Skip Navigation

Add an authenticator

You add authenticators so that you can add them to authentication policies. An authenticator typically defines one authentication method, such as a password (for example, a
Cylance
console password) or a connection to a third-party for authentication like
Active Directory
,
Okta
, or
Ping Identity
. You add them to authentication policies to specify the types of authentication that administrators must complete to sign in to the
Cylance
console and users must complete to activate
Cylance Endpoint Security
apps or agents (for example, the
CylancePROTECT Mobile
app or
CylanceGATEWAY
). You can combine multiple authenticators in an authentication policy to provide multiple authentication steps. For example, you can combine the Enterprise authenticator with a one-time password prompt in a policy to require users to authenticate with both their work or
Cylance
console password and a one-time password.
  1. On the menu bar, click
    Settings > Authentication
    .
  2. Click
    Add Authenticator
    .
  3. In the
    Authenticator Type
    drop-down list, select one of the following authenticators:
    Item
    Description
    Entra
    (SAML)
    Select this option if you want users to enter their
    Entra
    credentials in the primary sign-in page and enable IDP-initiated access to the
    Cylance
    console.
    For a walkthrough of the steps to configure your
    Entra
    (SAML), see the following:
    The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<
    hash
    >.
    Do the following:
    1. Enter a name for the authenticator.
    2. If you want users to validate their email with a one-time code when they log in for the first time, turn on
      Validation required
      . The code is sent to the email address that is associated with the user in your tenant.
    3. In the
      Login request URL
      field, enter the Login URL that is specified in the app registration single sign-on settings for your identity provider. For example, in the
      Entra
      Portal, go to Enterprise Application > <
      Name of the newly created application
      > > Setting up
      application name
      section > Login URL.
    4. In the
      IDP signing certificate
      field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.
      When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
    5. In the
      SP entity ID
      field, enter the
      Identifier (Entity ID)
      that you recorded from the SAML configuration in the
      Entra
      portal. This field is required. The "SP Entity ID" value must match the “Identifier (Entity ID)” value that you recorded in the IDP console.
    6. Enable
      Show Advanced
      settings, in the
      Email claim
      field, paste the value from the “Claim Name” that you recorded in the
      Entra
      portal (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
    7. Specify any other optional settings.
    8. Click
      Save
      .
    9. Open the authenticator that you added. Record the
      SSO callback URL
      . This URL will be required in the
      Entra
      portal > Basic SAML Configuration > Reply URL (Assertion Consumer URL) field.
    Custom (SAML)
    Select this option if you want users to enter custom credentials in the primary sign-in page and enable IDP-initiated access to the
    Cylance
    console.
    For a walkthrough of the steps to configure your Custom (SAML), see the following:
    The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<
    hash
    >.
    1. Enter a name for the authenticator.
    2. If you want users to validate their email with a one-time code when they log in for the first time, turn on
      Validation required
      .
    3. In the
      Login request URL
      field, enter the identity provider's single sign-on URL.
    4. In the
      IDP signing certificate
      field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.
      When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
    5. In the
      SP Entity ID
      field, enter the “Audience URI (SP Entity ID)” that you recorded in the custom IDP portal. This field is required. The "SP Entity ID" value must match the “Audience URI (SP Entity ID)” value that you recorded in the IDP console.
    6. In the
      Name ID format
      field, specify the name identifier format to request from the IDP (for example, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
    7. In the
      Email claim
      field, type
      NameID
      . This value must match the “NameID Format” that you specified in the IDP console. The Email address ensures the correct user is signing in to the management console.
    8. Specify any other optional settings.
    9. Click
      Save
      .
    10. Open the authenticator that you added. Record the
      Single Sign On URL
      . This URL will be added to the custom IDP.
    Cylance Administrator Password
    Select this option if you want users to enter their
    Cylance
    console credentials. Do the following:
    1. Enter a name for the authenticator.
    2. Click
      Save
      .
    Deny Authentication
    Select this option if you want to use an authentication policy to prevent users or groups of users from accessing the
    Cylance
    console or another service. You can add another policy or an app exception to allow access to a subset of users.
    1. Enter a name for the authenticator.
    2. Click
      Save
      .
    Duo
    MFA
    (Deprecated)
    Duo
    has ended support for their Traditional
    Duo
    Prompt. For more information, see the
    Duo
    knowledge base
    . If this authenticator has been added, it will be visible in the console as read only. To add
    Duo
    multi-factor authentication, see
    Duo
    Universal MFA, below.
    Select this option if you want users to authenticate using
    Duo
    multi-factor authentication.
