Configuring Okta for TaaS

To use Okta as an identity provider for TaaS, you must first configure it. For more information about configuring Okta, see How do I set up Okta as a SAML identity provider in an Amazon Cognito user pool?

Create a SAML application and provide the metadata to Tanium

  1. Open the Okta Developer Console.
  2. From the Developer Console drop-down menu, click Classic UI to open the Admin Console.

    You must use the Classic UI to create a SAML application.

  3. From the Main menu, click Applications, and then click Create App Integration.
  4. Select SAML 2.0, and then click Next.
  5. Configure general settings.
    1. Enter a name, such as Tanium or TaaS.
    2. (Optional) Upload a logo.
    3. Verify that Do not display application icon to users and Do not display application icon in the Okta Mobile app are selected, and then click Next.
    4. In the GENERAL section, enter the following values from the Cloud Management Portal.

      Single sign on URL: SSO URL
      Audience URI (SP Entity ID): Audience URI (SP Entity ID)

    5. In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the following values, and then click Next.

      Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      Value: user.email

    6. In the Feedback section, select I'm an Okta customer adding an internal app, provide any additional responses, and click Finish.
  6. In the SIGN ON METHODS section of the Sign On tab of the application, right-click Identity Provider metadata and click Copy Link Address to copy the metadata URL that you provide to Tanium.

  7. Provide the metadata URL in the Identity Provider Metadata step of the Cloud Management Portal identity provider configuration. For more information, see Configure your identity provider.
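The following script is an added example, not code from Tanium or Okta. It shows what a practitioner can verify once the SAML application is created: that the Identity Provider metadata document published at the metadata URL carries the entityID, HTTP-POST sign-on URL and signing certificate that Tanium will consume, and that an assertion issued by the application carries the Audience URI (SP Entity ID) and the emailaddress attribute statement entered in the steps above. Both XML documents are constructed sample data in the shape Okta and Cognito use; the entityID, SSO URL, certificate body and audience value are placeholders, not values from any real tenant.

```python
"""Sanity checks for an Okta SAML application configured for TaaS.

Added example with constructed sample XML. Signature validation is not
attempted here; Amazon Cognito performs it when the assertion is consumed.
"""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml.ElementTree

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Attribute name entered in the ATTRIBUTE STATEMENTS section of the Okta app.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed metadata in the shape Okta serves at the Identity Provider metadata URL.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0EXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC-EXAMPLE-CERT-BODY</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk0EXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion as the Okta app would issue it for an assigned user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk0EXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>urn:amazon:cognito:sp:us-east-1_EXAMPLE</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>admin@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Extract the fields Tanium needs from an IdP metadata document."""
    root = ET.fromstring(xml_text)
    sso = root.find(f".//md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    certs = [
        c.text.strip()
        for c in root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location") if sso is not None else None,
        "signing_certs": certs,
    }


def check_assertion(xml_text, expected_issuer, expected_audience):
    """Return a list of problems; an empty list means the assertion names the
    expected issuer, is restricted to the SP Entity ID entered as Audience URI,
    and carries the emailaddress attribute Cognito maps to the user's email."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences!r} does not include {expected_audience!r}")
    emails = [v.text for v in root.findall(f".//saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue", NS)]
    if not emails:
        problems.append(f"missing attribute statement {EMAIL_CLAIM}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(meta)
    print(check_assertion(SAMPLE_ASSERTION, meta["entity_id"], "urn:amazon:cognito:sp:us-east-1_EXAMPLE"))
```

To run this against a real tenant, fetch the copied metadata URL over HTTPS and pass the body to parse_idp_metadata; the entity_id it returns is the Issuer you should expect in assertions, and the sso_url is where Cognito redirects users. A non-empty list from check_assertion usually means the Audience URI or the attribute Name was mistyped in the Okta application settings.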

Assign the application to users

From the Assignments tab of the application, click Assign to assign the application to any users that you want to have access to TaaS.

You must give access to the user that is listed as the Primary TaaS Admin Username in the Cloud Management Portal. This user is the only user that is created in TaaS during the provisioning process. Additional users can be created in TaaS by this user or other delegated users.

(Optional) Create a bookmark application for TaaS

TaaS uses Amazon Cognito user pools, which do not currently support identity provider (IdP) initiated sign-on. To work around this limitation, you can create a Bookmark App. For more information, see Simulating an IdP-initiated Flow with the Bookmark App.

  1. From the Okta Admin Console, go to Shortcuts > Add Applications.
  2. Search for bookmark and then select Bookmark App in INTEGRATIONS.
  3. In the Bookmark App section, click Add.
  4. In the General Settings • Required section, enter the following values, and then click Done.

    Application label: descriptive name such as TaaS or Tanium
    URL: the TaaS Console URL from the Cloud Management Portal

  5. (Optional) Edit the template logo to provide a more appropriate logo. This application is visible to users.
  6. Click the Assignments tab and assign the bookmark app to any users that you want to have access to it.

    You must give access to the user that is listed as the Primary TaaS Admin Username in the Cloud Management Portal.

Use groups to assign access to TaaS, and assign both the SAML integration application and the Bookmark App to that group so that every user receives both applications.