Configure your Okta (SAML) Authenticator for Enhanced Authentication

1. In the Okta portal, create a new application.

In your Okta portal, create an application that will be used to communicate with the Cylance console.

1. In the Okta administration console, on the menu bar, click Applications > Applications (see image to the left).
2. Click Create App Integration.
3. Select SAML 2.0.
4. Type a name for your application. In this example, we will use the name CylanceEnhancedAuth_Example (see image to the left).
5. Click Next (see image to the left).

2. Configure Okta to communicate with Cylance Endpoint Security.

The Cylance management console requires all SAML responses to include the user’s email addresses. Important: The email addresses in Okta must match the addresses that are registered in the Cylance console. 

The Email address ensures the correct user is signing in to the management console. It is obtained from the “email” claim in the SAML response.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. In the Single sign-on URL field, enter the placeholder URL, https://ChangeMe.Cylance.com (see image to the left).

The Single Sign-on URL or “SSO callback URL” will be generated in the Cylance console when you add the authenticator in the next step.  This URL will be updated in a later step. Important: If you do not update the URL, the browser will display an error indicating that the server's IP address could not be found.

2. In the Audience URI (SP Entity ID) field, specify a string to identify the application (for example okta.example.com). The value can be any string. Make sure it is unique and persistent to avoid any issues if your organization changes topologies or service providers.

This value will be used in the Cylance console for the SP Entity ID in the authenticator configuration in the next step. If the Audience URI (SP Entity ID) and SP Entity ID do not match, the authentication request fails (see image to the left).

3. In the Name ID format field, click the dropdown and select Persistent. This value will be used in the Cylance console for the “Name ID format” in a later step.

4. In the Application username field, click the dropdown and select Custom and in the custom rule field, enter user.getInternalProperty("id").

5. If necessary, a new single sign-on URL to the list as a secondary option. In the Other Requestable SSO URLs, URL field, enter the placeholder  https://idp.blackberry.com/_/resume and leave the Index at 0 (see the image to the left). BlackBerry does not send an index.

6. Click Show Advanced Settings.

7.  In the Attribute Statements section, complete the following steps:

a. In the Name field, type Email. In the Value field, type user.email.

b. Click Add another.

c. In the Name field, type adGUID. In the Value field, type findDirectoryUser().externalId.

8. Click Next.

9. Follow the onscreen prompts. Click Finish.

10. Click View SAML setup instructions, and complete the following:

• Copy the Identity Provider Single Sign-On URL. This will be used as the “Login Request URL” in the Cylance console.

• Copy the Identity Provider Issuer. This value will be use as the IDP Entity ID in the Cylance console.

• Download a copy of the SAML signing certificate. In the X.509 Certificate section, click Download certificate. In an editor, open the file and copy the body of the signing certificate including the Begin Certificate and End Certificate lines. When you copy the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. This is used as the IDP signing certificate in the Cylance management console.

3. In the Cylance console, add the Authenticator.

The Single Sign-on URL or SSO Callback URL is generated when you add the authenticator.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. Sign in to the Cylance console.

2. On the menu bar, click Settings > Authentication.

3. Click Add Authenticator.

4. In the Authenticator Type drop-down list, select Okta (SAML) (see image to the left).

5. Enter a name for the authenticator (for example. Enhance Authentication) (see image to the left).

6. Optionally, if you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required. The code is sent to the email address that is associated with the user in your tenant (see image to the left).

7.  In the Login request URL field, enter the “Identity Provider Single Sign-On URL” that you recorded in step 2 (see image to the left). 

8.  In the IDP signing certificate field, paste the “Signing Certificate” that you downloaded from the Okta portal in step 2. When you paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information (see image to the left).

9.  In the SP Entity ID field, type the “Audience URI (SP Entity ID)” that you recorded in the Okta portal in step 2. This field is required, and the value that you enter must match (see image to the left).

10. In the IDP entity ID field, paste the IdentityProvider Issuer that you copied in the previous step (see image to the left).

