Migrate custom authentication settings to the authenticators list
You can migrate your existing SAML authenticators to the authenticators list in Settings so that you can add them to authentication policies for users and groups or for your tenant. When you migrate the authenticators, you must update the single sign-on URL to the URL used by Cylance Endpoint Security. You must also update the NameID claim in your external IDP configuration so that it returns a persistent, immutable value instead of a user's email address, or create a claim in the identity provider that can be used as the Federated ID claim.

Before you migrate your settings, as a failsafe, you should create one authentication policy that requires only the Cylance console password and assign it to one administrator.

When you migrate the custom authentication settings, you must add the following Cylance Endpoint Security login request URL in the external identity provider: https://idp.blackberry.com/_/resume. Because external SAML configurations support a list of single sign-on or assertion consumer service reply URLs, in existing configurations you can add the new URL to the list as a secondary option or replace the original. For more information about SAML authenticators, see Considerations for adding SAML authenticators.
Download a copy of the signing certificate for your IDP.
1. In the management console, on the menu bar, click Settings > Application.
2. In the Custom authentication section, complete the following:
   - Copy the following information to a text file:
     - Provider name
     - Login URL
   - Select the Allow Password Login checkbox. For more information about this setting, see Custom authentication descriptions.
3. On the menu bar, click Settings > Authentication.
4. On the Authenticators tab, click Add authenticator.
5. In the Authenticator Type drop-down list, click the SAML authenticator that corresponds to the provider you copied in step 2 (for example, Entra or Okta), or click Custom SAML.
6. In the General Information section, enter a name for the authenticator.
7. In the SAML Configuration section, if you want to require users to validate their email with a one-time code when they log in for the first time, turn on Validation required.
8. In the Login request URL field, enter the single sign-on URL for the identity provider.
9. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines. When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.
10. Do one of the following:

    Task: Update the NameID and email claim values in the external identity provider.
    - Sign in to your external identity provider.
    - Update the single sign-on URL for Cylance Endpoint Security to https://idp.blackberry.com/_/resume. You can add this URL to the list alongside the existing login.<region>.cylance.com URL.
    - Edit the NameID claim so that it returns a persistent, immutable value (for example, objectGUID or a UUID) that can be used as the Federated ID claim instead of the user's email address. For instructions, see the documentation from the identity provider.
    - Create a new email claim that returns the user's email address.

    Task: Create a new claim in your external identity provider and add it to the authenticator settings.
    - Sign in to your external identity provider.
    - Update the single sign-on URL for Cylance Endpoint Security to https://idp.blackberry.com/_/resume. You can add this URL to the list alongside the existing login.<region>.cylance.com URL.
    - Create a new claim that returns a persistent, immutable ID for a user. For instructions, see the documentation from the identity provider.
    - In the Cylance management console, in the Email claim field, enter nameID. The nameID value must use a lowercase "n".
    - In the Federated ID claim field, enter the name of the new claim that you created in the external identity provider.
11. Click Save.
12. If you encounter issues logging in using the SAML authenticator in an authentication policy, you can download a sample SAML response from your IDP and validate the claim names.
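The IDP signing certificate step warns that altered line breaks or formatting break the pasted certificate. The following script is an added check, not part of the Cylance console or of this page: it inspects a pasted PEM body for the expected BEGIN and END lines, base64 lines of at most 64 characters, and a DER SEQUENCE whose declared length matches what was decoded, which catches a certificate that was truncated or padded during the paste. The certificate bytes it tests are a constructed stand-in (a SEQUENCE header followed by zero bytes), not a real certificate.

```python
"""Check a pasted PEM certificate body before saving it in the IDP signing certificate field.
Added example (not Cylance code); the certificate bytes below are a constructed stand-in."""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_length(der):
    """Decode the DER length field after the SEQUENCE tag; returns (content length, header size)."""
    if len(der) < 2:
        return None, None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    n = first & 0x7F                      # long form: n bytes of length follow
    if n == 0 or len(der) < 2 + n:
        return None, None
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_pem_certificate(pem_text):
    """Return a list of problems; an empty list means the pasted body is intact."""
    problems = []
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        problems.append(f"first line must be {BEGIN}")
    if not lines or lines[-1] != END:
        problems.append(f"last line must be {END}")
    body = [line for line in lines if line not in (BEGIN, END)]
    if any(len(line) > 64 for line in body):
        problems.append("a base64 line is longer than 64 characters: line breaks were altered")
    try:
        der = base64.b64decode("".join(body), validate=True)  # rejects spaces and stray characters
    except binascii.Error as exc:
        return problems + [f"body is not valid base64: {exc}"]
    # An X.509 certificate is one DER SEQUENCE (tag 0x30) whose declared length covers the whole blob.
    if not der or der[0] != 0x30:
        return problems + ["decoded data does not start with a DER SEQUENCE, so this is not a certificate"]
    content_len, header_len = der_sequence_length(der)
    if content_len is None or header_len + content_len != len(der):
        problems.append(
            f"DER length mismatch: header declares {content_len} content bytes, "
            f"{len(der) - (header_len or 0)} decoded (certificate truncated or padded)"
        )
    return problems


# Constructed stand-in: a SEQUENCE header declaring 266 content bytes, followed by 266 zero bytes.
FAKE_DER = b"\x30\x82\x01\x0a" + bytes(266)
_b64 = base64.b64encode(FAKE_DER).decode("ascii")
SAMPLE_PEM = "\n".join([BEGIN, *(_b64[i:i + 64] for i in range(0, len(_b64), 64)), END])

if __name__ == "__main__":
    print("intact:", check_pem_certificate(SAMPLE_PEM) or "OK")
    truncated = "\n".join(SAMPLE_PEM.splitlines()[:-2] + [END])   # last base64 line lost in the paste
    print("truncated:", check_pem_certificate(truncated))
```

To check a real download, read the file you exported from the IDP and pass its text to check_pem_certificate before pasting it into the console; an empty list means the body decodes to a complete DER structure, which is the most common thing a paste breaks.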
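The last step says to download a sample SAML response and validate the claim names. The following script is an added example, not BlackBerry or Cylance code: it parses a saved response offline and checks it against the settings in this procedure, namely that the response is addressed to the login request URL https://idp.blackberry.com/_/resume, that the name entered in the Email claim field resolves to an e-mail address, and that the name entered in the Federated ID claim field resolves to a non-empty value that is not an e-mail address (when NameID serves as the Federated ID, it must no longer use the emailAddress format). The three sample responses are constructed, and the mapping of the first option to an Email claim of "email" with "nameID" as the Federated ID claim is my assumption, not something the page states.

```python
"""Offline check of a sample SAML response against the claim settings above.
Added example (not BlackBerry or Cylance code); all sample responses are constructed."""
import xml.etree.ElementTree as ET  # fine for a file you saved yourself; use defusedxml for untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
LOGIN_REQUEST_URL = "https://idp.blackberry.com/_/resume"  # login request URL from the procedure
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def check_saml_response(xml_text, email_claim, federated_id_claim):
    """Return a list of problems; an empty list means the response fits the authenticator settings.

    email_claim and federated_id_claim are the names entered in the Email claim and
    Federated ID claim fields. "nameID" means the value is read from <saml:NameID>.
    """
    problems = []
    root = ET.fromstring(xml_text)

    # The IDP must post the response to the Cylance login request URL.
    destination = root.get("Destination")
    if destination != LOGIN_REQUEST_URL:
        problems.append(f"Destination is {destination!r}, expected {LOGIN_REQUEST_URL!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no <saml:Assertion>"]

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    name_id_format = name_id.get("Format", "") if name_id is not None else ""

    # Flatten the AttributeStatement into {claim name: first value}.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if values else ""

    def claim_value(name):
        return name_id_value if name == "nameID" else claims.get(name, "")

    # Email claim: must resolve to an e-mail address.
    email = claim_value(email_claim)
    if "@" not in email:
        problems.append(f"Email claim {email_claim!r} did not yield an e-mail address (got {email!r})")

    # Federated ID claim: must exist and be an immutable ID, never the e-mail address.
    if federated_id_claim == "nameID" and name_id_format == EMAIL_FORMAT:
        problems.append("NameID still uses the emailAddress format; change it to a persistent value")
    fed_id = claim_value(federated_id_claim)
    if not fed_id:
        problems.append(f"Federated ID claim {federated_id_claim!r} is missing or empty (claims present: {list(claims)})")
    elif "@" in fed_id:
        problems.append(f"Federated ID claim {federated_id_claim!r} looks like an e-mail address ({fed_id!r})")
    return problems


def sample_response(name_id, name_id_format, claims):
    """Build a minimal, unsigned, constructed SAML response for exercising the checks."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in claims.items()
    )
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_constructed" Version="2.0" Destination="{LOGIN_REQUEST_URL}">'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>'
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


# Constructed samples: before migration, and after each of the two options in the "Do one of the following" step.
LEGACY = sample_response("alice@example.com", EMAIL_FORMAT, {})
OPTION_1 = sample_response("c0ffee00-0000-4000-8000-constructed", PERSISTENT_FORMAT, {"email": "alice@example.com"})
OPTION_2 = sample_response("alice@example.com", EMAIL_FORMAT, {"objectGUID": "c0ffee00-0000-4000-8000-constructed"})

if __name__ == "__main__":
    for label, xml_text, email_claim, fed_claim in [
        ("legacy, nameID used for both", LEGACY, "nameID", "nameID"),
        ("option 1, email + nameID", OPTION_1, "email", "nameID"),
        ("option 2, nameID + objectGUID", OPTION_2, "nameID", "objectGUID"),
    ]:
        print(f"{label}: {check_saml_response(xml_text, email_claim, fed_claim) or 'OK'}")
```

To use it on your own sample, read the downloaded response (base64-decode it first if the IDP gives you the raw SAMLResponse form value) and call check_saml_response with exactly the names you typed into the Email claim and Federated ID claim fields; a claim name that differs only in case from the attribute the IDP sends shows up as "missing or empty", which is the mismatch the last step asks you to look for.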