Configure Single Sign-On Using SAML 2.0 - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-18
Category
Administrator Guide
Abstract

Learn how to easily and securely authenticate system users with one set of credentials using SSO with the SAML 2.0 standard.

Cortex XSIAM enables you to securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with SAML 2.0. System users can authenticate using your organization's Identity Provider (IdP).

Configuring SSO with SAML 2.0 is dependent on your organization’s IdP. Some parameter values need to be supplied from your organization’s IdP and some need to be added to your organization’s IdP. You should have sufficient knowledge about IdPs, how to access your organization’s IdP, which values to add to Cortex XSIAM, and which values to add to your IdP fields.

To configure SSO, you must have the Instance Administrator or Account Admin role.

Note

  • SAML 2.0 users must log in to Cortex XSIAM using the FQDN (full URL) of the tenant. To allow login directly from the IdP to Cortex XSIAM, you must set the relay state on the IdP to the FQDN of the tenant.

  • If you have multiple tenants, you must set up the SSO configuration separately for each tenant, both in the IdP and in Cortex XSIAM.

  • Create groups in your IdP that correspond to the roles in Cortex XSIAM and assign users to those groups in your IdP. Users can belong to multiple groups and receive permissions associated with multiple roles. Add the appropriate SAML group mapping from your IdP to each Cortex XSIAM role.

  • Cortex XSIAM requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that includes a comma, which is not compatible with Cortex XSIAM. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma-separated list) by default, you must configure the IdP to send the Group CN (Common Name) instead.
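The following script is an added illustration of the group-membership constraints in the notes above; it is not Cortex XSIAM code and does not show how the product itself parses assertions. It parses a constructed, unsigned SAML assertion, flags group values that contain a comma (such as a Group DN), extracts the CN the guide says to send instead, and resolves roles from comma-separated SAML Group Mapping fields the way the notes describe (a user in several groups receives several roles, plus the inherited default role). The attribute names (memberOf, email), the group names and every role name except Instance Administrator are assumed sample values.

```python
"""Check an IdP's group-membership attribute against the constraints this
guide states: one value per group, no commas, and per-role SAML Group
Mapping fields that list IdP groups separated by commas.

Added illustration only; not Cortex XSIAM code. Attribute names, group
names and the role names other than "Instance Administrator" are assumed.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment with sample data. A real service
# provider verifies the Response signature before trusting any attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=SOC Analysts,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>xsiam-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Role -> SAML Group Mapping field, in the comma-separated form the UI accepts.
# "Instance Administrator" is named in the guide; the other role is assumed.
ROLE_MAPPINGS = {
    "Instance Administrator": "xsiam-admins, okta-xsiam-admins",
    "Analyst": "SOC Analysts, azure-soc-analysts",
}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def incompatible_group_values(groups):
    """Group values containing a comma (e.g. a Group DN) will not map."""
    return [g for g in groups if "," in g]


def cn_from_dn(dn):
    """Take the CN out of an LDAP-style DN: the single value the guide
    says to configure the IdP to send instead of the whole DN."""
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("no CN in %r" % dn)


def parse_group_mapping(field):
    """Split a SAML Group Mapping field ('grp-a, grp-b') into group names."""
    return {g.strip() for g in field.split(",") if g.strip()}


def roles_for_user(groups, role_mappings, default_role=None):
    """Roles a user receives: every role whose mapping names one of the
    user's groups, plus the inherited default role when one is configured."""
    roles = {role for role, field in role_mappings.items()
             if parse_group_mapping(field) & set(groups)}
    if default_role:
        roles.add(default_role)
    return roles


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    groups = attrs["memberOf"]
    print("values the IdP must not send:", incompatible_group_values(groups))
    # Reduce DNs to their CN, as the IdP should be configured to do.
    fixed = [cn_from_dn(g) if "," in g else g for g in groups]
    print("effective roles:", sorted(roles_for_user(fixed, ROLE_MAPPINGS, "Viewer")))
```

Running it shows that the DN value is rejected as-is, that the CN form matches the "Analyst" mapping, and that the user also receives "Instance Administrator" from the second group; a DN sent unchanged matches no mapping at all.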

If you are configuring Okta or Azure, follow the procedure in Okta and Azure AD. You can also adapt these instructions for any similar SAML 2.0 IdP.

  1. In Cortex XSIAM go to Settings → Configurations → Access Management → Authentication Settings.

  2. In the Login Options tab, toggle SSO Disabled to on.

    The SSO settings are displayed so that you can configure them according to your organization's IdP.

  3. If you want to add another SSO connection, for example to manage user groups with different roles through different IdPs, click Add SSO Connection.

    A separate set of SSO parameters is displayed for the new connection, to be configured according to your organization’s additional IdP.

    Note

    • The first SSO cannot be deleted; it can only be deactivated by toggling SSO Enabled to off.

    • The Domain parameter is predefined for the first SSO. You need to set it for added SSOs.

      If you add additional SSO providers, you must provide the email Domain in the SSO Integration settings for all providers except the first. Cortex XSIAM uses this domain to determine which identity provider the user should be sent to for authentication.

    • When mapping IdP user groups to Cortex XSIAM user groups, you must include the group attribute for each IdP you want to use. For example, if you are using Microsoft Azure and Okta, your Cortex XSIAM user group SAML Group Mapping field must include the IdP groups for each provider. Each group name is separated by a comma.

  4. Set the following parameters using your organization’s IdP.

    • General 

      Parameter

      Description

      IdP SSO or Metadata URL

      Select the option that meets your organization's requirements.

      Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL, using the format https://<name of Cortex-Tenant>.paloaltonetworks.com/idp/saml. For example, https://tenant1.xdr.paloaltonetworks.com/idp/saml.

      You need this value when configuring your IdP.

      IdP SSO URL

      Specify your organization’s SSO URL, which is copied from your organization’s IdP.

      Metadata URL

      Audience URI (SP Entity ID)

      Indicates your Service Provider Entity ID, also known as the ACS URL. It is a fixed, read-only value using the format https://<name of Cortex-Tenant>.paloaltonetworks.com. For example, https://tenant1.xdr.paloaltonetworks.com.

      You need this value when configuring your organization’s IdP.

      Default Role

      (Optional) Select the default role that you want any user to automatically receive when they are granted access to Cortex XSIAM through SSO. This is an inherited role and is not the same as a direct role assigned to the user.

      IdP Issuer ID

      Specify your organization’s IdP Issuer ID, which is copied from your organization’s IdP.

      X.509 Certificate

      Specify your X.509 digital certificate, which is copied from your organization’s IdP.

      Domain

      Relevant only for multiple SSOs. For one SSO, this is a fixed, read-only value. Associate this IdP with a specific email domain (user@<domain>). When logging in, users are redirected to the IdP associated with their email domain or to the default IdP if no association exists.

    • IdP Attribute Mappings 

      These IdP attribute mappings are dependent on your organization’s IdP.

      Parameter

      Description

      Email

      Specify the email mapping according to your organization’s IdP.

      Group Membership

      Specify the group membership mapping according to your organization’s IdP.

      Note

      Cortex XSIAM requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that includes a comma, which is not compatible with Cortex XSIAM. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma-separated list) by default, you must configure the IdP to send the Group CN (Common Name) instead.

      First Name

      Specify the first name mapping according to your organization’s IdP.

      Last Name

      Specify the last name mapping according to your organization’s IdP.

    • Advanced Settings (Optional)

      The following advanced settings are optional to configure and some are specific for a particular IdP.

      Parameter

      Description

      Relay State

      (Optional) Specify the URL for a specific page that you want users to be directed to after they’ve been authenticated by your organization’s IdP and log in to Cortex XSIAM.

      IdP Single logout URL

      (Optional) Specify your IdP single logout URL provided from your organization’s IdP to ensure that when a user initiates a logout from Cortex XSIAM, the identity provider logs the user out of all applications in the current identity provider login session.

      SP Logout URL

      (Optional) Indicates the Service Provider logout URL that you need to provide when configuring single logout from your organization’s IdP, to ensure that when a user initiates a logout from Cortex XSIAM, the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the following format: https://<name of Cortex-Tenant>.paloaltonetworks.com/idp/logout, for example https://tenant1.xdr.paloaltonetworks.com/idp/logout.

      Service Provider Public Certificate

      (Optional) Specify your organization’s IdP service provider public certificate.

      Service Provider Private Key (Pem Format)

      (Optional) Specify your organization’s IdP service provider private key in PEM format.

      Allow users to log in without entering a password

      (Optional) Select if you want to enable your users to log in to Cortex XSIAM without any further authentication if they're already logged in to your IdP, including when the IdP uses multi-factor authentication.

      Force Authentication

      (Optional) If the IdP requires reauthentication, the users will be prompted to perform a full login.

  5. Save your changes.

    When a user logs in to Cortex XSIAM, the following login options are available. If you selected Allow users to log in without entering a password above, these options are not displayed and the user is logged in without a reauthentication request.

    • Sign-in with SSO: Authenticates using your organization’s IdP, such as Okta or Azure AD.

      When you sign in as an SSO user, the Cortex XSIAM permissions granted to you after logging in, either from the group mapping or from the default role configuration, are effective throughout the entire session for a maximum session length as defined in your session settings. This applies even if the default role configuration is updated or the group membership settings are changed.

      If you have enabled more than one SSO provider, an optional email field displays above the Sign-In with SSO button. If the user does not enter an email address in this field or if the email address does not match an existing domain, the user is automatically directed to the default IdP provider (the first in the list of SSO providers on your Login Options tab under Authentication Settings). If the user enters an email address and it matches a domain listed in the email Domain field in the SSO Integration settings for one of your IdPs, Sign-In with SSO sends the user to the IdP associated with that email domain.

    • Sign-in with your CSP credentials: Users log in with their Customer Support Portal (CSP) credentials, provided they have been added as a user through the CSP.
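As an added illustration of the login routing described above, and not code from Cortex XSIAM, the following script models the two pieces an administrator has to get right when several SSO connections exist: which IdP a user is sent to based on the optional email field (unknown or empty domain goes to the first, default, connection), and the relay-state and read-only SP values that must match the tenant FQDN. The tenant name, the connection names and the email domains are assumed sample values; the URL formats are the ones listed in the parameter tables.

```python
"""Model the multi-IdP login routing and tenant-FQDN requirements this
guide describes. Added illustration only; not Cortex XSIAM code.
Tenant name, connection names and domains are assumed sample values."""
from urllib.parse import urlsplit

TENANT_FQDN = "tenant1.xdr.paloaltonetworks.com"  # assumed sample tenant

# Connections in the order shown on the Login Options tab. The first one is
# the default IdP and has no Domain; every later one must carry a Domain.
SSO_CONNECTIONS = [
    {"name": "okta-corp", "domain": None},
    {"name": "azure-subsidiary", "domain": "subsidiary.example"},
]


def email_domain(email):
    """Domain part of user@<domain>, lower-cased; None if there is none."""
    if not email or "@" not in email:
        return None
    return email.rsplit("@", 1)[1].strip().lower() or None


def select_idp(email, connections):
    """Name of the connection the user is sent to, following the guide:
    no email or an unmatched domain goes to the first (default) IdP;
    a domain matching a later connection's Domain field goes there."""
    domain = email_domain(email)
    if domain is not None:
        for conn in connections[1:]:
            if conn["domain"] and conn["domain"].lower() == domain:
                return conn["name"]
    return connections[0]["name"]


def sp_endpoints(tenant_fqdn):
    """Read-only SP values from the parameter tables that are pasted into
    the IdP, all derived from the tenant FQDN."""
    base = "https://" + tenant_fqdn
    return {
        "SSO URL": base + "/idp/saml",
        "Audience URI (SP Entity ID)": base,
        "SP Logout URL": base + "/idp/logout",
    }


def relay_state_ok(relay_state, tenant_fqdn):
    """IdP-initiated login must use the tenant FQDN as relay state; an
    exact host comparison (no prefix or substring match) enforces that."""
    parts = urlsplit(relay_state)
    return parts.scheme == "https" and parts.hostname == tenant_fqdn.lower()


if __name__ == "__main__":
    for user in ("", "alice@corp.example", "bob@Subsidiary.example"):
        print(repr(user), "->", select_idp(user, SSO_CONNECTIONS))
    for label, url in sp_endpoints(TENANT_FQDN).items():
        print(label + ":", url)
    print("relay state ok:", relay_state_ok("https://" + TENANT_FQDN + "/", TENANT_FQDN))
```

The domain comparison is case-insensitive because the email a user types cannot be assumed to match the case in the Domain field, while the relay-state check compares the full hostname rather than testing for a prefix, so a relay state pointing at some other host is rejected.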