Use Multiple SAML 2.0 Providers - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


In Cortex XSIAM, you can use multiple SAML SSO providers.

To view providers, go to Settings > Configurations > Access Management > Authentication Settings. To add another provider, select Add SSO Connection.

When using two or more SSO providers:

  • The first provider in the list is used as the default SSO provider. The Domain parameter is predefined for the first SSO provider.

  • If you add additional SSO providers, you must provide the email Domain in the SSO Integration settings for all providers except the first. Cortex XSIAM uses this domain to determine which identity provider the user should be sent to for authentication. On the Cortex XSIAM login page, if you have enabled more than one SSO provider, an optional email field appears above the Sign-In with SSO button. If the user does not enter an email address in this field, or if the email address does not match an existing domain, the user is automatically directed to the default IdP (the first in the list of SSO providers). If the user enters an email address and it matches a domain listed in the email Domain field in the SSO Integration settings for one of your IdPs, Sign-In with SSO sends the user to the IdP associated with that email domain.

  • When mapping IdP user groups to Cortex XSIAM user groups, you must include the group attribute for each IdP you want to use. For example, if you are using Microsoft Azure and Okta, your Cortex XSIAM user group SAML Group Mapping field must include the IdP groups for each provider. Each group name is separated by a comma.
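
The routing rules above, modelled as an added example (this is not Palo Alto Networks code). The provider records, field names and sample domains are hypothetical, and case-insensitive domain matching is an assumption of this model; the `audit` function flags additional providers that the login page's email field could never select.

```python
# Added illustration of the routing rules described in this guide.
# Provider records and field names are hypothetical, not a Cortex XSIAM export format.

def email_domain(email):
    """Return the lower-cased domain of an email address, or None if unusable."""
    if not email or email.count("@") != 1:
        return None
    local, domain = email.strip().split("@")
    return domain.lower() if local and domain else None


def select_idp(providers, email=None):
    """Pick the IdP for a login: email-domain match, else the first (default) provider."""
    domain = email_domain(email)
    if domain:
        for p in providers[1:]:  # the first provider's Domain is predefined
            # Assumption: domains are compared case-insensitively.
            if (p.get("domain") or "").strip().lower() == domain:
                return p["name"]
    return providers[0]["name"]  # no email, or no matching domain


def audit(providers):
    """Report additional providers that the email field can never route to."""
    findings, seen = [], {}
    for p in providers[1:]:
        domain = (p.get("domain") or "").strip().lower()
        if not domain:
            findings.append(f"{p['name']}: no email Domain set, unreachable from the login page")
        elif domain in seen:
            findings.append(f"{p['name']}: Domain {domain} already used by {seen[domain]}")
        else:
            seen[domain] = p["name"]
    return findings


# Constructed sample configuration (names and domains are placeholders).
PROVIDERS = [
    {"name": "okta-default"},
    {"name": "azure-emea", "domain": "emea.example.com"},
    {"name": "azure-lab", "domain": ""},
]

if __name__ == "__main__":
    for email in (None, "a@emea.example.com", "b@other.example.org"):
        print(email, "->", select_idp(PROVIDERS, email))
    print(audit(PROVIDERS))
```

The email field only selects which IdP receives the authentication request; a missing or unmatched address always lands on the first provider in the list.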