Configure your OneLogin (SAML) Authenticator for Enhanced Authentication

1. In the OneLogin console, create a new application.

In your OneLogin console, create an application that will be used to communicate with the Cylance console.

Note: OneLogin does not support multiple single sign-on URLS and the existing SAML application cannot be updated for tenhanced authentication integration. If you have an existing app configured to use single single sign-on in your your OneLogin administration console, you must create a new app with the new single sign-on URL for Cylance that is generated when you add the authenticator in the Cylance console in the next step.

1. In the OneLogin console, in the menu, click Applications.
   
2. Click Add application.
3. In the Search field, type SAML Custom Connector. Click Enter.
4. Click the SAML Custom Connector (Advanced) app (see image to the left).
5. In the Add SAML Custom Connector (Advanced) screen, type a name for the application (for example, CylanceEnhancedAuth_Example).
6. Click Save.

2. Configure OneLogin to communicate with Cylance Endpoint Security.

The Cylance management console requires all SAML responses to include the user’s email addresses. Important: The email addresses in OneLogin must match the addresses that are registered in the Cylance management console. 

The Cylance management console requires all SAML responses to include the user’s email addresses. Important: The email addresses in OneLogin must match the addresses that are registered in the Cylance management console. The Email address ensures the correct user is signing in to the management console. It is obtained from the “email” claim in the SAML response.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. In the SAML Custom Connector Info screen, on the left menu bar, click Configuration (see image to the left).
2. Add the SSO URLs to the following fields. Enter the following placeholder URL: https://ChangeMe.Cylance.com (see image to the left).
This URL will be updated in a later step. Important: If you do not update the URL, the browser will display an error indicating that the server's IP address could not be found.
The Single Sign-on URL or “SSO callback URL” will be generated in the Cylance console when you add the authenticator in the next step.  

• ACS (Consumer) URL Validator*
• ACS (Consumer) URL*
• Single Logout URL

3. In the SAML nameID format dropdown, enter and select Email (see image to the left).
4. In the left menu bar, click Parameters (see image to the left).
5. Verify that the SAML Custom Connector (Advanced Field) value displays Email.
6. On the left menu bar, click SSO. Complete the following steps:
             a. Download or copy the X.509 Certificate. Click View Details.
             b. In the X.509 Certificate section, click Download.

When you copy the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. This is used as the IDP signing certificate in the Cylance management console. 
c. Copy the SAML 2.0 Endpoint (HTTP) URL. This is used as the “Login request URL” value in the Cylance console.
d. Copy the Issuer URL. This is used as the “SP entity ID” in the Cylance console. 

3. In the Cylance console, add the Authenticator.

The Single Sign-on URL or SSO Callback URL is generated when you add the authenticator.

In the image, the numbers correspond to the step number in the procedure; not all steps are represented in the image.

1. Sign in to the Cylance console.
2. On the menu bar, click Settings > Authentication.
3. Click Add Authenticator.
4. In the Authenticator Type drop-down list, select OneLogin (SAML).
5. Enter a name for the authenticator (for example. EnhanceAuthentication).
6. Optionally, if you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required. The code is sent to the email address that is associated with the user in your tenant.
7.  In the Login request URL field, enter the “SAML 2.0 Endpoint (HTTP) URL” that you recorded in the OneLogin console “SSO” screen in step 2. For example, in the OneLogin console, SSO screen in the previous go to Application > CylanceEnhancedAuth_Example > SSO.
8.  In the IDP signing certificate field, paste the “Base-64 encoded X.509 SAML Signing Certificate” that you downloaded from the OneLogin console. When you paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information (see image to the left).
9. In the SP Entity ID field, type the “Identifier (Entity ID)” that you recorded in the OneLogin console in step 2. This field is required, and the value that you enter must match.
10. Click Save.
11. Open the Authenticator that you added. Copy the Single Sign On URL. This URL will be added to the following fields in the OneLogin console, Configuration screen in a later step:
             • ACS (Consumer) URL Validator*  
             • ACS (Consume) URL*    
             • Single Logout URL 

4. Create an authentication policy and assign it to users and groups.

Create a policy that includes the required authenticator for your environment. You can create a user policy or add the authenticator to the default authentication policies for the console, CylancePROTECT Mobile app, or CylanceGATEWAY agent. Assign the policy to one administrator to verify the sign-in policy is functioning as expected. Only one policy type can be assigned to a user. You can then assign the authentication policy to your users.

1. On the menu bar, click Settings > User Policy.
2. Click the Authentication tab.
3. Click Add Policy.
4. Enter a name and description for the policy (for example, Enhanced Authentication Policy).
5. In the Authenticator rules section, click Add Authenticator. In the Add authenticator dialog box, select the “Enhanced Authentication” authenticator that you created in the last step.
6. To create the authentication policy, click Save.
7. Assign the policy to one administrator and then verify that the sign in is working as expected. Complete the following steps:
         a. In the Assign the authentication policy dialog box, click Yes.
         b. Click Add User or Group.
         c. Start typing a name to search for the user that you want to add.
         d. Select the user from the search results.
         e. Click Add. 
         f. Sign out of the console and access the console sign-in page.
         g. Enter the email address of the administrator to which you assigned the authentication policy above and click Sign In.
         h. When prompted, enter your credentials from OneLogin.
          i. Complete the sign in with your OneLogin credentials and verify that the administrator can successfully sign in to the Cylance console.

For more information on additional authentication policy settings, see Create an authentication policy.

Optionally, it is recommended that you create a user policy (User policy > Authentication) that requires only a Cylance console password and assign it to one or more designated administrators. You should use a strong password for the user policy. You can use this policy as a failsafe while you configure OneLogin to an authenticator.

5. In the OneLogin console, update the placeholder information in the SAML Custom Connector (Advanced), Configuration.

Replace the placeholder information to allow OneLogin to communicate with Cylance Endpoint Security.

1. Open the SAML Custom Connector (Advanced) app (For example, CylanceEnhancedAuth_Example) that you created in step 1.
2. On the left menu bar, click Configuration (see image to the left).
3.  In the following fields, delete the current URL and paste the Single Sign On URL that was generated in step 3 when you added the authenticator in the previous step (see image to the left).
          • ACS (Consumer) URL Validator*
          • ACS (Consume) URL*
          • Single Logout URL
4. Click Save.

6. That’s it!

You have successfully configured a OneLogin SAML authenticator and assigned the authentication policy to users and groups. 

Users can now sign-in to the Cylance console using one of the following methods:

• Cylance console sign in: Go to the Cylance Console Sign-in page and sign in directly using your OneLogin authentication (see image to the left).
• IDP-initiated sign in: Sign in to your console and click the CylanceEnhancedAuth_Example app that was created in step 1 to Single Sign-in to the Cylance console (see image to the left).
  

Next steps: Disable Custom Authentication and assign the policy as necessary

After you have verified that you can sign in to the Cylance console from the primary login page using your IDP credentials, you can go to Settings > Application and clear the Custom Authentication check box.

Sign out and sign in to the Cylance console from the sign-in page using the administrator account with the new authentication policy that was applied in step 3 of this workflow and your IDP credentials.

Warning: Make sure that you sign in to the Cylance console from the primary sign-in page using your OneLogin credentials. If you test the sign in from the “Or sign in with your External Identity Provider” page and then Disable Custom Authentication, you may become locked out of the console.

If necessary, assign the authentication policy to your tenant or users and groups as necessary.