Authenticate users through the Cortex Xpanse tenant using SSO - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product
Cortex XPANSE
Version
2
Creation date
2024-05-22
Last date published
2024-07-16
Category
User Guide
Solution
Cloud
Abstract

Set up authentication in the Cortex Xpanse tenant using SSO.

Cortex Xpanse enables you to securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with SAML 2.0. System users can authenticate using your organization's Identity Provider (IdP), such as Okta or PingOne. You can integrate with any IdP that is supported by SAML 2.0.

Configuring SSO with SAML 2.0 is dependent on your organization’s IdP. Some of the parameter values need to be supplied from your organization’s IdP and some need to be added to your organization’s IdP. You should have sufficient knowledge about IdPs, how to access your organization’s IdP, which values to add to Cortex Xpanse, and which values to add to your IdP fields.

To set up SSO authentication in the tenant, you must be assigned an Instance Administrator or Account Admin role.

Tip

  • SAML 2.0 users must log in to Cortex Xpanse using the FQDN (full URL) of the tenant. To allow login directly from the IdP to Cortex XSOAR, you must set the relay state on the IdP to the FQDN of the tenant.

  • If you have multiple tenants, you must set up the SSO configuration separately for each tenant, both in the IdP and in Cortex Xpanse.

  • Create groups in your IdP that correspond to the roles in Cortex Xpanse and assign users to those groups in your IdP. Users can belong to multiple groups and receive permissions associated with multiple roles. Add the appropriate SAML group mapping from your IdP to each Cortex Xpanse role.

If you are configuring Okta or Azure, follow the procedure in Okta or Azure AD. You can also adapt these instructions with any similar SAML 2.0 IdP.Set up Okta as the Identity Provider Using SAML 2.0Set up Azure AD as the Identity Provider Using SAML 2.0

  1. In Cortex Xpanse, go to SettingsConfigurationsAccess ManagementSingle Sign-On.

  2. In the Single Sign-On tab, toggle SSO Disabled to on.

    You can see the SSO settings, so you can configure them according to your organization’s IdP.

  3. If you want to add another SSO connection to enable managing user groups with different roles and different IdPs, click Add SSO Connection.

    Different SSO parameters for an SSO are displayed to configure according to your organization’s additional IdP.

    Note

    • The first SSO cannot be deleted, it can only be deactivated by toggling SSO Enabled to off.

    • The Domain parameter is predefined for the first SSO.

      If you add additional SSO providers, you must provide the email Domain in the SSO Integration settings for all providers except the first. Cortex Xpanse uses this domain to determine which identity provider the user should be sent to for authentication.

    • When mapping IdP user groups to Cortex Xpanse user groups, you must include the group attribute for each IdP you want to use. For example, if you are using Microsoft Azure and Okta, your Cortex Xpanse user group SAML Group Mapping field must include the IdP groups for each provider. Each group name is separated by a comma.

  4. Set the following parameters using your organization’s IdP.

    • General parameters

    • IdP Attribute Mapping

    • Advanced Settings (optional)

  5. Save your changes.

    Whenever an SSO user logs in to Cortex Xpanse, the following login options are available.

    • Sign-in with SSO

      If you have enabled more than one SSO provider, an optional email field appears. If the user does not enter an email address or if the email address does not match an existing domain, the user is automatically directed to the default IdP provider (the first in the list of SSO providers in the Authentication Settings). If the user enters an email address and it matches a domain listed in the Domain field in the SSO Integration settings for one of your IdPs, Sign-In with SSO sends the user to the IdP associated with that email domain.

    • Sign-in with your CSP credentials: Users log in with their Customer Support Portal (CSP) credentials, provided they have been added as a user via the CSP and have been assigned a role or assigned to the tenant through the Cortex Gateway or in the tenant. Users log into the CSP via SSO authentication.

Parameter

Description

IdP SSO or Metadata URL

Select the option that meets your organization's requirements.

Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL using the format https://<name of Cortex-Xpanse>.crtx.paloaltonetworks.com/idp/saml. For example, https://tenant1.crtx.paloaltonetworks.com/idp/saml

You need this value when configuring your IdP.

IdP SSO URL

Specify your organization’s SSO URL, which is copied from your organization’s IdP.

Metadata URL

Audience URI (SP Entity ID)

Indicates your Service Provider Entity ID, also known as the ACS URL. It is a fixed, read-only value using the format, https://<name of Cortex-Xpanse>.paloaltonetworks.com. For example https://tenant1.crtx.paloaltonetworks.com.

You need this value when configuring your organization’s IdP.

Default Role

(Optional) Select the default role that you want any user to automatically receive when they are granted access to Cortex Xpanse through SSO. This is an inherited role and is not the same as a direct role assigned to the user.

IdP Issuer ID

Specify your organization’s IdP Issuer ID, which is copied from your organization’s IdP.

X.509 Certificate

Specify your X.509 digital certificate, which is copied from your organization’s IdP.

Domain

Relevant only for multiple SSOs. For one SSO, this is a fixed, read-only value. Associate this IdP with a specific email domain (user@<domain>). When logging in, users are redirected to the IdP associated with their email domain or to the default IdP if no association exists.

These IdP attribute mappings are dependent on your organization’s IdP.

Parameter

Description

Email

Specify the email mapping according to your organization’s IdP.

Group Membership

Specify the group membership mapping according to your organization’s IdP.

Note

Cortex Xpanse requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that include a comma, which is not compatible with Cortex Xpanse. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma separated list), by default, you must configure IdP to send the the Group CN (Common Name) instead.

First Name

Specify the first name mapping according to your organization’s IdP.

Last Name

Specify the last name mapping according to your organization’s IdP.

Note

We recommend using the following settings for Azure integrations:

  • Email : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

  • Group Membership: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

  • First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  • Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

The following advanced settings are optional to configure and some are specific for a particular IdP.

Parameter

Description

Relay State

(Optional) Specify the URL for a specific page that you want users to be directed to after they’ve been authenticated by your organization’s IdP and log in to Cortex Xpanse.

IdP Single logout URL

(Optional) Specify your IdP single logout URL provided by your organization’s IdP to ensure that when a user initiates a logout from Cortex Xpanse, the identity provider logs the user out of all applications in the current identity provider login session.

SP Logout URL

(Optional) Indicates the Service Provider logout URL that you need to provide when configuring a single logout from your organization’s IdP to ensure that when a user initiates a logout from Cortex Xpanse, the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the following format https://<name of Cortex-Xpanse>.crtx.paloaltonetworks.com/idp/logout, such as https://tenant1.crtx.paloaltonetworks.com/idp/logout.

Service Provider Public Certificate

(Optional) Specify your organization’s IdP service provider public certificate.

Service Provider Private Key (Pem Format)

(Optional) Specify your organization’s IdP service provider private key in Pem Format.

Remove SAML RequestedAuthnContext

(Optional) Requires users to log in to Cortex Xpanse using additional authentication methods, such as biometric authentication.

Selecting this removes the error generated when the authentication method used for previous authentication is different from the one currently being requested. See here for additional details about the RequestedAuthnContext authentication mismatch error.

Force Authentication

(Optional) Requires users to reauthenticate to access the Cortex Xpanse tenant if requested by the idP, even if they already authenticated to access other applications.