Considerations for adding SAML authenticators
When you add a SAML authenticator, the login request URL and IDP signing certificate values are required. You should note the following considerations for optional fields.
When you configure an external identity provider, you must add the Cylance Endpoint Security login request URL. The URL must be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>. Because external SAML configurations support a list of single sign-on or assertion consumer service reply URLs, in an existing configuration you can add the new or newly generated URL to the list as a secondary option or replace the original. If you created your authenticator before December 2023 and you want users to access the Cylance console using single sign-on, you must generate an updated login request URL. For more information on updating your authenticator, see Considerations for adding SAML authenticators.

Item | Description |
---|---|
NameID format | You can use this field to specify an optional name identifier format to request from the identity provider. |
Federated ID claim | You can use this field to specify an optional claim value that is used as your federated ID to link accounts across systems. The default value is NameID. If your IDP is set up to return the identifier in a claim other than NameID, you must specify that claim in this field. Use a unique, immutable, and persistent value in this claim (for example, an objectGUID or UUID). Using a value that is not unique or is susceptible to change, such as an email address, is not recommended. When users log in, Cylance Endpoint Security uses the value in the Federated ID claim to create a unique ID for the user that maps their identities in both systems. After you specify the value to use as the federated ID claim, it cannot be changed, because it is used to link a user in the external identity provider and Cylance Endpoint Security after they log in for the first time. |
Active Directory claim | You can use this field to specify an optional claim value that is used to match Active Directory objectGUIDs across systems to validate users. |
Email claim | You can use this field to specify an optional claim value that is used to match email addresses across systems. The default value is "email". Cylance Endpoint Security requires that all SAML responses contain the user's full email address, and it must match the email address that is registered with Cylance Endpoint Security. If your IDP is set up to return the email address in a claim other than "email", you must specify that claim in this field. For example, if the claim configured in your IDP is called "emailAddress", set "emailAddress" in the Email claim field. If the claim names do not match, users cannot sign in. |
SP entity ID | You can use this field to specify an optional service provider entity ID to send to the identity provider (also known as the issuer string). For Entra SAML authenticators this field is required, and the value that you enter must match the Identifier (Entity ID) in the SAML configuration in Entra. |
IDP entity ID | You can use this field to specify an optional identity provider entity ID (also known as the IDP Issuer). If provided, the IDP issuer will be validated on all responses. |
Accepted clock drift | You can use this field to specify, in milliseconds, the acceptable clock drift between the client and the server. Keep this value small: the tolerance extends the NotBefore and NotOnOrAfter validity window of every assertion, so a large drift lengthens the time during which an assertion is still accepted. |
Signature algorithm | You can use this field to specify the signature algorithm for signing requests. |
Signature private key | You can use this field to specify, in PEM format, an optional private key that is used to sign all outgoing requests. |
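The claim mapping and checks that the Email claim, Federated ID claim, IDP entity ID and Accepted clock drift rows describe, as an added example written for this page (not BlackBerry's or Cylance Endpoint Security's own code): it reads a constructed SAML assertion with Python's standard library, pins the IDP entity ID, applies the accepted clock drift to the validity window, then resolves the configured claim names. The IDP entity ID, the sample assertion, the registered address, the `demo` helper and the case-insensitive email comparison are all assumptions; verification of the response signature against the IDP signing certificate is assumed to have happened already and is not shown.

```python
"""Claim mapping and validity checks for one SAML assertion, following the
Email claim, Federated ID claim, IDP entity ID and Accepted clock drift
fields described above. Constructed example, not BlackBerry product code.
ASSUMPTION: the response signature was already verified; nothing below checks it."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass(frozen=True)
class AuthenticatorConfig:
    email_claim: str = "email"            # page default
    federated_id_claim: str = "NameID"    # page default
    idp_entity_id: Optional[str] = None   # validated on every response if set
    accepted_clock_drift_ms: int = 0


class SamlRejected(Exception):
    """Assertion failed a configured check; the user cannot sign in."""


def _utc(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing 'Z', e.g. 2024-01-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _claims(assertion: ET.Element) -> Dict[str, List[str]]:
    """Collect the Subject NameID plus every Attribute as name -> values."""
    claims: Dict[str, List[str]] = {}
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if name_id:
        claims["NameID"] = [name_id.strip()]
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        claims[attr.get("Name", "")] = [v.text.strip() for v in values if v.text]
    return claims


def resolve_identity(assertion_xml: str, cfg: AuthenticatorConfig,
                     now: datetime, registered_emails: Set[str]) -> Dict[str, str]:
    """Return {"email", "federated_id"} for an acceptable assertion, else raise."""
    assertion = ET.fromstring(assertion_xml)
    # IDP entity ID: when configured, the Issuer must match exactly.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if cfg.idp_entity_id is not None and issuer != cfg.idp_entity_id:
        raise SamlRejected(f"issuer {issuer!r} != configured IDP entity ID")
    # Accepted clock drift widens the NotBefore/NotOnOrAfter window on both sides.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise SamlRejected("assertion has no usable Conditions element")
    drift = timedelta(milliseconds=cfg.accepted_clock_drift_ms)
    if not (_utc(cond.get("NotBefore")) - drift <= now < _utc(cond.get("NotOnOrAfter")) + drift):
        raise SamlRejected("assertion outside its validity window")
    claims = _claims(assertion)
    # Email claim: the configured claim name must exist and its value must
    # match a registered address; "email" vs "emailAddress" blocks sign-in.
    email_values = claims.get(cfg.email_claim) or []
    if not email_values:
        raise SamlRejected(f"no {cfg.email_claim!r} claim in assertion")
    email = email_values[0].lower()  # assumption: registry stores lowercase
    if email not in registered_emails:
        raise SamlRejected(f"{email} is not a registered user")
    # Federated ID claim: the stable key that links the two accounts.
    fed_values = claims.get(cfg.federated_id_claim) or []
    if not fed_values:
        raise SamlRejected(f"no {cfg.federated_id_claim!r} claim in assertion")
    return {"email": email, "federated_id": fed_values[0]}


# Constructed sample assertion, not captured from any real IDP. The IDP puts
# the address in "emailAddress" (not the default "email") and also sends a
# stable objectGUID, the kind of value the Federated ID claim should carry.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>Alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>Alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="objectGUID"><saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical IDP entity ID, claim names renamed to match the sample, 5 s drift.
SAMPLE_CONFIG = AuthenticatorConfig(
    email_claim="emailAddress", federated_id_claim="objectGUID",
    idp_entity_id="https://idp.example.com/metadata", accepted_clock_drift_ms=5000)


def demo(seconds_after_expiry: int = 0, cfg: AuthenticatorConfig = SAMPLE_CONFIG) -> str:
    """Evaluate the sample at NotOnOrAfter + N s; return the federated ID or the reason."""
    now = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc) + timedelta(seconds=seconds_after_expiry)
    try:
        return resolve_identity(SAMPLE_ASSERTION, cfg, now, {"alice@example.com"})["federated_id"]
    except SamlRejected as err:
        return f"rejected: {err}"
```

`demo(3)` returns the objectGUID because three seconds past NotOnOrAfter still falls inside the 5 s drift, while `demo(6)` is rejected. With a default `AuthenticatorConfig()` the same assertion is rejected because it carries no claim named "email", which is the mismatch the Email claim row warns about; with only `email_claim="emailAddress"` set, the federated ID falls back to the NameID. Production code should parse untrusted XML with a hardened parser such as defusedxml rather than bare `xml.etree`.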