additional users can be created in TaaS by this user or other delegated users.

(Optional) Create a bookmark application for TaaS

TaaS uses Amazon Cognito user pools, which do not currently support identity provider (IdP) initiated sign-on. To work around this limitation, you can create a Bookmark App. For more information, see Simulating an IdP-initiated Flow with the Bookmark App.

  1. From the Okta Admin Console, go to Shortcuts > Add Applications.
  2. Search for bookmark and then select Bookmark App in INTEGRATIONS.
  3. In the Bookmark App section, click Add.
  4. In the General Settings • Required section, enter the following values, and then click Done.

    Application label: descriptive name such as TaaS or Tanium
    URL: the TaaS Console URL from your welcome e-mail from Tanium

  5. (Optional) Edit the template logo to provide a more appropriate logo. This application is visible to users.
  6. Click the Assignments tab to assign the bookmark app to any users that you want to have access to the bookmark app.

    You must give access to the user that is listed as the Primary TaaS Admin Username in your welcome e-mail from Tanium.

Assign access to TaaS through groups: assign both the SAML integration application and the Bookmark App to the same group so that every user in it receives both applications.