Authenticate users using SSO - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Set up authentication in the Cortex XDR tenant using SSO.

Cortex XDR enables you to securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with SAML 2.0. System users can authenticate using your organization's Identity Provider (IdP), such as Okta or PingOne. You can integrate with any IdP that is supported by SAML 2.0.

Configuring SSO with SAML 2.0 is dependent on your organization’s IdP. Some of the parameter values need to be supplied from your organization’s IdP and some need to be added to your organization’s IdP. You should have sufficient knowledge about IdPs, how to access your organization’s IdP, which values to add to Cortex XDR, and which values to add to your IdP fields.

Note

  • To set up SSO authentication in the tenant, you must be assigned an Instance Administrator or Account Admin role.

  • SAML 2.0 users must log in to Cortex XDR using the FQDN (full URL) of the tenant. To allow login directly from the IdP to Cortex XSOAR, you must set the relay state on the IdP to the FQDN of the tenant.

  • If you have multiple tenants, you must set up the SSO configuration separately for each tenant, both in the IdP and in Cortex XDR.

  • Create groups in your IdP that correspond to the roles in Cortex XDR and assign users to those groups in your IdP. Users can belong to multiple groups and receive permissions associated with multiple roles. Add the appropriate SAML group mapping from your IdP to each Cortex XDR role.

If you are configuring Okta or Azure, follow the procedure in Okta or Azure AD. You can also adapt these instructions for use with any similar SAML 2.0 IdP.

  1. In Cortex XDR, go to SettingsConfigurationsAccess ManagementAuthentication Settings.

  2. If you want to add another SSO connection to enable managing user groups with different roles and different IdPs, click Add SSO Connection.

    Different SSO parameters for an SSO are displayed to configure according to your organization’s additional IdP.

    Note

    • The first SSO cannot be deleted, it can only be deactivated by toggling SSO Enabled to off.

    • The Domain parameter is predefined for the first SSO.

      If you add additional SSO providers, you must provide the email Domain in the SSO Integration settings for all providers except the first. Cortex XDR uses this domain to determine which identity provider the user should be sent to for authentication.

    • When mapping IdP user groups to Cortex XDR user groups, you must include the group attribute for each IdP you want to use. For example, if you are using Microsoft Azure and Okta, your Cortex XDR user group SAML Group Mapping field must include the IdP groups for each provider. Each group name is separated by a comma.

  3. Set the following parameters using your organization’s IdP.

    • General parameters

    • IdP Attribute Mapping

    • Advanced Settings (optional)

  4. Save your changes.

    Whenever an SSO user logs in to Cortex XDR, the following login options are available.

    • Sign-in with SSO

      If you have enabled more than one SSO provider, an optional email field appears. If the user does not enter an email address or if the email address does not match an existing domain, the user is automatically directed to the default IdP provider (the first in the list of SSO providers in the Authentication Settings). If the user enters an email address and it matches a domain listed in the Domain field in the SSO Integration settings for one of your IdPs, Sign-In with SSO sends the user to the IdP associated with that email domain.

Parameter

Description

IdP SSO or Metadata URL

Select the option that meets your organization's requirements.

Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL using the format https://<name of Cortex-XSOAR>.crtx.paloaltonetworks.com/idp/saml. For example, https://tenant1.crtx.paloaltonetworks.com/idp/saml

You need this value when configuring your IdP.

IdP SSO URL

Specify your organization’s SSO URL, which is copied from your organization’s IdP.

Metadata URL

Audience URI (SP Entity ID)

Indicates your Service Provider Entity ID, also known as the ACS URL. It is a fixed, read-only value using the format, https://<name of Cortex-XSOAR>.paloaltonetworks.com. For example https://tenant1.crtx.paloaltonetworks.com.

You need this value when configuring your organization’s IdP.

Default Role

(Optional) Select the default role that you want any user to automatically receive when they are granted access to Cortex XDR through SSO. This is an inherited role and is not the same as a direct role assigned to the user.

IdP Issuer ID

Specify your organization’s IdP Issuer ID, which is copied from your organization’s IdP.

X.509 Certificate

Specify your X.509 digital certificate, which is copied from your organization’s IdP.

Domain

Relevant only for multiple SSOs. For one SSO, this is a fixed, read-only value. Associate this IdP with a specific email domain (user@<domain>). When logging in, users are redirected to the IdP associated with their email domain or to the default IdP if no association exists.

These IdP attribute mappings are dependent on your organization’s IdP.

Parameter

Description

Email

Specify the email mapping according to your organization’s IdP.

Group Membership

Specify the group membership mapping according to your organization’s IdP.

Note

Cortex XDR requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that include a comma, which is not compatible with Cortex XDR. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma-separated list), by default, you must configure IdP to send the Group CN (Common Name) instead.

First Name

Specify the first name mapping according to your organization’s IdP.

Last Name

Specify the last name mapping according to your organization’s IdP.

The following advanced settings are optional to configure and some are specific for a particular IdP.

Parameter

Description

Relay State

(Optional) Specify the URL for a specific page that you want users to be directed to after they’ve been authenticated by your organization’s IdP and log in to Cortex XDR.

IdP Single logout URL

(Optional) Specify your IdP single logout URL provided by your organization’s IdP to ensure that when a user initiates a logout from Cortex XDR, the identity provider logs the user out of all applications in the current identity provider login session.

SP Logout URL

(Optional) Indicates the Service Provider logout URL that you need to provide when configuring a single logout from your organization’s IdP to ensure that when a user initiates a logout from Cortex XDR, the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the following format https://<name of Cortex-XSOAR>.crtx.paloaltonetworks.com/idp/logout, such as https://tenant1.crtx.paloaltonetworks.com/idp/logout.

Service Provider Public Certificate

(Optional) Specify your organization’s IdP service provider public certificate.

Service Provider Private Key (Pem Format)

(Optional) Specify your organization’s IdP service provider private key in Pem Format.

Remove SAML RequestedAuthnContext

(Optional) Requires users to log in to Cortex XDR using additional authentication methods, such as biometric authentication.

Selecting this removes the error generated when the authentication method used for previous authentication is different from the one currently being requested. See here for more details about the RequestedAuthnContext authentication mismatch error.

Force Authentication

(Optional) Requires users to reauthenticate to access the Cortex XDR tenant if requested by the idP, even if they already authenticated to access other applications.

The following list describes the common errors and issues when using SAML 2.0 authentication.

  • Errors in your IdP could mean the Service Provider Entity ID and/or Service Identifier are not properly configured in the IdP or in the Cortex XDR settings.

  • SAML attributes from the IdP are not properly mapped in Cortex XDR. The attributes are case sensitive and must exactly match in your IdP and in the Cortex XDR IdP Attributes Mapping.

  • Group memberships from the IdP have not been properly mapped to Cortex XDR user groups. Verify the values your identity provider is sending, to properly map the groups in Cortex XDR.

  • The identity provider is not configured to sign both the SAML response and the assertion on the login token. Your IdP must be configured to sign both to ensure a secure login.

  • If you require further troubleshooting, we recommend using your browser's built-in developer tools or additional browser plugins to capture the login request and SAML token.