User Authentication for Multi-Tenant Deployments - Multi-Tenant Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Multi-Tenant Guide

Cortex XSOAR
Creation date
Last date published
Multi-Tenant Guide

Authenticate Cortex XSOAR users using SAML 2.0 or the Cortex Gateway in a multi-tenant deployment

You can authenticate users by doing one or both of the following options:

  • User authentication in the Customer Support Portal

    Any user who has a Customer Support Portal (CSP) account can be given permissions to access your tenants and login to them through the Cortex Gateway or to the tenant directly. When users log into the Cortex Gateway or the tenant (provided they are assigned a role) they are prompted to sign into the CSP using their username and password. This is the default method of authentication. As soon as they are added to the CSP, you can manage them in the Cortex Gateway or in the Cortex XSOAR tenant. You can also manage roles in the Cortex Gateway and in the Cortex XSOAR tenant.


    Although you can manage roles and user groups in the Cortex Gateway, it is recommended to create roles and user groups in each tenant because you may want different roles and user groups in different environments, such as dev/prod. Assigning roles in the Cortex Gateway enables you to assign roles for all tenants including all Cortex products.

    Roles, permissions, and user groups are propagated to child tenants if the roles and user groups are created in the Cortex Gateway, not if they are created in the main tenant.

    For more information about authentication in Cortex XSOAR, see User Authentication.

  • SAML Single Sign On

    Enables the user to log into Cortex XSOAR via SSO, by configuring single sign-on using SAML 2.0 Authenticate users using SAML 2.0 authentication with your identity provider, such as Okta. You define Cortex XSOAR authentication in your identity provider’s account and configure the SSO settings in Cortex XSOAR. SAML 2.0 authentication must be set up separately for your main tenant and for each individual child tenant. There is no propagation of SSO from the main tenant to child tenants.


    • You can view SSO users from the Cortex Gateway, but SSO users do not have access to the Cortex Gateway.

    • You can have multiple IdP providers with separate SSO configurations on a tenant. For example, for a co-managed tenant, an MSSP and an end customer would use different providers for the same tenant.

If you do not want a user to have access to all tenants, the user should be added using SSO in each tenant. For example, for an MSSP with co-managed tenants (a tenant where management is shared between the MSSP and the end customer), the MSSP’s analysts and the end customer’s analysts need access to the child tenant. If the MSSP’s analysts need access to every child tenant (for multiple end customers), you can either add them in the CSP or through SSO, by configuring SSO for the main tenant and for each child tenant. To restrict their access to only one tenant, the end customer’s analysts must have SSO access configured directly on the child tenant. End customer users should not be created as users in the CSP.

If you require users to be automatically propagated to all tenants, you must use the Cortex Gateway. SSO does not propagate from the main tenant to child tenants.