Learn how to easily and securely authenticate system users with one set of credentials using SSO with the SAML 2.0 standard.
Cortex XDR enables you to securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with SAML 2.0. System users can authenticate using your organization's Identity Provider (IdP).
Configuring SSO with SAML 2.0 is dependent on your organization’s IdP. Some parameter values need to be supplied from your organization’s IdP and some need to be added to your organization’s IdP. You should have sufficient knowledge about IdPs, how to access your organization’s IdP, which values to add to Cortex XDR, and which values to add to your IdP fields.
To configure SSO, you must have the Instance Administrator or Account Admin role.
Note
SAML 2.0 users must log in to Cortex XDR using the FQDN (full URL) of the tenant. To allow login directly from the IdP to Cortex XDR, you must set the relay state on the IdP to the FQDN of the tenant.
If you have multiple tenants, you must set up the SSO configuration separately for each tenant, both in the IdP and in Cortex XDR.
Create groups in your IdP that correspond to the roles in Cortex XDR and assign users to those groups in your IdP. Users can belong to multiple groups and receive permissions associated with multiple roles. Add the appropriate SAML group mapping from your IdP to each Cortex XDR role.
Cortex XDR requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that include a comma, which is not compatible with Cortex XDR. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma separated list), by default, you must configure IdP to send the the Group CN (Common Name) instead.
If you are configuring Okta or Azure, follow the procedure in Okta and Azure AD. You can also adapt these instructions with any similar SAML 2.0 IdP.
In Cortex XDR go to → → → .
If you want to add an SSO to enable managing user groups with different roles and different IdPs, click Add SSO Connection.
Different SSO parameters for an SSO are displayed to configure according to your organization’s additional IdP.
Note
The first SSO cannot be deleted, it can only be deactivated by toggling SSO Enabled to off.
The Domain parameter is predefined for the first SSO. You need to set it for added SSOs.
If you add additional SSO providers, you must provide the email Domain in the SSO Integration settings for all providers except the first. Cortex XDR uses this domain to determine which identity provider the user should be sent to for authentication.
When mapping IdP user groups to Cortex XDR user groups, you must include the group attribute for each IdP you want to use. For example, if you are using Microsoft Azure and Okta, your Cortex XDR user group SAML Group Mapping field must include the IdP groups for each provider. Each group name is separated by a comma.
Set the following parameters using your organization’s IdP.
General
Parameter
Description
IdP SSO or Metadata URL
Select the option that meets your organization's requirements.
Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL using the format
https://
. For example,<name of Cortex-Tenant>
.paloaltonetworks.com/idp/samlhttps://tenant1.Cortex XDR.paloaltonetworks.com/idp/saml
You need this value when configuring your IdP.
IdP SSO URL
Specify your organization’s SSO URL, which is copied from your organization’s IdP.
Metadata URL
Audience URI (SP Entity ID)
Indicates your Service Provider Entity ID, also known as the ACS URL. It is a fixed, read-only value using the format,
https://
. For example<name of Cortex-Tenant>
.paloaltonetworks.comhttps://tenant1.xdr.paloaltonetworks.com
.You need this value when configuring your organization’s IdP.
Default Role
(Optional) Select the default role that you want any user to automatically receive when they are granted access to Cortex XDR through SSO. This is an inherited role and is not the same as a direct role assigned to the user.
IdP Issuer ID
Specify your organization’s IdP Issuer ID, which is copied from your organization’s IdP.
X.509 Certificate
Specify your X.509 digital certificate, which is copied from your organization’s IdP.
Domain
Relevant only for multiple SSOs. For one SSO, this is a fixed, read-only value. Associate this IdP with a specific email domain (user@<domain>). When logging in, users are redirected to the IdP associated with their email domain or to the default IdP if no association exists.
IdP Attribute Mappings
These IdP attribute mappings are dependent on your organization’s IdP.
Parameter
Description
Email
Specify the email mapping according to your organization’s IdP.
Group Membership
Specify the group membership mapping according to your organization’s IdP.
Note
Cortex XDR requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that include a comma, which is not compatible with Cortex XDR. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma separated list), by default, you must configure IdP to send the the Group CN (Common Name) instead.
First Name
Specify the first name mapping according to your organization’s IdP.
Last Name
Specify the last name mapping according to your organization’s IdP.
Advanced Settings (Optional)
The following advanced settings are optional to configure and some are specific for a particular IdP.
Parameter
Description
Relay State
(Optional) Specify the URL for a specific page that you want users to be directed to after they’ve been authenticated by your organization’s IdP and log in to Cortex XDR.
IdP Single logout URL
(Optional) Specify your IdP single logout URL provided from your organization’s IdP to ensure that when a user initiates a logout from Cortex XDR, the identity provider logs the user out of all applications in the current identity provider login session.
SP Logout URL
(Optional) Indicates the Service Provider logout URL that you need to provide when configuring single logout from your organization’s IdP to ensure that when a user initiates a logout from Cortex XDR, the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the following format
https://<name of Cortex-Tenant>.paloaltonetworks.com/idp/logout
, such ashttps://tenant1.xdr.paloaltonetworks.com/idp/logout
.Service Provider Public Certificate
(Optional) Specify your organization’s IdP service provider public certificate.
Service Provider Private Key (Pem Format)
(Optional) Specify your organization’s IdP service provider private key in Pem Format.
Allow users to log in without entering a password
(Optional) Select if you want to enable your users to log in to Cortex XDR without any further authentication if they're already logged in to your IdP, including when the IdP uses multi-factor authentication.
Force Authentication
(Optional) If the IdP requires reauthentication, the users will be prompted to perform a full login.
Save your changes.
When a user logs in to Cortex XDR, the following login options are available. If you selected Allow users to log in without entering a password above, these options won't be displayed and the user will be logged in without a reauthentication request.
Sign-in with SSO: Authenticates using your organization’s IdP, such as Okta or Azure AD.
When you sign in as an SSO user, the Cortex XDR permissions granted to you after logging in, either from the group mapping or from the default role configuration, are effective throughout the entire session for a maximum session length as defined in your session settings. This applies even if the default role configuration is updated or the group membership settings are changed.
If you have enabled more than one SSO provider, an optional email field displays above theLogin Options tab under Authentication Settings). If the user enters an email address and it matches a domain listed in the email Domain field in the SSO Integration settings for one of your IdPs, Sign-In with SSO sends the user to the IdP associated with that email domain.
button. If the user does not enter an email address in this field or if the email address does not match an existing domain, the user is automatically directed to the default IdP provider (the first in the list of SSO providers on yourSign-in with your CSP credentials: Users log in with their Customer Support Portal (CSP) credentials, provided they have been added as a user through the CSP.