Set up authentication in the Cortex XDR tenant using SSO.
Cortex XDR enables you to securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with SAML 2.0. System users can authenticate using your organization's Identity Provider (IdP), such as Okta or PingOne. You can integrate with any IdP that supports SAML 2.0.
Configuring SSO with SAML 2.0 is dependent on your organization’s IdP. Some of the parameter values need to be supplied from your organization’s IdP and some need to be added to your organization’s IdP. You should have sufficient knowledge about IdPs, how to access your organization’s IdP, which values to add to Cortex XDR, and which values to add to your IdP fields.
Note
To set up SSO authentication in the tenant, you must be assigned an Instance Administrator or Account Admin role.
SAML 2.0 users must log in to Cortex XDR using the FQDN (full URL) of the tenant. To allow login directly from the IdP to Cortex XSOAR, you must set the relay state on the IdP to the FQDN of the tenant.
If you have multiple tenants, you must set up the SSO configuration separately for each tenant, both in the IdP and in Cortex XDR.
Create groups in your IdP that correspond to the roles in Cortex XDR and assign users to those groups in your IdP. Users can belong to multiple groups and receive permissions associated with multiple roles. Add the appropriate SAML group mapping from your IdP to each Cortex XDR role.
If you are configuring Okta or Azure, follow the procedure in Okta or Azure AD. You can also adapt these instructions for use with any similar SAML 2.0 IdP.
In Cortex XDR, go to → → → .
If you want to add another SSO connection so that you can manage user groups with different roles and different IdPs, click Add SSO Connection.
A separate set of SSO parameters is displayed for the new connection; configure them according to your organization’s additional IdP.
Note
The first SSO cannot be deleted; it can only be deactivated by toggling SSO Enabled to off.
The Domain parameter is predefined for the first SSO.
If you add additional SSO providers, you must provide the email Domain in the SSO Integration settings for all providers except the first. Cortex XDR uses this domain to determine which identity provider the user should be sent to for authentication.
When mapping IdP user groups to Cortex XDR user groups, you must include the group attribute for each IdP you want to use. For example, if you are using Microsoft Azure and Okta, the SAML Group Mapping field of your Cortex XDR user group must include the IdP groups for each provider. Separate group names with commas.
Set the following parameters using your organization’s IdP.
General parameters
IdP Attribute Mapping
Advanced Settings (optional)
Save your changes.
Whenever an SSO user logs in to Cortex XDR, the following login options are available.
Sign-in with SSO
If you have enabled more than one SSO provider, an optional email field appears. If the user does not enter an email address or if the email address does not match an existing domain, the user is automatically directed to the default IdP provider (the first in the list of SSO providers in the Authentication Settings). If the user enters an email address and it matches a domain listed in the Domain field in the SSO Integration settings for one of your IdPs, Sign-In with SSO sends the user to the IdP associated with that email domain.
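The two rules described above, routing a Sign-in with SSO request to an IdP by email domain and granting a user every role whose SAML Group Mapping lists one of their IdP groups, modelled as an added example. This is not Cortex XDR code; the data structures, the case-insensitive domain comparison and the sample connections and mappings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SsoConnection:
    """One entry in the SSO Integration settings (hypothetical model)."""
    name: str       # label for the IdP, e.g. "okta" (constructed)
    domain: str     # email Domain; predefined by the tenant for the first entry


def select_idp(connections: List[SsoConnection], email: Optional[str]) -> SsoConnection:
    """Pick the IdP for a Sign-in with SSO request.

    The first connection is the default. A user is sent elsewhere only when an
    email address is entered and its domain matches a connection's Domain.
    Domains are compared case-insensitively (an assumption; the page does not say).
    """
    if not connections:
        raise ValueError("at least one SSO connection is required")
    default = connections[0]
    if not email or "@" not in email:
        return default                      # no email entered: default IdP
    user_domain = email.rsplit("@", 1)[1].strip().lower()
    for conn in connections:
        if conn.domain.lower() == user_domain:
            return conn
    return default                          # unmatched domain: default IdP


def parse_group_mapping(mapping: str) -> Set[str]:
    """Split a role's comma-separated SAML Group Mapping field into group names."""
    return {g.strip() for g in mapping.split(",") if g.strip()}


def resolve_roles(role_mappings: Dict[str, str], user_groups: List[str]) -> Set[str]:
    """Return every Cortex XDR role whose mapping lists one of the user's IdP groups.

    A user in several groups receives the permissions of several roles.
    """
    groups = set(user_groups)
    return {role for role, mapping in role_mappings.items()
            if parse_group_mapping(mapping) & groups}


# Constructed sample configuration: first entry is the default IdP.
CONNECTIONS = [SsoConnection("okta", "example.com"),
               SsoConnection("azure", "contoso.example")]
ROLE_MAPPINGS = {  # constructed role -> SAML Group Mapping field (one group per IdP)
    "Instance Administrator": "xdr-admins, AAD-XDR-Admins",
    "Viewer": "xdr-viewers,AAD-XDR-Viewers",
}
```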