Configure an external IDP (SAML) Authenticator for Enhanced Authentication

Five simple steps to configure your external (SAML) authenticator to provide administrators with SSO access to the Cylance console.

You can configure the authenticator using one of the following two methods. BlackBerry recommends that you use the secure method to set up the authenticator for Cylance Endpoint Security. You can start with the easy method and switch to the secure method later. However, if you change the configuration method and you have configured your authenticator to require users to validate their email with a one-time code, users will need to validate again the next time that they sign in after the change.

• Easy: This configuration method uses the email address for both identifiers (Federated ID and email address) and is the same configuration that is used by the Legacy method. In this method, the email address is used as an identifier, which carries some risk because a user's email address can be changed, and that change can cause authentication to fail.
• Secure: This configuration method provides enhanced security and more options to secure users’ sign-in to the management console. This method requires additional time to set up and uses the following two values to identify users:
      Federated ID: The Federated ID is a unique value that is used to link the user in the IDP and the management console.
      Email address: The email address ensures that the correct user is signing in to the management console. It is obtained from the “email” claim in the SAML response.

If you have configured your environment with enhanced authentication, no additional action is required.

If you need to configure your external IDP environment for enhanced authentication, or want to use the IDP-initiated Proxy feature, which allows you to use single sign-on (SSO) to access the Cylance console after logging in to the external IDP, you must complete the following steps:

   1. In the external IDP environment, complete the following:
        a. Create a new application.
        b. Configure the external IDP to communicate with Cylance Endpoint Security.
   2. In the Cylance console, complete the following:
        a. Add a new authenticator.
        b. Add an authentication policy.
        c. Assign the authentication policy to users.
   3. In the external IDP environment, update the Trust URL for the endpoint with the Single sign-on or SSO Callback URL that you generated in the Cylance console.

This workflow provides an example of how you might configure your external IDP environment to communicate with the Cylance console and allow users to sign in to the console using single sign-on.

Important: The external IDP configuration and the Cylance Endpoint Security authenticator configuration must match the claim names to allow the management console to retrieve the users’ credentials. If they do not match, users cannot sign in to the management console.

In this example, we are configuring the Active Directory Federation Services (ADFS). ADFS uses “Relying Party Trusts” when it manages SAML integrations.

In this configuration, you will be required to record information in the external IDP console that is required in the Cylance console to allow the external IDP to communicate with Cylance Endpoint Security. The following table lists the settings that you will record from the external IDP console and the corresponding setting in the Cylance console.

The following information will be recorded and must match between the Cylance console authenticator and the external IDP environment, respectively.

Cylance console authenticator            External IDP console
-----------------------------            --------------------
Single Sign On or SSO Callback URL       Trusted URL
  (generated when the authenticator is added; format <IDP>/_/resume/saml20/<hash>)
Login Request URL                        Relying party SAML 2.0 SSO service URL
SP Entity ID                             Relying party identifier
Email Claim                              Claim Issuance Policy
IDP signing certificate                  IDP signing certificate

The following tasks walk you through the Easy configuration method.

1. In the external IDP console, create a Relying Party Trust.

In your external IDP console, create an application that will be used to communicate with the Cylance console.
• If you have an existing application, you must add a new single sign-on URL to the existing application.
• If your IDP does not support multiple single sign-on URLs, you must create a new application.

In this example, we are adding a new claims aware Relying Party Trust configuration in Active Directory Federation Services (ADFS).

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. In the external IDP management console, open the ADFS Management console.
2. In the left menu bar, right-click Relying Party Trusts > Add Relying Party Trust. Follow the onscreen steps.
3. Select the following settings on the appropriate screen:
     • Welcome screen: Select Claims aware.
     • Select Data Source: Select Enter data about the relying party manually.
     • Specify Display name: Enter a name for the Relying Party Trust (for example, Cylance Enhanced Authentication - SSO).
     • Configure Certificate screen: Optionally, specify a token encryption certificate.
     • Configure URL screen: Select the Enable support for the SAML 2.0 WebSSO protocol checkbox. In the Relying party SAML 2.0 SSO service URL field, enter the placeholder URL, https://ChangeMe.Cylance.com (see image to the left). This URL will be updated in a later step. Important: If you do not update the URL, the browser will display an error indicating that the server's IP address could not be found. The Single Sign-on URL or “SSO callback URL” will be generated in the Cylance console when you add the authenticator in a later step.
     • Configure Identifiers screen: In the Relying party trust identifier field, enter a value. The value can be any string (for example, Enhanced Authentication – SSO). This value is entered in the SP Entity ID field when you add the authenticator in the next step; it is used as the “SP entity ID” in the Cylance console.
     • Choose Access Control Policy screen: If necessary, change the access level.
     • Ready to Add Trust screen: No action is required. The Endpoints URL is created by default. It will be updated in a later step.
4. Click Finish.

2. Configure the external IDP to communicate with Cylance Endpoint Security.

The Cylance management console requires all SAML responses to include the user’s email address. Important: The email addresses in the external IDP must match the addresses that are registered in the Cylance console. The email address ensures that the correct user is signing in to the management console. It is obtained from the “email” claim in the SAML response.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. In the IDP management console, record the Login Request URL. This is the Login URL for your IDP. The name of this attribute may vary for different IDPs. This value is used to verify the Login Request URL in the authenticator configuration in the next step. For more information on identity provider-initiated sign in, see your ADFS documentation.
2. Download the IDP signing certificate. Click ADFS > Service > Certificates folder, then right-click the primary token-signing certificate > View certificate. On the Details tab, click Copy to File and complete the on-screen steps. Make sure that you export the certificate in the Base-64 encoded X.509 (.CER) file format. This certificate will be added to the “IDP signing certificate” field when you add the authenticator in the next step.
3. Configure the Attributes & Claims to map the User ID to the email address in your IDP settings. Right-click the Relying Party Trust that you created in step 1 > Edit Claim Issuance Policy.
   Cylance custom authentication uses the user’s email address as the User ID. Some IDPs use the username as the User ID. In this example, you will add the required rules. Follow the on-screen steps and add the following rules (see image to the left).
   Rule 1
     • Claim rule template: Send LDAP Attributes as Claims
     • Attribute store: Active Directory
     • LDAP Attribute: E-Mail-Addresses
     • Outgoing Claim Type: E-Mail Address

   Rule 2
     • Claim rule template: Transform an Incoming Claim
     • Incoming claim type: E-Mail Address
     • Outgoing claim type: Name ID
     • Outgoing name ID format: Email

For more information, visit https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-rule-to-transform-an-incoming-claim.

3. In the Cylance console, add the Authenticator.

The Single Sign-on URL or SSO Callback URL is generated when you add the authenticator.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

  1. Sign in to the Cylance console.
  2. On the menu bar, click Settings > Authentication.
  3. Click Add Authenticator.
  4. In the Authenticator Type drop-down list, select Custom (SAML) (see image to the left).
  5. Enter a name for the authenticator (for example, Enhanced Authentication – Custom – SSO) (see image to the left).
  6. Optionally, if you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required. The code is sent to the email address that is associated with the user in your tenant (see image to the left).
  7. In the Login request URL field, enter the “Login Request URL” that you recorded in step 2 (see image to the left).
  8. In the IDP signing certificate field, paste the “Signing Certificate” that you downloaded from the IDP console in step 2. When you paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information (see image to the left).
  9. In the SP Entity ID field, type the “Audience URI (SP Entity ID)” that you recorded in the IDP portal in step 2. This field is required, and the value that you enter must match the value in the IDP (see image to the left).
 10. In the Name ID format field, specify the name identifier format to request from the IDP (see image to the left). In this example, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
 11. In the Email claim field, type NameID. This must match the “NameID Format” that you specified in the IDP console. The email address ensures that the correct user is signing in to the management console (see image to the left).
 12. Click Save.
 13. Open the authenticator that you added. Copy the Single Sign On URL. This URL will be added to the Relying Party Trust > Endpoints tab in a later step.
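
The claim rules in step 2 and the Name ID format and Email claim settings in step 3 only work when the SAML response actually carries the matching claims. The following Python check is an added example (not Cylance or ADFS code) that parses a constructed SAML response and verifies the email claim from rule 1, the emailAddress-format NameID from rule 2, and an Audience equal to the SP Entity ID; the claim URIs are the standard ADFS ones and signature verification is intentionally left out.

```python
# Added example, not Cylance or ADFS code: check that a SAML response carries the
# claims the Cylance authenticator expects. SAMPLE_RESPONSE is constructed to look
# like the output of the two ADFS claim rules; signature checking is left out.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">admin@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>Enhanced Authentication - SSO</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text, sp_entity_id):
    """Return the problems found; an empty list means the console can match the user."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["response contains no Assertion"]
    # Rule 2 (Transform an Incoming Claim) must yield a NameID in emailAddress format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    nid_value = (name_id.text or "").strip() if name_id is not None else ""
    if not nid_value:
        problems.append("missing NameID: claim rule 2 is not producing the Name ID")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append(f"NameID format {name_id.get('Format')!r} is not {EMAIL_FORMAT}")
    # Rule 1 (Send LDAP Attributes as Claims) must send the user's email address.
    emails = [(v.text or "").strip()
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == EMAIL_CLAIM
              for v in a.findall("saml:AttributeValue", NS)]
    if not emails:
        problems.append("missing email claim: claim rule 1 is not sending E-Mail-Addresses")
    elif nid_value and nid_value.lower() != emails[0].lower():
        problems.append("NameID and email claim differ, so the console cannot match the user")
    # The Audience must equal the SP Entity ID entered in the authenticator (step 3).
    audiences = [(a.text or "").strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"audience {audiences} does not include SP Entity ID {sp_entity_id!r}")
    return problems
```

To check a real response, decode the Base64 SAMLResponse form field captured from a test sign-in and pass the XML to check_saml_response together with the relying party identifier you chose in step 1.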

4. Create an authentication policy and assign it to users and groups.

Create a policy that includes the required authenticator for your environment. You can create a user policy or add the authenticator to the default authentication policies for the console, CylancePROTECT Mobile app, or CylanceGATEWAY agent. Assign the policy to one administrator to verify the sign-in policy is functioning as expected. Only one policy type can be assigned to a user. You can then assign the authentication policy to your users.

  1. On the menu bar, click Settings > User Policy.
  2. Click the Authentication tab.
  3. Click Add Policy.
  4. Enter a name and description for the policy (for example, Enhanced Authentication Policy).
  5. In the Authenticator rules section, click Add Authenticator. In the Add authenticator dialog box, select the “Enhanced Authentication” authenticator that you created in the last step.
  6. To create the authentication policy, click Save.
  7. Assign the policy to one administrator and then verify that the sign in is working as expected. Complete the following steps:
      a. In the Assign the authentication policy dialog box, click Yes.
      b. Click Add User or Group.
      c. Start typing a name to search for the user that you want to add.
      d. Select the user from the search results.
      e. Click Add.
      f. Sign out of the console and access the console sign-in page.
      g. Enter the email address of the administrator to which you assigned the authentication policy above and click Sign In.
      h. When prompted, enter your credentials for the IDP.
      i. Complete the sign in with your IDP credentials and verify that the administrator can successfully sign in to the Cylance console.

For more information on additional authentication policy settings, see Create an authentication policy.

Optionally, it is recommended that you create a user policy (User policy > Authentication) that requires only a Cylance console password and assign it to one or more designated administrators. You should use a strong password for the user policy. You can use this policy as a failsafe while you configure the IDP as an authenticator.

5. In the IDP console, update the placeholder information in the Relying Party Trusts.

Replace the placeholder information to allow the external IDP to communicate with Cylance Endpoint Security.

  1. Open the Relying Party Trust (For example, Cylance Enhanced Authentication) that you created in step 1.
  2. Update the SAML Assertion Consumer Endpoints.
      a. Click the Endpoints tab.
      b. Double-click the SAML Assertion Consumer Endpoints URL.
      c. Verify the Binding is set to POST (see the image to the left).
      d. Verify that the Index is set to 0 (see the image to the left).
      e. In the Trusted URL field, delete the current URL and paste the Single Sign On URL that was generated when you added the authenticator in step 3 (see image to the left).
      f. Click OK.

That's it!

You have successfully configured an IDP SAML authenticator and assigned the authentication policy to users and groups.

Users can now sign in to the Cylance console using one of the following methods:

• Cylance console sign in: Go to the Cylance console sign-in page and sign in directly using your IDP authentication (see image to the left).
• IDP-initiated sign in: Sign in to your IDP portal and click the CylanceEnhancedAuth_Example app that was created in step 1 to single sign on to the Cylance console (see image to the left).

Next steps: Disable Custom Authentication and assign the policy as necessary

After you have verified that you can sign in to the Cylance console from the primary login page using your IDP credentials, you can go to Settings > Application and clear the Custom Authentication check box.

Sign out and sign in to the Cylance console from the sign-in page using the administrator account with the new authentication policy that was applied in step 3 of this workflow and your IDP credentials.

Warning: Make sure that you sign in to the Cylance console from the primary sign-in page using your IDP credentials. If you test the sign in from the “Or sign in with your External Identity Provider” page and then Disable Custom Authentication, you may become locked out of the console.

Assign the authentication policy to your tenant or to users and groups as necessary.

For more information about configuring IDPs to communicate with the Cylance console and allowing users to sign in using single sign-on, see the Cylance Endpoint Security Setup Guide.