
Update the external IDP (SAML) Authenticator to enable IDP-initiated access to the Cylance console

Four simple steps to configure your external IDP (SAML) authenticator to provide administrators with SSO access to the Cylance console.

Authenticators that were created before December 2023 do not allow users to directly access the Cylance console from their IDP console. To allow users to access the Cylance console from your IDP, you must generate a new SSO callback URL. This URL is generated when a new authenticator is created.

Important: Complete these steps only if your authenticator was created before December 2023 and you want to enable the IDP-initiated Proxy feature to allow users to use single sign-on (SSO) to access the Cylance console after logging in to the users’ external IDP portal.

Before you begin: Verify the Reply URL of the authenticator that was created to communicate with Cylance Endpoint Security. Complete the following steps:

In the Cylance console, open the Custom SAML Authenticator (Settings > Authentication).

In this workflow, you will complete the following tasks:

      1. In the Cylance console, you will
            a.  Generate a new SSO callback URL. 
            b.  Update your authentication policy.
      2. In the external IDP environment, update the Trusted URL with the SSO callback URL that was generated in the Cylance console.

Important: The claim names in the external IDP configuration must match the claim names in the Cylance Endpoint Security authenticator configuration so that the management console can retrieve the users’ credentials. If they do not match, users cannot sign in to the management console.

In this example, we are configuring Active Directory Federation Services (ADFS) for SSO access to the Cylance console. ADFS uses “Relying Party Trusts” when it manages SAML integrations.

The following information will be recorded and must match between the Cylance console authenticator and the ADFS environment.

  Cylance console authenticator                                        External IDP console
  -----------------------------                                        --------------------
  SSO callback URL                                                     Trusted URL
  (format: https://login.eid.blackberry.com/_/resume/saml20/<hash>)

The following tasks walk you through the steps to update your SSO callback URL and enable the IDP-initiated Proxy feature.


1. In the Cylance console, generate a new SSO Callback URL.

Use the copy option to copy your authenticator information and create the new SSO callback URL.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

  1. Open the Authenticators screen (Settings > Authentication).
  2. Click the current Custom SAML Authenticator (for example, Enhanced Authentication). 
  3. Click the Copy icon in the upper-right corner of the screen (see image to the left).
    When you click the copy button, the existing Authenticator heading changes from “Edit authenticator” to “Copy authenticator” and the current SSO callback URL field is removed.
  4. Update the name of the copied authenticator (for example, Enhanced Authentication – New SSO callback URL). Click Save.
  5. Open the Authenticator that you copied. Record the SSO callback URL. Verify that the SSO URL is in the format https://login.eid.blackberry.com/_/resume/saml20/<hash> (see image to the left).
    This URL will be added to the Trusted URL field in the ADFS console in a later step.

2. Update the Authentication policy with the new SSO callback URL.

Add the updated authenticator to your authentication policy. You can also add the updated authenticator to the default authentication policies for the console, CylancePROTECT Mobile app, or CylanceGATEWAY agent. 

Assign the policy to one administrator to verify the sign-in policy is functioning as expected. Only one policy type can be assigned to a user. You can then assign the authentication policy to your users.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

  1. On the menu bar, click Settings > User Policy.
  2. Click the Authentication tab.
  3. Click the policy that you created for the authenticator.
  4. In the Authenticator rules section, click Add Authenticator.
    In the Add authenticator dialog box, select the copied authenticator (Enhanced Authentication – New SSO callback URL) that you created in step 1 (see image to the left).
  5. Click Save.
  6. Delete the current SAML authenticator from the Authentication rules list.
  7. Click Save.
  8. Delete the previous Custom authenticator (for example, Enhanced Authentication). 

3. In the ADFS console, update the current Trusted URL in the Relying Party Trusts.

Update the current Trusted URL with the newly generated SSO callback URL to allow ADFS users to communicate with and access the Cylance console directly from the ADFS user’s portal.

In the image, the numbers correspond to the Step number in the procedure; not all steps are represented in the image. 

  1. Open the ADFS Management console.
  2. Click the Relying Party Trusts folder.
  3. Double-click the Relying Party Trust that was created to communicate with Cylance Endpoint Security.
  4. On the Endpoint tab, update the SAML Assertion Consumer Endpoints.
      a. In the SAML Assertion Consumer Endpoints URL section, double-click the URL.
      b. Verify the following (see the image to the left):
            •  Binding is set to POST.
            •  Index is set to 0.
      c. In the Trusted URL field, delete the current URL and paste the SSO callback URL that was generated in step 1 (see image to the left).
      d. Click OK.
      e. Click Apply.
  5. Assign users or groups to an application. When users or groups are assigned to an application, it will appear in the users’ ADFS user portal and allow the users to directly access the Cylance console using the assigned application. For more information on how to assign an application, see your external IDP documentation.
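The settings checked by hand in step 4 (POST binding, index 0, and the Trusted URL equal to the SSO callback URL from step 1) can also be confirmed from the ADFS server itself. The following PowerShell is an added example, not part of this guide or of the Cylance product; it assumes the ADFS PowerShell module is available on the ADFS server, that the relying party trust display name and the callback URL are substituted for the placeholder values, and it also prints the trust's issuance rules so the claim names can be compared with the Cylance authenticator configuration.

```powershell
# Added example (not from the BlackBerry documentation). Run in an elevated PowerShell
# session on the ADFS server after completing step 3.
Import-Module ADFS

function Test-CylanceRelyingPartyTrust {
    param(
        [Parameter(Mandatory)][string]$TrustName,       # display name of the relying party trust
        [Parameter(Mandatory)][string]$NewCallbackUrl   # SSO callback URL recorded in step 1
    )
    $trust = Get-AdfsRelyingPartyTrust -Name $TrustName
    if (-not $trust) { throw "Relying party trust '$TrustName' not found." }

    # Only the SAML Assertion Consumer endpoint delivers the SAML response to Cylance.
    $acs = @($trust.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' })
    $problems = @()
    if ($acs.Count -ne 1) { $problems += "Expected one SAML Assertion Consumer endpoint, found $($acs.Count)." }

    foreach ($ep in $acs) {
        $uri = $ep.Location.AbsoluteUri
        if ($ep.Binding -ne 'POST') { $problems += "Binding is '$($ep.Binding)'; expected POST." }
        if ($ep.Index -ne 0)        { $problems += "Index is $($ep.Index); expected 0." }
        if ($uri -notlike 'https://login.eid.blackberry.com/_/resume/saml20/*') {
            $problems += "Trusted URL '$uri' is not in the https://login.eid.blackberry.com/_/resume/saml20/<hash> format."
        } elseif ($uri -ne $NewCallbackUrl) {
            $problems += "Trusted URL '$uri' is not the SSO callback URL generated in step 1 (old authenticator URL still configured?)."
        }
    }

    # The claim names issued here must match the names configured on the Cylance authenticator;
    # print the issuance rules so they can be compared with the authenticator's claim mapping.
    Write-Host "Issuance transform rules for '$TrustName':"
    Write-Host $trust.IssuanceTransformRules

    if ($problems.Count -eq 0) {
        Write-Host 'OK: Trusted URL, binding and index match the Cylance requirements.'
    } else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
    return ($problems.Count -eq 0)
}

# Placeholder values: substitute your trust name and the URL recorded in step 1.
Test-CylanceRelyingPartyTrust -TrustName 'Cylance Endpoint Security' `
    -NewCallbackUrl 'https://login.eid.blackberry.com/_/resume/saml20/<hash>'
```

A result of False means at least one setting still points at the previous authenticator or uses a binding the Cylance authenticator does not accept; repeat step 4 before assigning the application to users.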

4. Verify that you can sign in to the Cylance console.

  1. Verify that you can sign out of and back in to the Cylance console. Sign out, then sign in again from the sign-in page using the administrator account that was assigned the updated authentication policy in step 2 of this workflow and your ADFS credentials.

    Warning: Make sure that you sign in to the Cylance console from the primary sign-in page using your ADFS credentials. If you test the sign-in from the “Or sign in with your External Identity Provider” page and then disable Custom Authentication, you may become locked out of the console.

  2. Verify that you can sign in to the Cylance console from the application that you assigned in step 3. If you cannot access the console from the application, visit support.blackberry.com/community to read article 114834.

5. That's it!

You have successfully enabled the IDP-initiated Proxy feature. 

Users can now sign in to the Cylance console using one of the following methods:

  • Cylance console sign-in: Go to the Cylance console sign-in page and sign in directly using your ADFS authentication (see image to the left).
  • IDP-initiated sign-in: Sign in to your user portal and click the application that was created in step 3 to use single sign-on to the Cylance console (see image to the left).

For more information about configuring external IDPs to communicate with the Cylance console and allowing users to sign in using single sign-on, see the Cylance Endpoint Security Setup Guide.