Cortex XDR enables you to easily and securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with the Security Assertion Markup Language (SAML) 2.0 standard. This configuration allows system users to authenticate using your organization's Identity Provider (IdP), such as Okta or PingOne. You can integrate any IdP with Cortex XDR supported by SAML 2.0.
Before configuring SSO with SAML 2.0, you must first activate your Cortex XDR tenant and be assigned an Account Admin role in the Gateway. This administrator, with either an Account Admin role or Instance Administrator role, is then required to sign in to Cortex XDR with their Customer Support Portal (CSP) credentials and configure the SAML 2.0 settings on the Single Sign-On page.
The instructions on how to configure SSO with SAML 2.0 are dependent on your organization’s IdP. As a result, the instructions below explain how to enable SSO in Cortex XDR and access the fields required to enable the SSO integration, where some of the field values need to be supplied from your organization’s IdP and some need to be added to your organization’s IdP. It is the customer’s responsibility to understand how to access their organization’s IdP to provide these fields and add any fields from Cortex XDR to their IdP.
To configure single sign-on.
Login to Cortex XDR and Sign-in with your CSP credentials, where you must be an administrator assigned with either an Account Admin role or Instance Administrator role.
Select → → → .
Toggle to SSO Enabled.
By default, SSO is disabled in Cortex XDR. When you toggle to SSO Enabled, the different SSO parameters are displayed so you can configure them according to your organization’s IdP.
Set the following parameters using your organization’s IdP.
General
Single Sign-On URL—Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL using the format
https://< Cortex XDR URL>/idp/saml, such ashttps://tenant1.xdr.paloaltonetworks.com/idp/saml. You need this value when configuring your organization’s IdP.Audience URI (SP Entity ID)—Indicates your Service Provider Entity ID, also known as the ACS URL, and is a fixed, read-only value using the format
https://< Cortex XDR URL>, such ashttps://tenant1.xdr.paloaltonetworks.com. You need this value when configuring your organization’s IdP.IdP SSO URL—Specify your organization’s SSO URL, which is copied from your organization’s IdP.
Default Role—(Optional) Select the default role that you want any user to automatically receive when they are granted access to Cortex XDR through SSO. This is an inherited role and is not the same as a direct role assigned to the user.
IdP Issuer ID—Specify your organization’s IdP Issuer ID, which is copied from your organization’s IdP.
X.509 Certificate—Specify your X.509 digital certificate, which is copied from your organization’s IdP.
IdP Attributes Mappings
These IdP attribute mappings are dependent on your organization’s IdP.
Email—Specify the email mapping according to your organization’s IdP.
Group Membership—Specify the group membership mapping according to your organization’s IdP.
First Name—Specify the first name mapping according to your organization’s IdP.
Last Name—Specify the last name mapping according to your organization’s IdP.
Note
We recommend using the following settings for Azure integrations.
email : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Group Membership: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
Advanced Settings (Optional)
The following advanced settings are optional to configure and some are specific for a particular IdP.
Relay State—(Optional) Specify the URL for a specific page that you want users to be directed to after they’ve been authenticated by your organization’s IdP and log in to Cortex XDR.
IdP Single Logout URL—(Optional) Specify your IdP single logout URL provided by your organization’s IdP to ensure that when a user initiates a logout from Cortex XDR, the identity provider logs the user out of all applications in the current identity provider login session.
SP Logout URL—(Optional) Indicates the Service Provider logout URL that you need to provide when configuring single logout from your organization’s IdP to ensure that when a user initiates a logout from Cortex XDR , the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the following format
https://< Cortex XDR URL>/idp/logout, such ashttps://tenant1.xdr.paloaltonetworks.com/idp/logoutService Provider Public Certificate—(Optional) Specify your organization’s IdP service provider public certificate.
Service Provider Private Key (Pem Format)—(Optional) Specify your organization’s IdP service provider private key in Pem Format.
ADFS—(Optional) Select this checkbox when you are configuring Microsoft ADFS services and the following options are displayed.
—Compress encode URL (ADFS)—(Optional) Select this checkbox for ADFS encoding.
—Service Identifier (ADFS)—(Optional) Specify the ADFS service identifier that you are using.
Save your changes.
Now, whenever an SSO user logs in to Cortex XDR , the following login options are available.
Sign-in with SSO—Enables you to be authenticated using your organization’s IdP, such as Okta or PingOne.
When you sign in as an SSO user, the Cortex XDR permissions granted to you after logging in, either from the group mapping or from the default role configuration, are effective throughout the entire session for a maximum session length as defined in your Session Security Settings. This applies even if the default role configuration is updated or the group membership settings were changed.
Sign-in with your CSP credentials—Enables you to login with your Customer Support Portal (CSP) credentials.