Add an authenticator
You add authenticators so that you can add them to authentication policies. An authenticator typically defines one authentication method, such as a password (for example, a
Cylance
console password) or a connection to a third-party for authentication like Active
Directory
, Okta
, or Ping Identity
. You add them to authentication policies to specify the types of authentication that administrators must complete to sign in to the Cylance
console and users must complete to activate Cylance Endpoint Security
apps or agents (for example, the CylancePROTECT Mobile
app or CylanceGATEWAY
). You can combine multiple authenticators in an authentication policy to provide multiple authentication steps. For example, you can combine the Enterprise authenticator with a one-time password prompt in a policy to require users to authenticate with both their work or Cylance
console password and a one-time password.- Verify that you have reviewed and completed the appropriate steps for Enhanced authentication sign in to theCylanceconsole before you configure your IDP SAML authenticator. If the required steps are not completed, the third-party authenticator will be unable to communicate with Cylance Endpoint Security. For more information, see the following:
- For steps to configure an IDP for enhanced authentication and IDP-initiated access to theCylanceconsole, see Enhanced authentication sign in.
- For a walkthrough of the steps to configure a new IDP SAML, see How do I configure IDP SAMLs for enhanced authentication and IDP-initiated access to theCylanceconsole.
- For a walkthrough of the steps to enable IDP-initiated access to the console for an existing IDP SAML that was created before December 2023, see How do I update external IDP (SAML) authenticators for SSO to access the Cylance console.
- If you add a SAML authenticator, download a copy of the signing certificate for your IDP.
- On the menu bar, clickSettings > Authentication.
- ClickAdd Authenticator.
- In theAuthenticator Typedrop-down list, select one of the following authenticators:ItemDescriptionEntra(SAML)Select this option if you want users to enter theirEntracredentials in the primary sign-in page and enable IDP-initiated access to theCylanceconsole.For a walkthrough of the steps to configure yourEntra(SAML), see the following:
- Configure a newEntra(SAML): Configure theEntra(SAML) Authenticator for enhanced authentication
- EnableEntra-initiated access for an existingEntra(SAML): Update theEntra(SAML) authenticator to enable IDP-initiated access to theCylanceconsole
The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.Do the following:- Enter a name for the authenticator.
- If you want users to validate their email with a one-time code when they log in for the first time, turn onValidation required. The code is sent to the email address that is associated with the user in your tenant.
- In theLogin request URLfield, enter the Login URL that is specified in the app registration single sign-on settings for your identity provider. For example, in theEntraPortal, go to Enterprise Application > <Name of the newly created application> > Setting upapplication namesection > Login URL.
- In theIDP signing certificatefield, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
- In theSP entity IDfield, enter theIdentifier (Entity ID)that you recorded from the SAML configuration in theEntraportal. This field is required. The "SP Entity ID" value must match the “Identifier (Entity ID)” value that you recorded in the IDP console.
- EnableShow Advancedsettings, in theEmail claimfield, paste the value from the “Claim Name” that you recorded in theEntraportal (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
- Specify any other optional settings.
- ClickSave.
- Open the authenticator that you added. Record theSSO callback URL. This URL will be required in theEntraportal > Basic SAML Configuration > Reply URL (Assertion Consumer URL) field.
Custom (SAML)Select this option if you want users to enter custom credentials in the primary sign-in page and enable IDP-initiated access to theCylanceconsole.For a walkthrough of the steps to configure your Custom (SAML), see the following:- Configure a new Custom (SAML): Configure the Custom (SAML) Authenticator for enhanced authentication
- Enable Custom-initiated access for an existing Custom (SAML): Update the Custom (SAML) authenticator to enable IDP-initiated access to theCylanceconsole
The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.- Enter a name for the authenticator.
- If you want users to validate their email with a one-time code when they log in for the first time, turn onValidation required.
- In theLogin request URLfield, enter the identity provider's single sign-on URL.
- In theIDP signing certificatefield, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
- In theSP Entity IDfield, enter the “Audience URI (SP Entity ID)” that you recorded in the custom IDP portal. This field is required. The "SP Entity ID" value must match the “Audience URI (SP Entity ID)” value that you recorded in the IDP console.
- In theName ID formatfield, specify the name identifier format to request from the IDP (for example, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
- In theEmail claimfield, typeNameID. This value must match the “NameID Format” that you specified in the IDP console. The Email address ensures the correct user is signing in to the management console.
- Specify any other optional settings.
- ClickSave.
- Open the authenticator that you added. Record theSingle Sign On URL. This URL will be added to the custom IDP.
Cylance Administrator PasswordSelect this option if you want users to enter theirCylanceconsole credentials. Do the following:- Enter a name for the authenticator.