    Before you add
    Duo
    as an authenticator, you should create an Auth API application. For instructions, see the information from
    Duo
    .
    Do the following:
    1. Enter a name for the authenticator.
    2. In the
      DUO MFA Configuration
      section, enter the API hostname, Integration key, and Secret key. You can find this information on the Applications tab in your organization's
      Duo
      account. For more information, see the Duo documentation.
    Duo
    Universal MFA
    Select this option if you want users to authenticate using
    Duo
    multi-factor authentication.
    Before you add
    Duo
    as an authenticator, you must create a Web SDK application. For instructions, see the
    Duo
    documentation
    .
    Do the following:
    1. Enter a name for the authenticator.
    2. In the
      DUO Universal MFA Configuration
      section, enter the API hostname, Client ID, and Client Secret. You can find this information on the Applications tab in your organization's
      Duo
      account. For more information, see the
      Duo
      documentation
      .
    Enterprise
    Select this option if you want users to authenticate using their credentials for
    Active Directory
    , LDAP, or 
    my
    Account
    . The credentials that a user will use depends on the account type that is the source for their user account in the console. Do the following:
    1. Enter a name for the authenticator.
    2. Click
      Save
      .
    FIDO
    Select this option if you want users to register a
    FIDO2
    device and use it verify their identity. Supported device types include smartphones, USB security keys, or
    Windows Hello
    1. Enter a name for the authenticator.
    2. Click
      Save
      .
    When
    FIDO
    is the first factor of authentication and a user registers a device for the first time, a one-time password is also sent to the email address that they use to sign in. When
    FIDO
    is used as a second factor in a policy, a one-time password isn’t required when a user registers a device for the first time.
    For information about how to remove registered devices from a user account, see Remove a registered
    FIDO
    device for a user account
    in the Administration content.
    Integrated Directory (
    Active Directory
    /
    Entra ID
    /LDAP)
    Select this option if you want users to enter their
    Active Directory
    password. If you select this option, your
    Cylance Endpoint Security
    tenant must have a connection to the company directory instance. For more information, see Linking to your company directory. Do the following:
    1. Enter a name for the authenticator.
    2. Click
      Save
      .
    IP Address
    Select this option if you want to restrict users’ access based on their IP address. You can create multiple IP address authenticators and use them to manage access for different groups, but you can only assign one IP address authenticator in a policy.
    For a walkthrough of the steps to add or remove IP Address restrictions for the console, see Add an IP Address restriction authenticator for the Cylance console.
    1. Enter a name for the authenticator.
    2. In the
      IP address ranges
      field, specify one or more IP addresses, IP ranges, or CIDRs. Separate entries with a comma. For example, IP range: 192.168.0.100-192.168.1.255 or CIDR: 192.168.0.10/24.
    3. Click
      Save
      .
    Local Account
    Select this option if you want users to enter their
    BlackBerry Online Account
    (
    my
    Account
    ) credentials. Do the following:
    1. Enter a name for the authenticator.
    2. Click
      Save
      .
    Okta
    MFA
    Select this option if you want users to authenticate using
    Okta
    . Do the following:
    1. Enter a name for the authenticator.
    2. In the
      Okta MFA Configuration
      section, enter the Auth API Key and the Auth Domain.
    3. Click
      Save
      .
    Okta
    (OIDC)
    Select this option if you want users to authenticate using
    Okta
    . Do the following:
    1. In the drop-down list below
      Okta
      , select
      OIDC
      .
    2. Enter a name for the authenticator.
    3. In the
      Identity Provider Client
      section, enter the OIDC discovery document URL, the Client ID, and the Private key JWKS.
    4. Click
      Save
      .
    Okta
    (SAML)
    Select this option if you want users to enter their
    Okta
    credentials in the primary sign-in page and enable IDP-initiated access to the
    Cylance
    console.
    For a walkthrough of the steps to configure your
    Okta
    (SAML), see the following:
    The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<
    hash
    >.
    1. In the drop-down list below
      Okta
      , select
      SAML
      .
    2. Enter a name for the authenticator.
    3. If you want users to validate their email with a one-time code when they log in for the first time, turn on
      Validation required
      .
    4. In the
      Login request URL
      field, enter the identity provider's single sign-on URL.
    5. In the
      IDP signing certificate
      field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.
      When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
    6. In the
      SP Entity ID
      field, enter the “Audience URI (SP Entity ID)” that you recorded in the
      Okta
      portal. This field is required. The "SP Entity ID" value must match the “Audience URI (SP Entity ID)” value that you recorded in the IDP console.
    7. In the
      IDP entity ID
      field, paste the "IdentityProvider Issuer" that you recorded from
      Okta
      .
