You can also migrate your custom authentication settings for the following external IDPs. For instructions, click your IDP:
You can configure the authenticator using one of the following two methods. BlackBerry recommends that you use the secure method to set up the authenticator for Cylance Endpoint Security. You can configure the authenticator using the easy method first and switch to the secure method later. However, if you change the configuration method and you have configured your authenticator to require users to validate their email with a one-time code, users will need to validate again the next time that they sign in after the change.
Federated ID: The Federated ID is a unique value that is used to link the user in OneLogin and the Cylance console.
Email address: The Email address ensures the correct user is signing in to the management console. It is obtained from the “email” claim in the SAML response.
Important: The OneLogin IDP configuration and the Cylance Endpoint Security authenticator configuration must match the claim names to allow the management console to retrieve the users’ credentials. If they do not match, users cannot sign in to the management console.
The following tasks walk you through the Easy configuration method.
Note: OneLogin does not support multiple SSO URLs and the existing SAML application cannot be updated for the custom authentication integration. In your OneLogin administration console, you must create a new app with the new single sign-on URL for Cylance. Add https://idp.blackberry.com/_/resume
By default, the Cylance management console requires all SAML responses to include the user’s email address. Important: The email addresses in OneLogin must match the addresses that are registered in the Cylance management console.
In the image, the numbers correspond to the Step number in the procedure; not all steps are represented in the image.
1. Add a new SAML app. Complete the following steps:
a. In the OneLogin Administration console, from the Applications menu select Applications.
b. Click Add App.
c. On the Find Applications screen, search for and click SAML Custom Connector (Advanced).
d. Enter a name. Click Save.
2. In the left menu, click Configuration (see image to the left).
3. Add the SSO URLs. Complete the following tasks (see image to the left):
a. In the ACS (Consumer) URL Validator* field, enter
https://idp.blackberry.com/_/resume
b. In the ACS (Consumer) URL* field, enter
https://idp.blackberry.com/_/resume
c. In the Single Logout URL field, enter
https://idp.blackberry.com/_/resume
4. In the SAML nameID format dropdown, enter and select Email (see image to the left).
5. In the left menu, click Parameters.
6. Verify that the SAML Custom Connector (Advanced Field), NameID value displays Email.
7. In the left menu, click SSO. Complete the following steps:
a. Download or copy the X.509 Certificate. Click View Details and Download the X.509 Certificate. When you copy the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information. This is used as the IDP signing certificate in the Cylance management console.
b. Copy the SAML 2.0 Endpoint (HTTP) URL. This is used as the Login request URL value in the Cylance management console.
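Added example (not part of the BlackBerry or OneLogin documentation): a Python check that decodes a SAMLResponse captured from a test sign-in and compares it with the values entered in the steps above: the ACS URL, the Email NameID format, and the “email” claim name that both sides must agree on. The function names, the NameID format URN and the sample response are assumptions made for illustration, and the check does not validate the response signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://idp.blackberry.com/_/resume"  # ACS (Consumer) URL from step 3
# Assumption: the URN that the "Email" nameID format choice in step 4 produces.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_saml_response(b64_response, email_claim="email", acs_url=ACS_URL):
    """List mismatches between a captured, base64-encoded SAMLResponse and the
    settings from the procedure. Diagnostic only: no signature validation."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    dest = root.get("Destination")
    if dest != acs_url:
        problems.append(f"Destination is {dest!r}, expected {acs_url!r}")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID in the assertion subject")
    else:
        if name_id.get("Format") != EMAIL_FORMAT:
            problems.append(f"NameID Format is {name_id.get('Format')!r}")
        if "@" not in (name_id.text or ""):
            problems.append("NameID value is not an email address")
    # Claim names are compared exactly; a case or prefix difference is a mismatch.
    claims = {
        attr.get("Name"): attr.findtext("saml:AttributeValue", "", NS).strip()
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }
    if email_claim not in claims:
        problems.append(f"claim {email_claim!r} missing; found {sorted(claims)}")
    elif not claims[email_claim]:
        problems.append(f"claim {email_claim!r} is empty")
    return problems


def sample_response(claim_name):
    # Constructed, unsigned response for illustration; not real OneLogin output.
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
      Destination="{ACS_URL}"><saml:Assertion><saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">admin@example.com</saml:NameID>
      </saml:Subject><saml:AttributeStatement><saml:Attribute Name="{claim_name}">
      <saml:AttributeValue>admin@example.com</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode())
```

An empty list from check_saml_response(sample_response("email")) means the response agrees with the settings; a claim sent under another name, such as "User.email", is reported as missing.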
Create a policy that includes the required authenticators for your environment. You can create a user policy or add the authenticator to the default authentication policies for the console, CylancePROTECT Mobile app or CylanceGATEWAY agent. Assign the policy to one administrator to verify the sign in policy is functioning as expected. You can then assign the authentication policy to your users.
In the image, the numbers correspond to the Step number in the procedure; not all steps are represented in the image.
a. In the Assign the authentication policy dialog box, click Yes.
b. Click Add User or Group.
c. Start typing a name to search for the user that you want to add.
d. Select the user from the search results.
e. Click Add.
f. Log out of the console, or open an In Private window and access the Console log in page.
g. Enter the email address of the administrator to which you assigned the authentication policy above and click Sign In.
h. When prompted, enter your credentials from OneLogin.
i. Complete the sign in with your OneLogin credentials and verify that the administrator can successfully sign in to the Cylance console.
For more information on additional authentication policy settings, see Create an authentication policy.
Optionally, it is recommended that you create a user policy (User policy > Authentication) that requires only a Cylance console password and assign it to one or more designated administrators. You should use a strong password for the user policy. You can use this policy as a failsafe while you migrate OneLogin to an authenticator.
You have successfully configured a OneLogin SAML authenticator based on the existing custom authentication and assigned the authentication policy to users and groups.
Users can now sign in to the Cylance console using their OneLogin credentials from the sign-in page.
After you have verified that you can sign in to the Cylance console from the primary login page using your OneLogin credentials, you can go to Settings > Application and clear the Custom Authentication check box.
Sign out and sign in to the Cylance console from the sign-in page using the administrator account with the new authentication policy that was applied in step 3 of this workflow and your OneLogin credentials.
Warning: Make sure that you sign in to the Cylance console from the primary sign-in page using your external IDP credentials. If you test the sign in from the “Or sign in with your External Identity Provider” page and then disable Custom Authentication, you may become locked out of the console.
BlackBerry recommends you secure the Administrator account that you created with the password-only policy by assigning the OneLogin policy or changing the password-only policy to add an OTP code for better security.
BlackBerry recommends that you use the secure method to set up the authenticator for Cylance Endpoint Security. For more information about migrating your custom authentication settings to an authenticator using the secure method, see the BlackBerry UES Setup Guide.