Set up authentication - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Authenticate Cortex XSIAM users using SAML 2.0 or the Cortex Gateway.

You can create users in the Customer Support Portal or by using SAML Single Sign-On (SSO) in the tenant. Users authenticate in one of the following ways:

  • Authenticate through the Customer Support Portal

    When users log in to the Cortex Gateway or the tenant (provided they are assigned a role), they are prompted to sign in to the Customer Support Portal using their username and password or 2FA (if set up). This is the default method of authentication.

    After you have created users, add them to user groups or assign roles directly, if you have not already done so.

  • Authenticate using SAML single sign-on in the Cortex XSIAM tenant

    Users can be authenticated using your IdP, such as Okta, Ping, or Azure AD. You can use any IdP that supports SAML 2.0. After you configure the SSO integration, you need to map SAML group membership to user groups in Cortex XSIAM.

SSO authentication has the following advantages:

  • Removes the administrative burden of requiring separate accounts to be configured through the Customer Support Portal.

  • Enforces multi-factor authentication (MFA) and any conditional access policies on the user login at the IdP before granting a user access to Cortex XSIAM.

  • Maps SAML group memberships to user groups and roles, allowing you to manage role-based access control.

  • Removes access to Cortex XSIAM when a user is removed or disabled in the IdP.

Customer Support Portal authentication, by contrast, is useful if you have users who need the same permissions across multiple tenants. If you use SSO for multiple tenants, you must set up the SSO configuration separately for each tenant, both in the IdP and in Cortex XSIAM.

If you want to restrict user login to SSO only, remove any direct role and user group mapping for the user on the Cortex Gateway or the Cortex XSIAM tenant. This removes Customer Support Portal access for the user. You then need to ensure that you add the SAML group mapping, so that the user acquires user groups and roles based on the SAML group mapping. Once completed, the user can access Cortex XSIAM using SSO only and cannot use the Customer Support Portal login method.

For more information, see Assign user roles and groups.


You should have at least one user in the Customer Support Portal for backup, in case of any authentication issues with your IdP.
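
The audit below is an added example, not Palo Alto Networks code: it checks a constructed user inventory against the SSO-only procedure and the backup-user recommendation above. The record fields, the role and group names, and the `classify` and `audit` helpers are hypothetical and do not reflect a Cortex XSIAM export format or API.

```python
# Constructed sample data; field, role and group names are hypothetical.
SAML_GROUP_MAPPING = {  # IdP SAML group -> Cortex XSIAM user group
    "idp-soc-analysts": "SOC Analysts",
    "idp-soc-admins": "Tenant Admins",
}
USERS = [
    {"email": "alice@example.com", "direct_role": None,
     "direct_groups": [], "idp_groups": ["idp-soc-analysts"]},
    {"email": "bob@example.com", "direct_role": "Example Viewer",
     "direct_groups": [], "idp_groups": ["idp-soc-analysts"]},
    {"email": "carol@example.com", "direct_role": None,
     "direct_groups": [], "idp_groups": ["idp-finance"]},
    {"email": "breakglass@example.com", "direct_role": "Example Admin",
     "direct_groups": [], "idp_groups": []},
]


def classify(user, mapping):
    """Return (login_path, user_groups_granted_via_saml) for one user."""
    # A direct role or direct user group keeps Customer Support Portal login open.
    csp = bool(user["direct_role"] or user["direct_groups"])
    # SSO grants access only when an IdP group is mapped to a user group.
    sso_groups = sorted({mapping[g] for g in user["idp_groups"] if g in mapping})
    if csp:
        return ("csp_and_sso" if sso_groups else "csp_only"), sso_groups
    return ("sso_only" if sso_groups else "no_access"), sso_groups


def audit(users, mapping, intended_backup):
    """Flag users who break the SSO-only intent and check for a backup user."""
    paths = {u["email"]: classify(u, mapping)[0] for u in users}
    findings = []
    for email, path in paths.items():
        if email in intended_backup:
            continue  # backup accounts are expected to keep portal login
        if path in ("csp_and_sso", "csp_only"):
            findings.append((email, "direct role or group still assigned"))
        elif path == "no_access":
            findings.append((email, "no mapped SAML group: user is locked out"))
    # Backup recommendation: at least one account must still log in without the IdP.
    if not any(paths.get(e) in ("csp_only", "csp_and_sso") for e in intended_backup):
        findings.append(("tenant", "no Customer Support Portal backup user"))
    return paths, findings


if __name__ == "__main__":
    for who, issue in audit(USERS, SAML_GROUP_MAPPING, {"breakglass@example.com"})[1]:
        print(f"{who}: {issue}")
```
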