    8. In the
      Name ID format
      field, select the NameID format that you specified in the
      Okta
      (for example, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
    9. In the
      Email Claim
      field, type
      Email
      . This must match the “Attribute” name that you configured in the Okta console. The Email address ensures the correct user is signing in to the management console.
    10. Specify any other optional settings.
    11. Click
      Save
      .
    12. Open the Authenticator that you added. Record the Single Sign On URL. This URL will be added to the following fields in the
      Okta
      console > SAML Settings screen.
      • Single Sign On URL
      • Requestable SSO URLs
    OneLogin
    (OIDC)
    Select this option if you want users to authenticate using
    OneLogin
    . Do the following:
    1. In the drop-down list below
      OneLogin
      , select
      OIDC
      .
    2. Enter a name for the authenticator.
    3. If you want users to validate their email with a one-time code when they log in for the first time, turn on
      Validation required
      .
    4. In the
      OneLogin Configuration
      section, enter the OIDC discovery document URL, the Client ID, Client Secret, and Authentication Method.
    5. Click
      Save
      .
    OneLogin
    (SAML)
    Select this option if you want users to enter their
    OneLogin
    credentials in the primary sign-in page and enable IDP-initiated access to the
    Cylance
    console.
    For a walkthrough of the steps to configure your
    OneLogin
    (SAML), see the following:
    The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<
    hash
    >.
    1. Enter a name for the authenticator.
    2. If you want users to validate their email with a one-time code when they log in for the first time, turn on
      Validation required
      .
    3. In the
      Login request URL
      field, enter the identity provider's single sign-on URL.
    4. In the
      IDP signing certificate
      field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.
      When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
    5. In the
      SP Entity ID
      field, enter the “Identifier (Entity ID)” that you recorded in the OneLogin console. This field is required. The "SP Entity ID" value must match the “Identifier (Entity ID)” value that you recorded in the IDP console.
    6. Specify any other optional settings.
    7. Click
      Save
      .
    8. Open the Authenticator that you added. Record the Single Sign On URL. This URL will be added to the following fields in the OneLogin console:
      • ACS (Consumer) URL Validator*
      • ACS (Consume) URL*
      • Single Logout URL
    One-Time Password
    Select this option if you want users to enter a one-time password in addition to another type of authentication.
    If you select this option, you must also add another authenticator to your authentication policy and rank it higher than the one-time password.
    For a walkthrough of the steps to add and remove one-time password authentication for administrators, see the following:
    Do the following:
    1. Enter a name for the authenticator.
    2. In the
      One-Time Password Configuration
      section, in the first drop-down list, select a number of intervals in the drop-down list. Any code within the window is valid if it precedes or follows the expected code by the number of refresh intervals that you specify. The refresh interval is 30 seconds, and the default setting is 1.
    3. In the
      One-Time Password Configuration
      section, in the second drop-down list, specify the number of times that users can skip the OTP app setup and authenticate without entering a code.
    Ping Identity
    (OIDC)
    Select this option if you want users to authenticate using
    Ping Identity
    .Do the following:
    1. In the drop-down list below
      Ping
      , select
      OIDC
      .
    2. Enter a name for the authenticator.
    3. In the
      Identity Provider Client
      section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.
    4. In the
      ID token signing algorithm
      drop-down list, select a signing algorithm.
    5. Click
      Save
      .
    Ping Identity
    (SAML)
    Select this option if you want users to enter their
    Ping Identity
    credentials in the primary sign-in page and enable IDP-initiated access to the
    Cylance
    console.
    For a walkthrough of the steps to configure your
    Ping Identity
    (SAML), see the following:
    The SSO Callback URL is generated when you add the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<
    hash
    >.
    1. In the drop-down list below
      Ping Identity
      , select
      SAML
      .
    2. Enter a name for the authenticator.
    3. If you want users to validate their email with a one-time code when they log in for the first time, turn on
      Validation required
      .
    4. In the
      Login request URL
      field, enter the identity provider's single sign-on URL.
    5. In the
      IDP signing certificate
      field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.
      When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
    6. In the
      SP Entity ID
      field, enter the “Entity ID” that you recorded in the PingOne console. This field is required. The "SP Entity ID" value must match the “Entity ID” value that you recorded in the IDP console.
    7. Specify any other optional settings.
    8. Click
      Save
      .
    9. Open the Authenticator that you added. Record the
      Single Sign On
      URL. This URL will be required in the following PingOne console, Configuration screen fields:
      • Assertion Consumer Service (ACS)
      • Application URL
  4. Click
    Save
    .