Configure your Entra Authenticator for enhanced authentication

1. In the Entra portal, create a new application.

In your Microsoft Entra portal, create an application that will be used to communicate with the Cylance console. 

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. In the Entra portal, open Enterprise Applications.
2. Click New application > Create your own application.
3. In the Create your own application screen, type a name for the application (for example, CylanceEnhancedAuth_Example).
   
   Important: If the CylancePROTECT application is displayed and recommended, do not select it. The application provides steps to configure the legacy Custom Authentication which has been deprecated.
   
   
4. Select Integrate any other application you don't find in the gallery (Non-gallery).
5. Click Create.

2. Configure Entra to communicate with Cylance Endpoint Security.

The Cylance management console requires all SAML responses to include the user’s email addresses. Important: The email addresses in Entra must match the addresses that are registered in the Cylance management console. 

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. In the CylanceEnhancedAuth_Example Overview screen, in the Getting Started section, under Set up single sign on, click Get Started.

2. On the Single sign-on screen, click SAML.

3. On the SAML-based Sign-on screen, configure the Basic SAML Configuration.

a. In the Basic SAML Configuration section, click Edit.

b. In the Identifier (Entity ID) field, click Add identifier and type a unique identifier name (for example, CylanceEnhancedAuth).  Record the Identifier (Entity ID). It will be used in the Cylance console, Authenticator configuration “SP Entity ID” field to verify the entity ID in the next step (see image to the left).

c. In the Reply URL (Assertion Consumer Service URL) section, click Add reply URL and enter the placeholder URL, https://ChangeMe.Cylance.com. You can leave the Index blank.  
The Single Sign-on URL or “SSO callback URL” will be generated in the Cylance console when you add the authenticator in the next step.   

This URL will be updated in a later step. Important: If you do not update the URL, the browser will display an error indicating that the server's IP address could not be found.

d. Click Save. If you are prompted to test the application, click No, I’ll test later.

4. Verify the Attributes & Claims. The SAML response generated by Entra must contain the same email address that is registered with the Cylance console.  If necessary, you can update an existing claim or create a new claim. For more information on the SAML claims, see https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization.

5. In the Set up CylanceEnhancedAuth_Example section, record the Login URL (see image to the left). The Login URL will be used in the Cylance console, Authenticator configuration “Login Request URL” field in the next step.

6. Verify that you have assigned the application to one or more users or groups. The application must be assigned to a user to perform the Test in the next step. For instructions, see Assign users and groups to an application. The application that you created in step 1 must be assigned to a user to verify the application and Attributes & Claims.

7.  Click Test to validate that the SAML response includes the correct email address and that single sign-on is functioning as expected.

• If the test is successful, expand the claims and record the Claim ID which includes the value of the email address that is registered with Cylance Endpoint Security (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress). The Claim ID will be used in the Cylance console, Authenticator configuration “Email Claim” field in the next step.
  
• If the test fails, follow the onscreen prompts. Complete one of the following:
  

·  Verify that you are using an email address that is assigned to the application that was created in step 1. For example, if you are logged in to Entra using User1@example.com, but the application is assigned to User2@example.com the test will fail. See your Entra documentation on how to assign the application to a user. 

·  If the Response fails, verify that you have the correct email address and modify the Attributes & Claims as necessary.

·  Contact Microsoft to troubleshoot your environment.

8.  Download a copy of the Base-64 encoded X.509 SAML Signing Certificate. In the SAML Certificates section, beside Certificate (Base64), click Download. This will be used in the Cylance console, Authenticator configuration “IDP signing certificate” field to verify the certificate in the Authenticator configuration in the next step.

3. In the Cylance console, add the Authenticator.

The Single Sign-on URL or SSO Callback URL is generated when you add the authenticator. 

