Learn how to easily and securely authenticate system users with one set of credentials using SSO with the SAML 2.0 standard.
Cortex XSOAR enables you to securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with SAML 2.0. System users can authenticate using your organization's Identity Provider (IdP).
Configuring SSO with SAML 2.0 is dependent on your organization’s IdP. Some parameter values need to be supplied from your organization’s IdP and some need to be added to your organization’s IdP. You should have sufficient knowledge about IdPs, how to access your organization’s IdP, which values to add to Cortex XSOAR, and which values to add to your IdP fields.
To configure SSO, you must have the Instance Administrator or Account Admin role.
Tip
SAML 2.0 users must log in to Cortex XSOAR using the FQDN (full URL) of the tenant. To allow login directly from the IdP to Cortex XSOAR, you must set the relay state on the IdP to the FQDN of the tenant.
If you have multiple tenants, you must set up the SSO configuration separately for each tenant, both in the IdP and in Cortex XSOAR.
Create groups in your IdP that correspond to the roles in Cortex XSOAR and assign users to those groups in your IdP. Users can belong to multiple groups and receive permissions associated with multiple roles. Add the appropriate SAML group mapping from your IdP to each Cortex XSOAR role.
For users migrating from Cortex XSOAR 6, you must replace the migrated SSO settings with new Cortex XSOAR 8 SSO settings. We recommend defining a new application in your IdP, rather than editing the existing Cortex XSOAR 6 settings.
If you are configuring Okta or Azure, follow the procedure in Okta and Azure AD. You can also adapt these instructions for any similar SAML 2.0 IdP.
In Cortex XSOAR, go to → → → .
In the Login Options tab, toggle SSO Enabled to on.
You can see the SSO settings, so you can configure them according to your organization's IdP.
If you want to add an SSO to enable managing user groups with different roles and different IdPs, click Add SSO Connection.
Different SSO parameters for an SSO are displayed to configure according to your organization’s additional IdP.
Note
The first SSO cannot be deleted, it can only be deactivated by toggling SSO Enabled to off.
The Domain parameter is predefined for the first SSO. You need to set it for added SSOs.
If you add additional SSO providers, you must provide the email Domain in the SSO Integration settings for all providers except the first. Cortex XSOAR uses this domain to determine which identity provider the user should be sent to for authentication.
When mapping IdP user groups to Cortex XSOAR user groups, you must include the group attribute for each IdP you want to use. For example, if you are using Microsoft Azure and Okta, your Cortex XSOAR user group SAML Group Mapping field must include the IdP groups for each provider. Each group name is separated by a comma.
Set the following parameters using your organization’s IdP.
General
Parameter
Description
IdP SSO or Metadata URL
Select the option that meets your organization's requirements.
Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL using the format
https://. For example,<name of Cortex-XSOAR>.paloaltonetworks.com/idp/samlhttps://tenant1.xsoar.paloaltonetworks.com/idp/samlYou need this value when configuring your IdP.
IdP SSO URL
Specify your organization’s SSO URL, which is copied from your organization’s IdP.
Metadata URL
Audience URI (SP Entity ID)
Indicates your Service Provider Entity ID, also known as the ACS URL. It is a fixed, read-only value using the format,
https://. For example<name of Cortex-XSOAR>.paloaltonetworks.comhttps://tenant1.xdr.paloaltonetworks.com.You need this value when configuring your organization’s IdP.
Default Role
(Optional) Select the default role that you want any user to automatically receive when they are granted access to Cortex XSOAR through SSO. This is an inherited role and is not the same as a direct role assigned to the user.
IdP Issuer ID
Specify your organization’s IdP Issuer ID, which is copied from your organization’s IdP.
X.509 Certificate
Specify your X.509 digital certificate, which is copied from your organization’s IdP.
Domain
Relevant only for multiple SSOs. For one SSO, this is a fixed, read-only value. Associate this IdP with a specific email domain (user@<domain>). When logging in, users are redirected to the IdP associated with their email domain or to the default IdP if no association exists.
IdP Attribute Mappings
These IdP attribute mappings are dependent on your organization’s IdP.
Parameter
Description
Email
Specify the email mapping according to your organization’s IdP.
Group Membership
Specify the group membership mapping according to your organization’s IdP.
Note
Cortex XSOAR requires the IdP to send the group membership as part of the SAML token. Some IdPs send values in a format that include a comma, which is not compatible with Cortex XSOAR. In that case, you must configure your IdP to send a single value without a comma for each group membership. For example, if your IdP sends the Group DN (a comma separated list), by default, you must configure IdP to send the the Group CN (Common Name) instead.
First Name
Specify the first name mapping according to your organization’s IdP.
Last Name
Specify the last name mapping according to your organization’s IdP.
Advanced Settings (Optional)
The following advanced settings are optional to configure and some are specific for a particular IdP.
Parameter
Description
Relay State
(Optional) Specify the URL for a specific page that you want users to be directed to after they’ve been authenticated by your organization’s IdP and log in to Cortex XSOAR.
IdP Single logout URL
(Optional) Specify your IdP single logout URL provided from your organization’s IdP to ensure that when a user initiates a logout from Cortex XSOAR, the identity provider logs the user out of all applications in the current identity provider login session.
SP Logout URL
(Optional) Indicates the Service Provider logout URL that you need to provide when configuring single logout from your organization’s IdP to ensure that when a user initiates a logout from Cortex XSOAR, the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the following format
https://<name of Cortex-XSOAR>.paloaltonetworks.com/idp/logout, such ashttps://tenant1.xsoar.paloaltonetworks.com/idp/logout.Service Provider Public Certificate
(Optional) Specify your organization’s IdP service provider public certificate.
Service Provider Private Key (Pem Format)
(Optional) Specify your organization’s IdP service provider private key in Pem Format.
Remove SAML RequestedAuthnContext
(Optional) Requires users to log in to Cortex XSOAR using additional authentication methods, such as biometric authentication.
Selecting this removes the error generated when the authentication method used for previous authentication is different from the one currently being requested. See here for more details about the
RequestedAuthnContextauthentication mismatch error.Force Authentication
(Optional) Requires users to reauthenticate to access the Cortex XSOAR tenant if requested by the idP, even if they already authenticated to access other applications.
Save your changes.
When a user logs in to Cortex XSOAR, the following login options are available.
Sign-in with SSO: Authenticates using your organization’s IdP, such as Okta or Azure AD.
When you sign in as an SSO user, the Cortex XSOAR permissions granted to you after logging in, either from the group mapping or from the default role configuration, are effective throughout the entire session for a maximum session length as defined in your Session Security Settings. This applies even if the default role configuration is updated or the group membership settings are changed.
If you have enabled more than one SSO provider, an optional email field displays above the Sign-In with SSO button. If the user does not enter an email address in this field or if the email address does not match an existing domain, the user is automatically directed to the default IdP provider (the first in the list of SSO providers on your Login Options tab under Authentication Settings). If the user enters an email address and it matches a domain listed in the email Domain field in the SSO Integration settings for one of your IdPs, Sign-In with SSO sends the user to the IdP associated with that email domain.
Sign-in with your CSP credentials: Users log in with their Customer Support Portal (CSP) credentials, provided they have been added as a user through the CSP.