11. In the Name ID format field, select the NameID format that you specified in the Okta console step 2 (for example, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent) (see image to the left).

12. In the Email Claim field, type Email. This must match the “Attribute” name that you configured in the Okta console in step 2. The Email address ensures the correct user is signing in to the management console.

13. Click Save.

14. Open the Authenticator that you added. Copy the Single Sign On URL. This URL will be added to the following fields in the Okta console, SAML Settings screen in a later step:
      • Single Sign On URL
      • Requestable SSO URLs

4. Create an authentication policy and assign it to users and groups.

Create a policy that includes the required authenticator for your environment. You can create a user policy or add the authenticator to the default authentication policies for the console, CylancePROTECT Mobile app, or CylanceGATEWAY agent. Assign the policy to one administrator to verify the sign-in policy is functioning as expected. Only one policy type can be assigned to a user. You can then assign the authentication policy to your users.

1. On the menu bar, click Settings > User Policy.
2. Click the Authentication tab.
3. Click Add Policy.
4. Enter a name and description for the policy (for example, Enhanced Authentication Policy).
5. In the Authenticator rules section, click Add Authenticator. In the Add authenticator dialog box, select the “Enhanced Authentication” authenticator that you created in the last step.
6. To create the authentication policy, click Save.
7. Assign the policy to one administrator and then verify that the sign in is working as expected. Complete the following steps:

a. In the Assign the authentication policy dialog box, click Yes.

b. Click Add User or Group.

c. Start typing a name to search for the user that you want to add.

d. Select the user from the search results.

e. Click Add.

f. Sign out of the console and access the console sign-in page.

g. Enter the email address of the administrator to which you assigned the authentication policy above and click Sign In.

h. When prompted, enter your credentials from Okta.

i. Complete the sign in with your Okta credentials and verify that the administrator can successfully sign in to the Cylance console.

For more information on additional authentication policy settings, see Create an authentication policy.

Optionally, it is recommended that you create a user policy (User policy > Authentication) that requires only a Cylance console password and assign it to one or more designated administrators. You should use a strong password for the user policy. You can use this policy as a failsafe while you configure Okta to an authenticator.

5. In the Okta console, update the placeholder information in the SAML Custom Connector (Advanced), Configurations.

Replace the placeholder information to allow Okta to communicate with Cylance Endpoint Security.

1. Open the SAML app (for example, CylanceEnhancedAuth_Example) that you created in step 1.
   
2. Click the General tab.
3. In the SAML Setting section, click Edit.
4. Click Next.
5. In the Single Sign On URL field, delete the current URL and paste the URL that was generated when you added the authenticator in the step 3 (see image to the left).
    • Single sign-on URL
    • Other Requestable SSO URLs
   
6. Click Continue to Next Step twice.
7. Click Finish.

That’s it!

You have successfully configured an Okta SAML authenticator and assigned the authentication policy to users and groups. 

Users can now sign-in to the Cylance console using one of the following methods:

• Cylance console sign in: Go to the Cylance Console Sign-in page and sign in directly using your Okta authentication (see image to the left).

• IDP-initiated sign in: Sign in to your portal and click the CylanceEnhancedAuth_Example app that was created in step 1 to Single Sign-in to the Cylance console (see image to the left).

Next steps: Disable Custom Authentication and assign the policy as necessary

After you have verified that you can sign in to the Cylance console from the primary login page using your IDP credentials, you can go to Settings > Application and clear the Custom Authentication check box.

Sign out and sign in to the Cylance console from the sign-in page using the administrator account with the new authentication policy that was applied in step 3 of this workflow and your IDP credentials.

Warning: Make sure that you sign in to the Cylance console from the primary sign-in page using your Okta credentials. If you test the sign in from the “Or sign in with your External Identity Provider” page and then Disable Custom Authentication, you may become locked out of the console.

If necessary, assign the authentication policy to your tenant or users and groups as necessary.