- ClickSave.
Deny AuthenticationSelect this option if you want to use an authentication policy to prevent users or groups of users from accessing theCylanceconsole or another service. You can add another policy or an app exception to allow access to a subset of users.- Enter a name for the authenticator.
- ClickSave.
DuoMFA(Deprecated)Duohas ended support for their TraditionalDuoPrompt. For more information, see theDuoknowledge base. If this authenticator has been added, it will be visible in the console as read only. To addDuomulti-factor authentication, seeDuoUniversal MFA, below.Select this option if you want users to authenticate usingDuomulti-factor authentication.Before you addDuoas an authenticator, you should create an Auth API application. For instructions, see the information fromDuo.Do the following:- Enter a name for the authenticator.
- In theDUO MFA Configurationsection, enter the API hostname, Integration key, and Secret key. You can find this information on the Applications tab in your organization'sDuoaccount. For more information, see the Duo documentation.
DuoUniversal MFASelect this option if you want users to authenticate usingDuomulti-factor authentication.Before you addDuoas an authenticator, you must create a Web SDK application. For instructions, see theDuodocumentation.Do the following:- Enter a name for the authenticator.
- In theDUO Universal MFA Configurationsection, enter the API hostname, Client ID, and Client Secret. You can find this information on the Applications tab in your organization'sDuoaccount. For more information, see theDuodocumentation.
EnterpriseSelect this option if you want users to authenticate using their credentials forActive Directory, LDAP, or. The credentials that a user will use depends on the account type that is the source for their user account in the console. Do the following:myAccount- Enter a name for the authenticator.
- ClickSave.
FIDOSelect this option if you want users to register aFIDO2device and use it verify their identity. Supported device types include smartphones, USB security keys, orWindows Hello.- Enter a name for the authenticator.
- ClickSave.
WhenFIDOis the first factor of authentication and a user registers a device for the first time, a one-time password is also sent to the email address that they use to sign in. WhenFIDOis used as a second factor in a policy, a one-time password isn’t required when a user registers a device for the first time.For information about how to remove registered devices from a user account, see Remove a registeredFIDOdevice for a user account in the Administration content.Integrated Directory (Active Directory/Entra ID/LDAP)Select this option if you want users to enter theirActive Directorypassword. If you select this option, yourCylance Endpoint Securitytenant must have a connection to the company directory instance. For more information, see Linking to your company directory. Do the following:- Enter a name for the authenticator.
- ClickSave.
IP AddressSelect this option if you want to restrict users’ access based on their IP address. You can create multiple IP address authenticators and use them to manage access for different groups, but you can only assign one IP address authenticator in a policy.For a walkthrough of the steps to add or remove IP Address restrictions for the console, see Add an IP Address restriction authenticator for the Cylance console.- Enter a name for the authenticator.
- In theIP address rangesfield, specify one or more IP addresses, IP ranges, or CIDRs. Separate entries with a comma. For example, IP range: 192.168.0.100-192.168.1.255 or CIDR: 192.168.0.10/24.
- ClickSave.
Local AccountSelect this option if you want users to enter theirBlackBerry Online Account() credentials. Do the following:myAccount- Enter a name for the authenticator.
- ClickSave.
OktaMFASelect this option if you want users to authenticate usingOkta. Do the following:- Enter a name for the authenticator.
- In theOkta MFA Configurationsection, enter the Auth API Key and the Auth Domain.
- ClickSave.
Okta(OIDC)Select this option if you want users to authenticate usingOkta. Do the following:- In the drop-down list belowOkta, selectOIDC.
- Enter a name for the authenticator.
- In theIdentity Provider Clientsection, enter the OIDC discovery document URL, the Client ID, and the Private key JWKS.
- ClickSave.
Okta(SAML)Select this option if you want users to enter theirOktacredentials in the primary sign-in page and enable IDP-initiated access to theCylanceconsole.For a walkthrough of the steps to configure yourOkta(SAML), see the following:- Configure a newOkta(SAML): Configure theOkta(SAML) Authenticator for Enhanced Authentication
- EnableOkta-initiated access for an existingOkta(SAML): Update theOkta(SAML) authenticator to enable IDP-initiated access to theCylanceconsole
The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.- In the drop-down list belowOkta, selectSAML.
- Enter a name for the authenticator.
- If you want users to validate their email with a one-time code when they log in for the first time, turn onValidation required.
- In theLogin request URLfield, enter the identity provider's single sign-on URL.
- In theIDP signing certificatefield, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
- In theSP Entity IDfield, enter the “Audience URI (SP Entity ID)” that you recorded in theOktaportal. This field is required. The "SP Entity ID" value must match the “Audience URI (SP Entity ID)” value that you recorded in the IDP console.
