Manage Single Sign-On

Learn how to easily and securely authenticate system users with one set of credentials using SSO with the SAML 2.0 standard.
Cortex XDR enables you to easily and securely authenticate system users across enterprise-wide applications and websites with one set of credentials using single sign-on (SSO) with the Security Assertion Markup Language (SAML) 2.0 standard. This configuration allows system users to authenticate using your organization's Identity Provider (IdP), such as Okta or PingOne. You can integrate any IdP that supports SAML 2.0 with Cortex XDR.
Before configuring SSO with SAML 2.0, you must first activate your Cortex XDR tenant and be assigned an XDR Account Admin role in the Cortex Gateway. This administrator, with either an XDR Account Admin role or an Instance Administrator role, then signs in to Cortex XDR with their Customer Support Portal (CSP) credentials and configures the SAML 2.0 settings in the Single Sign-On page.
The instructions for configuring SSO with SAML 2.0 depend on your organization's IdP. As a result, the instructions below explain how to enable SSO in Cortex XDR and access the fields required for the SSO integration; some of the field values must be supplied from your organization's IdP and some must be added to your organization's IdP. It is the customer's responsibility to understand how to access their organization's IdP to provide these fields and to add any fields from Cortex XDR to their IdP.
To configure single sign-on:
  1. Log in to Cortex XDR and Sign-in with your CSP credentials, where you must be an administrator assigned either the XDR Account Admin role or the Instance Administrator role.
  2. Select Settings > Configurations > Access Management > Single Sign-On.
  3. Toggle to SSO Enabled.
    By default, SSO is disabled in Cortex XDR. When you toggle to SSO Enabled, the SSO parameters are displayed so you can configure them according to your organization's IdP.
  4. Set the following parameters using your organization's IdP.
    • General
      • Single Sign-On URL—Indicates your SSO URL, which is a fixed, read-only value based on your tenant's URL using the format https://<Cortex XDR URL>/idp/saml, such as https://tenant1.xdr.paloaltonetworks.com/idp/saml. You need this value when configuring your organization's IdP.
      • Audience URI (SP Entity ID)—Indicates your Service Provider Entity ID, also known as the ACS URL, and is a fixed, read-only value using the format https://<Cortex XDR URL>, such as https://tenant1.xdr.paloaltonetworks.com. You need this value when configuring your organization's IdP.
      • IdP SSO URL—Specify your organization's SSO URL, which is copied from your organization's IdP.
      • Default Role—(Optional) Select the default role that you want any user to automatically receive when they are granted access to Cortex XDR through SSO. This is an inherited role and is not the same as a direct role assigned to the user.
      • IdP Issuer ID—Specify your organization's IdP Issuer ID, which is copied from your organization's IdP.
      • X.509 Certificate—Specify your X.509 digital certificate, which is copied from your organization's IdP.
    • IdP Attributes Mappings
      These IdP attribute mappings depend on your organization's IdP.
      • Email—Specify the email mapping according to your organization's IdP.
      • Group Membership—Specify the group membership mapping according to your organization's IdP.
      • First Name—Specify the first name mapping according to your organization's IdP.
      • Last Name—Specify the last name mapping according to your organization's IdP.
    • Advanced Settings (Optional)
      The following advanced settings are optional, and some are specific to a particular IdP.
      • Relay State—(Optional) Specify the URL of a specific page that you want users to be directed to after they have been authenticated by your organization's IdP and log in to Cortex XDR.
      • IdP Single Logout URL—(Optional) Specify the IdP single logout URL provided by your organization's IdP, to ensure that when a user initiates a logout from Cortex XDR, the identity provider logs the user out of all applications in the current identity provider login session.
      • SP Logout URL—(Optional) Indicates the Service Provider logout URL that you need to provide when configuring single logout in your organization's IdP, to ensure that when a user initiates a logout from Cortex XDR, the identity provider logs the user out of all applications in the current identity provider login session. This field is read-only and uses the format https://<Cortex XDR URL>/idp/logout, such as https://tenant1.xdr.paloaltonetworks.com/idp/logout.
      • Service Provider Public Certificate—(Optional) Specify your organization's IdP service provider public certificate.
      • Service Provider Private Key (Pem Format)—(Optional) Specify your organization's IdP service provider private key in PEM format.
      • ADFS—(Optional) Select this checkbox when you are configuring Microsoft ADFS services. The following options are then displayed.
        • Compress encode URL (ADFS)—(Optional) Select this checkbox for ADFS encoding.
        • Service Identifier (ADFS)—(Optional) Specify the ADFS service identifier that you are using.
  5. Save your changes.
    Now, whenever an SSO user logs in to Cortex XDR, the following login options are available.
    • Sign-in with SSO—Enables you to be authenticated using your organization's IdP, such as Okta or PingOne.
      When you sign in as an SSO user, the Cortex XDR permissions granted to you after logging in, either from the group mapping or from the default role configuration, are effective throughout the entire session, for a maximum session length as defined in your session security settings. This applies even if the default role configuration is updated or the group membership settings are changed.
    • Sign-in with your CSP credentials—Enables you to log in with your Customer Support Portal (CSP) credentials.
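Whether an SSO login succeeds depends on the values in these fields matching what the IdP actually sends in its SAML Response. The following Python script is an added example, not Cortex XDR or Palo Alto Networks code: it checks a response against the configured Single Sign-On URL, Audience URI (SP Entity ID) and IdP Issuer ID, enforces the assertion's validity window, and resolves the IdP Attributes Mappings into the Email, Group Membership, First Name and Last Name fields. The tenant1 URLs are taken from this page; the IdP issuer, attribute names and user values are constructed, and XML signature verification against the X.509 Certificate field is left out.

```python
# Added example, not Cortex XDR code: check a SAML 2.0 Response against the values
# configured on the Single Sign-On page and resolve the IdP attribute mappings.
# SAMPLE_RESPONSE below is constructed and unsigned; signature checks are out of scope.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_CONFIG = {  # values as shown on the Single Sign-On page; the IdP issuer is constructed
    "sp_entity_id": "https://tenant1.xdr.paloaltonetworks.com",      # Audience URI (SP Entity ID)
    "acs_url": "https://tenant1.xdr.paloaltonetworks.com/idp/saml",  # Single Sign-On URL
    "idp_issuer_id": "https://idp.example.com/metadata",             # IdP Issuer ID
    # IdP Attributes Mappings: Cortex XDR field -> attribute name the IdP sends (constructed)
    "attr_map": {"email": "mail", "groups": "memberOf", "first_name": "givenName", "last_name": "sn"},
}

SAMPLE_RESPONSE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://tenant1.xdr.paloaltonetworks.com/idp/saml">
 <a:Assertion ID="_a1" Version="2.0"><a:Issuer>https://idp.example.com/metadata</a:Issuer>
  <a:Conditions NotBefore="2024-01-01T00:00:00+00:00" NotOnOrAfter="2024-01-01T00:05:00+00:00">
   <a:AudienceRestriction><a:Audience>https://tenant1.xdr.paloaltonetworks.com</a:Audience></a:AudienceRestriction>
  </a:Conditions><a:AttributeStatement>
   <a:Attribute Name="mail"><a:AttributeValue>ana@example.com</a:AttributeValue></a:Attribute>
   <a:Attribute Name="memberOf"><a:AttributeValue>xdr-admins</a:AttributeValue></a:Attribute>
   <a:Attribute Name="givenName"><a:AttributeValue>Ana</a:AttributeValue></a:Attribute>
   <a:Attribute Name="sn"><a:AttributeValue>Silva</a:AttributeValue></a:Attribute>
  </a:AttributeStatement></a:Assertion></p:Response>"""

def validate_response(xml_text, cfg, now_iso):
    """Return the mapped user attributes, or raise ValueError on any mismatch."""
    root = ET.fromstring(xml_text)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    # Destination must be this tenant's ACS URL (the Single Sign-On URL field).
    if root.get("Destination") != cfg["acs_url"]:
        raise ValueError("Destination does not match Single Sign-On URL")
    # Issuer must equal the configured IdP Issuer ID.
    if assertion.findtext("a:Issuer", namespaces=NS) != cfg["idp_issuer_id"]:
        raise ValueError("Issuer does not match IdP Issuer ID")
    # Audience must name this tenant (the Audience URI / SP Entity ID field).
    if cfg["sp_entity_id"] not in [e.text for e in assertion.iterfind(".//a:Audience", NS)]:
        raise ValueError("Audience does not match SP Entity ID")
    # Reject stale or replayed assertions outside their NotBefore/NotOnOrAfter window.
    cond, ts = assertion.find("a:Conditions", NS), datetime.fromisoformat
    if not (ts(cond.get("NotBefore")) <= ts(now_iso) < ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window")
    # Resolve the attribute names the IdP sent into the Cortex XDR fields.
    sent = {at.get("Name"): [v.text for v in at.iterfind("a:AttributeValue", NS)]
            for at in assertion.iterfind(".//a:Attribute", NS)}
    return {field: sent.get(name, []) for field, name in cfg["attr_map"].items()}
```

An empty list for a field means the IdP did not send the attribute named in that mapping, which is the first thing to check when SSO users land in Cortex XDR with only the Default Role.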