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. On the menu bar, click Settings > Authentication.
2. Click Add Authenticator.
3. In the Authenticator Type drop-down list, select Entra (SAML).
4. Enter a name for the authenticator (for example. EnhanceAuthentication).
5. Optionally, if you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required. The code is sent to the email address that is associated with the user in your tenant.
6. In the Login request URL field, enter the “Login URL” that you recorded in the Entra portal “SAML-based Sign-on” screen in step 2. For example, in the Entra Portal, go to Enterprise Application > CylanceEnhancedAuth_Example > Setting up CylanceEnhancedAuth_Example section > Login URL.
7. In the IDP signing certificate field, paste the “Base-64 encoded X.509 SAML Signing Certificate” that you downloaded form the Entra portal. When you paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information (see image to the left). 
8. In the SP Entity ID field, type the “Identifier (Entity ID)” that you recorded in the Entra portal in step 2. This field is required, and the value that you enter must match.
9. Enable Show Advanced settings, in the Email claim field, past the value from the “Claim Name” that you recorded in the Entra portal in step (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
10. Click Save.
11. Open the Authenticator that you added. Copy the SSO callback URL. This URL will be added to the Entra portal, Reply URL (Assertion Consumer URL) field in a later step. 

4. Create an authentication policy and assign it to users and groups.

Create a policy that includes the required authenticator for your environment. You can create a user policy or add the authenticator to the default authentication policies for the console, CylancePROTECT Mobile app, or CylanceGATEWAY agent. Assign the policy to one administrator to verify the sign-in policy is functioning as expected. Only one policy type can be assigned to a user. You can then assign the authentication policy to your users.

1. On the menu bar, click Settings > User Policy.
2. Click the Authentication tab.
3. Click Add Policy.
4. Enter a name and description for the policy (for example, Enhanced Authentication Policy).
5. In the Authenticator rules section, click Add Authenticator. In the Add authenticator dialog box, select the “Enhanced Authentication” authenticator that you created in the last step.
6. To create the authentication policy, click Save.
7. Assign the policy to one administrator and then verify that the sign in is working as expected. Complete the following steps:

a. In the Assign the authentication policy dialog box, click Yes.

b. Click Add User or Group.

c. Start typing a name to search for the user that you want to add.

d. Select the user from the search results.

e. Click Add. If you are migrating from Custom Authentication, select the Allow Password Login checkbox. This option allows you to log in to the console directly and use SSO. Enable this option to test your SSO settings without being locked out of the console.

f. Sign out of the console and access the console sign-in page.

g. Enter the email address of the administrator to which you assigned the authentication policy above and click Sign In.

h. When prompted, enter your credentials from Entra.

i. Complete the sign in with your Entra credentials and verify that the administrator can successfully sign in to the Cylance console.

For more information on additional authentication policy settings, see Create an authentication policy.

Optionally, it is recommended that you create a user policy (User policy > Authentication) that requires only a Cylance console password and assign it to one or more designated administrators. You should use a strong password for the user policy. You can use this policy as a failsafe while you configure Entra to an authenticator.

5. In the Entra portal, update the placeholder information in the Basic SAML configurations.

Replace the placeholder information to allow Entra to communicate with Cylance Endpoint Security.

1. Open the Basic SAML Configuration that you created.
2. In the Reply URL (Assertion Consumer Service URL) field, delete the placeholder URL and paste the SSO callback URL that was generated when you added the authenticator.
   If you have more than one Reply URL, must make sure that the Reply URL which includes the SSO callback URL is set as Primary. If the incorrect reply to URL is used, users will be unable to sign in to the Cylance console. 

That’s it!

You have successfully configured an Entra SAML authenticator and assigned the authentication policy to users and groups. 

Users can now sign-in to the Cylance console using one of the following methods: 

• Cylance console sign in: Go to the Cylance Console Sign-in page and sign in directly using your Entra ID authentication (see image to the left).
• IDP-initiated sign in: Sign in to your portal and click the CylanceEnhancedAuth_Example app that was created in step 1 to Single Sign-in to the Cylance console (see image to the left).

Next steps: Disable Custom Authentication and assign the policy as necessary

After you have verified that you can sign in to the Cylance console from the primary login page using your IDP credentials, you can go to Settings > Application and clear the Custom Authentication check box.

Sign out and sign in to the Cylance console from the sign-in page using the administrator account with the new authentication policy that was applied in step 3 of this workflow and your IDP credentials.

Warning: Make sure that you sign in to the Cylance console from the primary sign-in page using your Entra credentials. If you test the sign in from the “Or sign in with your External Identity Provider” page and then Disable Custom Authentication, you may become locked out of the console.