This topic provides specific instructions for using Azure AD to authenticate your Cortex XSIAM users. As Azure AD is third-party software, specific procedures, and screenshots may change without notice. We encourage you to also review the Azure AD documentation.
To configure SAML SSO in Cortex XSIAM, you must be a user who can access the Cortex XSIAM tenant and have either the Account Admin or Instance Administrator role assigned.
From within Azure AD, create a Cortex XSIAM application and Edit the Basic SAML Configuration.
Paste the Single sign-on URL and the Audience URI (SP Entity ID) that you copied from the Cortex XSIAM SSO settings. The Single sign-on URL from Cortex XSIAM should be pasted in the Reply URL and the Sign on URL fields. The Audience URI (SP Entity ID) value from Cortex XSIAM should be pasted in the Identifier (Entity ID) and Relay State fields. This allows users to log in to Cortex XSIAM directly from Azure AD.
In the SAML Certificates section, click Edit and verify that Azure is configured to sign both the response and the assertion.
To have Azure AD send group membership for the user in the SAML token, you must + Add a group claim in the Attributes & Claims section. Send the Security groups, using the source attribute Group ID. Use the word or phrase you selected when configuring Azure AD security groups (such as Cortex XSIAM) to create a filter. Customize the name of the group claim as memberOf.
In addition to group membership, verify that there are also claims for:
Email address
First Name
Last Name
In Azure, from the Single sign-on page, in the Set up Cortex XSIAM Production section, copy the values for the Login URL and Azure AD Identifier. You need these values to configure the SSO Integration in Cortex XSIAM.
Edit Attributes & Claims and copy the values in the Claim name column. The claim name is case sensitive. You need these values to configure the SSO Integration in Cortex XSIAM.
Note
The default attributes shown on the main single sign-on page in Azure AD are not the values you need. You must click Edit next to Attributes and Claims to view and copy the actual values.
From the SAML Certificates section in Azure AD, Download the Certificate (Base64). You need the contents of this file to configure the Cortex XSIAM SSO Integration.
In Cortex XSIAM go to → → → .
In the Login Options tab, toggle SSO Disabled to on.
By default, SSO is disabled in Cortex XSIAM.
Expand the SSO Integration settings.
Use the following table to complete the SSO Integration settings, based on the values you saved from Azure AD.
Azure AD
Cortex XSIAM Field
Login URL
IdP SSO URL
Azure AD Identifier
IdP Issuer ID
Contents of the downloaded certificate file.
X.509 Certificate
In the IdP Attributes Mapping section, enter the attribute claim names from Azure AD. The names are case sensitive and must match exactly.
Note
The attribute claim name must exactly match the value sent by your IdP. In some cases, this may be the full attribute name/namespace, depending on the configuration of our IdP
(Optional) Under Advanced Settings, select the checkboxes for ADFS and Compress encode URL (ADFS). In some circumstances, these fields may be required by your Azure AD configuration.
Save your settings.