Set up Microsoft Entra ID as the Identity Provider Using SAML 2.0 - Administrator Guide - Cortex XSIAM - Cortex XDR - Cortex - Security Operations

In Cortex XDR go to Settings → Configurations → Access Management → Single Sign-On.

By default, SSO is disabled in Cortex XDR.

Expand the SSO Integration settings.

Copy and save the values for Single Sign-On URL and Audience URI (SP Entity ID).

Both values are needed to configure your IdP settings.

You cannot save the enabled SSO Integration at this time, as it requires values from your IdP.

From within Microsoft Entra ID, create a Cortex XDR application and Edit the Basic SAML Configuration.

Paste the Single sign-on URL and the Audience URI (SP Entity ID) that you copied from the Cortex XDR SSO settings. The Single sign-on URL from Cortex XDR should be pasted in the Reply URL and the Sign on URL fields. The Audience URI (SP Entity ID) value from Cortex XDR should be pasted in the Identifier (Entity ID) and Relay State fields. This allows users to log in to Cortex XDR directly from Microsoft Entra ID.

In the SAML Certificates section, click Edit and verify that Microsoft Entra ID is configured to sign both the response and the assertion.

To have Microsoft Entra ID send group membership for the user in the SAML token, you must + Add a group claim in the Attributes & Claims section. Send the Security groups, using the source attribute Group ID. Use the word or phrase you selected when configuring Microsoft Entra ID security groups (such as Cortex XDR) to create a filter. Customize the name of the group claim as memberOf.

In addition to group membership, verify that there are also claims for:

In Microsoft Entra ID, from the Single sign-on page, in the Set up Cortex XDR Production section, copy the values for the Login URL and Microsoft Entra ID Identifier. You need these values to configure the SSO Integration in Cortex XDR.

Edit Attributes & Claims and copy the values in the Claim name column. The claim name is case sensitive. You need these values to configure the SSO Integration in Cortex XDR.

In Cortex XDR go to Settings → Configurations → Access Management → Single Sign-On.

By default, SSO is disabled in Cortex XDR.

Expand the SSO Integration settings.

Use the following table to complete the SSO Integration settings, based on the values you saved from Microsoft Entra ID.

In the IdP Attributes Mapping section, enter the attribute claim names from Microsoft Entra ID. The names are case sensitive and must match exactly.

(Optional) Under Advanced Settings, select the checkboxes for ADFS and Compress encode URL (ADFS). In some circumstances, these fields may be required by your Microsoft Entra ID configuration.

Save your settings.

Select Settings → Configurations → Access Management → User Groups.

Right-click a user group and select Edit Group.

In the SAML Group Mapping field add the Microsoft Entra ID group(s) Object Ids that should be associated with this user group. Multiple Object Ids should be separated with a comma. The Microsoft Entra ID group Object Id must match the exact value sent in the token.

Save your settings.

Repeat for each user group.

Go to the Cortex XDR tenant URL and Sign-In with SSO.

After authentication to Microsoft Entra ID, you are redirected again to the Cortex XDR tenant.

When logged in, validate that you have been assigned the proper roles.

To view your role and any role assigned to a user group you are a member of, click your name in the bottom left-hand corner, and click About.