Configure user authentication for a communication task.
When sending a form in a communication task, you can configure user authentication to ensure only authorized users gain access to the form.
The authorized users are usually external users who do not have Cortex XSOAR accounts; authenticating them for the form does not give them access to anything else in Cortex XSOAR.
Define in your IdP (for example, Okta) a dedicated group of external users who you want to authenticate.
Select → → → .
In the Communication Task Authentication tab, toggle Enable Communication task SSO Connection. Set the following parameters using values from your organization's IdP.
General

Single Sign-on URL: Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL using the format https://<name of Cortex-XSOAR>.paloaltonetworks.com/idp/saml. For example, https://tenant1.xsoar.paloaltonetworks.com/idp/saml. You need this value when configuring your IdP.

Audience URI (SP Entity ID): Indicates your Service Provider Entity ID, also known as the ACS URL. It is a fixed, read-only value using the format https://<name of Cortex-XSOAR>.paloaltonetworks.com. For example, https://tenant1.xdr.paloaltonetworks.com. You need this value when configuring your organization's IdP.

IdP SSO URL: Specify your organization's SSO URL, which is copied from your organization's IdP.

IdP Issuer ID: Specify your organization's IdP Issuer ID, which is copied from your organization's IdP.

X.509 Certificate: Specify your X.509 digital certificate, which is copied from your organization's IdP.
IdP Attribute Mappings

These IdP attribute mappings depend on your organization's IdP.

Email: Specify the email mapping according to your organization's IdP.

Group Membership: Specify the group membership mapping according to your organization's IdP.

First Name: Specify the first name mapping according to your organization's IdP.

Last Name: Specify the last name mapping according to your organization's IdP.
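The following is an added illustration, not Cortex XSOAR code, of what the attribute mappings above do once an IdP assertion arrives: the IdP attribute names configured under Email, Group Membership, First Name and Last Name are translated into the fields the form needs, and the recipient is admitted only if the assertion was issued for this tenant's SP Entity ID and the mapped groups include the dedicated external-user group from step 1. The attribute names (`user.email`, `memberOf`, ...), the group name `xsoar-form-recipients`, the IdP issuer and the sample assertion are all constructed; signature verification is outside this example.

```python
"""Apply IdP attribute mappings to a SAML assertion and decide whether a form
recipient is authorized. Added illustration; not Cortex XSOAR code. Attribute
names, group name, issuer and the sample assertion are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: the IdP attribute names an Okta-style IdP might emit. In the
# product these are the values entered under "IdP Attribute Mappings".
ATTRIBUTE_MAPPINGS = {
    "email": "user.email",
    "groups": "memberOf",
    "first_name": "user.firstName",
    "last_name": "user.lastName",
}

# Constructed: the dedicated IdP group of external users allowed to open forms.
ALLOWED_GROUP = "xsoar-form-recipients"

# The read-only SP Entity ID from the General tab (example tenant from the page).
SP_ENTITY_ID = "https://tenant1.xsoar.paloaltonetworks.com"

# Constructed sample assertion (unsigned; signature checks are out of scope here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc" Version="2.0">
  <saml:Issuer>http://www.okta.com/exk-constructed</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://tenant1.xsoar.paloaltonetworks.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="user.email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>everyone</saml:AttributeValue>
      <saml:AttributeValue>xsoar-form-recipients</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="user.firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user.lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {idp_attribute_name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def audience_matches(assertion_xml, sp_entity_id):
    """True only if the assertion was issued for this SP Entity ID (Audience URI)."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return sp_entity_id in audiences


def map_user(attrs, mappings):
    """Translate IdP attribute names into the fields the form needs."""
    def first(field):
        values = attrs.get(mappings[field], [])
        return values[0] if values else None
    return {
        "email": first("email"),
        "first_name": first("first_name"),
        "last_name": first("last_name"),
        "groups": attrs.get(mappings["groups"], []),
    }


def authorize(assertion_xml, mappings=ATTRIBUTE_MAPPINGS, allowed_group=ALLOWED_GROUP, sp_entity_id=SP_ENTITY_ID):
    """Return (allowed, user). Deny on wrong audience, missing email or missing group."""
    if not audience_matches(assertion_xml, sp_entity_id):
        return False, None
    user = map_user(extract_attributes(assertion_xml), mappings)
    if not user["email"]:
        return False, user
    return allowed_group in user["groups"], user


if __name__ == "__main__":
    allowed, user = authorize(SAMPLE_ASSERTION)
    print("allowed:", allowed, user)
```

The group check is what turns "authenticated by the IdP" into "authorized to see this form": a user the IdP vouches for but who is outside the dedicated group is still refused, and an assertion minted for a different tenant is refused before any attribute is read.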
Advanced Settings (Optional)

The following advanced settings are optional, and some apply only to a particular IdP.

Relay State: (Optional) Specify the URL of a specific page that you want users to be directed to after they have been authenticated by your organization's IdP and logged in to Cortex XSOAR.

IdP Single logout URL: (Optional) Specify the single logout URL provided by your organization's IdP, so that when a user initiates a logout from Cortex XSOAR, the identity provider logs the user out of all applications in the current identity provider login session.

SP Logout URL: (Optional) Indicates the Service Provider logout URL that you provide when configuring single logout in your organization's IdP, so that when a user initiates a logout from Cortex XSOAR, the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the format https://<name of Cortex-XSOAR>.paloaltonetworks.com/idp/logout, such as https://tenant1.xsoar.paloaltonetworks.com/idp/logout.

Service Provider Public Certificate: (Optional) Specify your organization's IdP service provider public certificate.

Service Provider Private Key (Pem Format): (Optional) Specify your organization's IdP service provider private key in PEM format.

Remove SAML RequestedAuthnContext: (Optional) Requires users to log in to Cortex XSOAR using additional authentication methods, such as biometric authentication. Selecting this removes the error generated when the authentication method used for a previous authentication differs from the one currently being requested. See here for more details about the RequestedAuthnContext authentication mismatch error.

Force Authentication: (Optional) Requires users to reauthenticate to access the Cortex XSOAR tenant if requested by the IdP, even if they have already authenticated to access other applications.
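The last two settings change the SAML AuthnRequest the service provider sends to the IdP. As an added illustration (not Cortex XSOAR code), the block below builds a minimal AuthnRequest and shows the two effects: Force Authentication sets `ForceAuthn="true"`, which tells the IdP to re-authenticate even when an IdP session already exists, and Remove SAML RequestedAuthnContext omits the `<RequestedAuthnContext>` element, so the IdP is not asked for one exact authentication context and cannot raise a mismatch against a stronger method used earlier in the session. The IdP SSO URL `https://idp.example.com/sso/saml` and the context class used in the default request are assumptions; the SP URLs are the page's example tenant.

```python
"""Build a SAML AuthnRequest and show what the two advanced toggles change.
Added illustration, not Cortex XSOAR code. The IdP SSO URL and the default
authentication context class are assumptions."""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Example tenant from the page: SP Entity ID and Single Sign-on URL (the latter
# is used here as the assertion consumer URL, an assumption).
SP_ENTITY_ID = "https://tenant1.xsoar.paloaltonetworks.com"
SP_SSO_URL = "https://tenant1.xsoar.paloaltonetworks.com/idp/saml"
IDP_SSO_URL = "https://idp.example.com/sso/saml"  # assumption: your IdP SSO URL

# Assumption: the context an SP might request by default when the toggle is off.
DEFAULT_CONTEXT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def build_authn_request(force_authn=False, remove_requested_authn_context=False,
                        request_id=None, issue_instant=None):
    """Return the AuthnRequest as an XML string.

    force_authn: emit ForceAuthn="true" so the IdP re-authenticates the user even
      if an IdP session exists (the "Force Authentication" setting).
    remove_requested_authn_context: omit <RequestedAuthnContext>, so the IdP may
      satisfy the request with any method instead of failing on a context
      mismatch (the "Remove SAML RequestedAuthnContext" setting).
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_SSO_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    if not remove_requested_authn_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = DEFAULT_CONTEXT_CLASS
    return ET.tostring(req, encoding="unicode")


def describe(xml_text):
    """Report how the two toggles appear in a request (useful when debugging
    a mismatch error from the IdP's SAML trace)."""
    root = ET.fromstring(xml_text)
    return {
        "force_authn": root.get("ForceAuthn") == "true",
        "has_requested_authn_context": root.find(f"{{{SAMLP}}}RequestedAuthnContext") is not None,
    }


if __name__ == "__main__":
    print(describe(build_authn_request()))
    print(describe(build_authn_request(force_authn=True, remove_requested_authn_context=True)))
```

Comparing the two outputs side by side is a quick way to confirm, from your IdP's SAML trace, which of the two toggles actually reached the request when troubleshooting a RequestedAuthnContext mismatch.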
In the Task details of your playbook communication task, select Require users to authenticate so that your SAML or AD configuration authenticates the recipient before allowing access to the form.