Considerations for adding SAML authenticators
When you add a SAML authenticator, the login request URL and IDP signing certificate values are required. You should note the following considerations for optional fields.
Login request URL
When you configure an external identity provider, you must add the following Cylance Endpoint Security login request URL: https://idp.blackberry.com/_/resume. Because external SAML configurations support a list of single sign-on or assertion consumer service reply URLs, in existing configurations you can add the new URL to the list as a secondary option or replace the original.
Name ID format
You can use this field to specify an optional name identifier format to request from the identity provider.
Federated ID claim
You can use this field to specify an optional claim value that is used as your federated ID to link accounts across systems. The default value is NameID.
If your IDP is set up to return the email address in a claim other than "NameID", you must specify the claim in this field. You should use a unique, immutable, and persistent value in this claim (for example, an objectGUID or UUID). Using a value that is not unique or that can change, such as an email address, is not recommended. When users log in, Cylance Endpoint Security will use the value in the Federated ID claim to create a unique ID for the user to map their identities in both systems.
After you specify the value to use as the federated ID claim, it cannot be changed because it is used to link a user in the external identity provider and Cylance Endpoint Security after they log in for the first time.
Active Directory claim
You can use this field to specify an optional claim value that is used to match Active Directory objectGUIDs across systems to validate users.
Email claim
You can use this field to specify an optional claim value that is used to match email addresses across systems. The default value is 'email'.
Cylance Endpoint Security requires that all SAML responses contain the user's full email address, and it must match the email address that is registered with Cylance Endpoint Security. If your IDP is set up to return the email address in a claim other than "email", you must specify the claim in this field. For example, if the claim configured in your IDP is called "emailAddress", then you must set "emailAddress" in the Email Claim field. If these do not match, users cannot sign in.
SP entity ID
You can use this field to specify an optional service provider entity ID to send to the identity provider (also known as the issuer string).
For Azure SAML authenticators, this field is required, and the value that you enter must match the Identifier (Entity ID) in the SAML configuration in
IDP entity ID
You can use this field to specify an optional identity provider entity ID (also known as the IDP Issuer). If provided, the IDP issuer will be validated on all responses.
Accepted clock drift
You can use this field to specify, in milliseconds, the acceptable clock drift between client and server.
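The following is an added example, not Cylance Endpoint Security code, showing how the Federated ID claim, Email claim, IDP entity ID and Accepted clock drift settings described above would be applied to a SAML response. The response, issuer URL, email address and objectGUID are constructed sample values; signature verification is out of scope here.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample response; issuer, e-mail and GUID are made-up values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
 <saml:Assertion>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
   <saml:Attribute Name="emailAddress"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="objectGUID"><saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
# Assumed settings: e-mail arrives in "emailAddress" (not the default "email"), objectGUID is the federated ID.
SETTINGS = {"idp_entity_id": "https://idp.example.test/saml", "email_claim": "emailAddress",
            "federated_id_claim": "objectGUID", "clock_drift_ms": 30000}
def _ts(s):  # SAML timestamps are UTC; the "Z" suffix is normalised for fromisoformat
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def _claim(assertion, name):
    """'NameID' reads the Subject; any other name reads the matching Attribute."""
    if name == "NameID":
        return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return attr.findtext("saml:AttributeValue", namespaces=NS)
    return None

def check_response(xml_text, settings, now_iso, registered_email):
    """Apply the checks described on this page; returns (federated_id, errors)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    errors = []
    # IDP entity ID: when configured, the issuer is validated on every response.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if settings.get("idp_entity_id") and issuer != settings["idp_entity_id"]:
        errors.append(f"IDP issuer mismatch: {issuer!r}")
    # Accepted clock drift (milliseconds) widens the NotBefore/NotOnOrAfter window.
    drift = timedelta(milliseconds=settings.get("clock_drift_ms", 0))
    cond, now = assertion.find("saml:Conditions", NS), _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) - drift <= now < _ts(cond.get("NotOnOrAfter")) + drift):
        errors.append("assertion outside its validity window")
    # Email claim must match the registered address; the federated ID claim is the stable link value.
    email = _claim(assertion, settings.get("email_claim", "email"))
    if not email or email.lower() != registered_email.lower():
        errors.append("email claim missing or does not match registered user")
    fed_id = _claim(assertion, settings.get("federated_id_claim", "NameID"))
    if not fed_id:
        errors.append("federated ID claim missing")
    return fed_id, errors
```

With the default settings (empty dict) the same response fails, because the email is not in a claim named "email", which is the mismatch the Email claim section warns about.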
Signature algorithm
You can use this field to specify the signature algorithm for signing requests.
Signature private key
You can use this field to specify, in PEM format, an optional private key that is used to sign all outgoing requests.