- In theIDP entity IDfield, paste the "IdentityProvider Issuer" that you recorded fromOkta.
- In theName ID formatfield, select the NameID format that you specified in theOkta(for example, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
- In theEmail Claimfield, typeEmail. This must match the “Attribute” name that you configured in the Okta console. The Email address ensures the correct user is signing in to the management console.
- Specify any other optional settings.
- ClickSave.
- Open the Authenticator that you added. Record the Single Sign On URL. This URL will be added to the following fields in theOktaconsole > SAML Settings screen.
- Single Sign On URL
- Requestable SSO URLs
OneLogin(OIDC)Select this option if you want users to authenticate usingOneLogin. Do the following:- In the drop-down list belowOneLogin, selectOIDC.
- Enter a name for the authenticator.
- If you want users to validate their email with a one-time code when they log in for the first time, turn onValidation required.
- In theOneLogin Configurationsection, enter the OIDC discovery document URL, the Client ID, Client Secret, and Authentication Method.
- ClickSave.
OneLogin(SAML)Select this option if you want users to enter theirOneLogincredentials in the primary sign-in page and enable IDP-initiated access to theCylanceconsole.For a walkthrough of the steps to configure yourOneLogin(SAML), see the following:- Configure a newOneLogin(SAML): Configure theOneLogin(SAML) Authenticator for enhanced authentication
- EnableOneLogin-initiated access for an existingOneLogin(SAML): Update theOneLogin(SAML) authenticator to enable IDP-initiated access to theCylanceconsole
The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.- Enter a name for the authenticator.
- If you want users to validate their email with a one-time code when they log in for the first time, turn onValidation required.
- In theLogin request URLfield, enter the identity provider's single sign-on URL.
- In theIDP signing certificatefield, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
- In theSP Entity IDfield, enter the “Identifier (Entity ID)” that you recorded in the OneLogin console. This field is required. The "SP Entity ID" value must match the “Identifier (Entity ID)” value that you recorded in the IDP console.
- Specify any other optional settings.
- ClickSave.
- Open the Authenticator that you added. Record the Single Sign On URL. This URL will be added to the following fields in the OneLogin console:
- ACS (Consumer) URL Validator*
- ACS (Consume) URL*
- Single Logout URL
One-Time PasswordSelect this option if you want users to enter a one-time password in addition to another type of authentication.If you select this option, you must also add another authenticator to your authentication policy and rank it higher than the one-time password.For a walkthrough of the steps to add and remove one-time password authentication for administrators, see the following:Do the following:- Enter a name for the authenticator.
- In theOne-Time Password Configurationsection, in the first drop-down list, select a number of intervals in the drop-down list. Any code within the window is valid if it precedes or follows the expected code by the number of refresh intervals that you specify. The refresh interval is 30 seconds, and the default setting is 1.
- In theOne-Time Password Configurationsection, in the second drop-down list, specify the number of times that users can skip the OTP app setup and authenticate without entering a code.
Ping Identity(OIDC)Select this option if you want users to authenticate usingPing Identity.Do the following:- In the drop-down list belowPing, selectOIDC.
- Enter a name for the authenticator.
- In theIdentity Provider Clientsection, enter the OIDC discovery document URL, the client ID, and the private key JWKS.
- In theID token signing algorithmdrop-down list, select a signing algorithm.
- ClickSave.
Ping Identity(SAML)Select this option if you want users to enter theirPing Identitycredentials in the primary sign-in page and enable IDP-initiated access to theCylanceconsole.For a walkthrough of the steps to configure yourPing Identity(SAML), see the following:- Configure a newPing Identity(SAML): Configure thePing Identity(SAML) Authenticator for enhanced authentication
- EnablePing Identity-initiated access for an existingOneLogin(SAML): Update thePing Identity(SAML) authenticator to enable IDP-initiated access to theCylanceconsole
The SSO Callback URL is generated when you add the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.- In the drop-down list belowPing Identity, selectSAML.
- Enter a name for the authenticator.
- If you want users to validate their email with a one-time code when they log in for the first time, turn onValidation required.
- In theLogin request URLfield, enter the identity provider's single sign-on URL.
- In theIDP signing certificatefield, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
- In theSP Entity IDfield, enter the “Entity ID” that you recorded in the PingOne console. This field is required. The "SP Entity ID" value must match the “Entity ID” value that you recorded in the IDP console.
- Specify any other optional settings.
- ClickSave.
- Open the Authenticator that you added. Record theSingle Sign OnURL. This URL will be required in the following PingOne console, Configuration screen fields:
- Assertion Consumer Service (ACS)
- Application URL
- ClickSave.