Enterprise SSO
Single sign-on (SSO) enables you to integrate Secureworks® Taegis™ XDR access with a localized corporate authentication system, termed a connection in XDR.
With SSO enabled, XDR users sign in with their corporate authentication credentials. If you are already logged in to your corporate network, you no longer need a separate password or MFA to log in to XDR.
Important
Users still require a user account to be created in XDR, including an applicable role, with the same email address used in your corporate authentication system. The email address is what links the two authentication systems on a per-user basis.
Enabling SSO provides the following benefits:
- XDR adheres to your password and MFA standards
- No need for a separate MFA system or remembering an additional password
- User administration is centralized in your corporate authentication system, since that system is linked to XDR
- Once your session times out and you need to log back in, there is no need for password and MFA entry to reaccess the system
Prerequisites
Security Assertion Markup Language 2.0 (SAML 2.0) is the version of the SAML standard for exchanging authentication and authorization identities between security domains.
Your authentication system must support the SAML 2.0 authentication protocol to set up an integration with XDR.
Enterprise SSO Overview
Important
If you have been supplied XDR through a Partner (MSSP) organization, please confirm with your Partner that SSO integration is supported before continuing.
Tenant Administrators can manage SSO connections via the Enterprise SSO page. To access this page, select Tenant Settings → Enterprise SSO from the Taegis Menu.
Note
Enterprise SSO is only configurable by users with the Tenant Admin role.
XDR SSO
Current SSO connections display as summary cards with the number of domains, expiration date of the signing certificate, and one of the following statuses of the connection below the name:
- Enabled — All users whose email login credentials match the domains specified in the SSO configuration will access XDR using SSO.
- Disabled — The SSO connection is not active for any users with email addresses matching the configured domains. Only disabled connections can be deleted.
- Draft — A connection is moved into Draft status if the configuration is incomplete. This may happen if an update is applied and the system reboots, if there are issues on the browser, etc.
Select a summary card to review the connection details, change the status, edit details, or delete the connection.
You can also change the status or delete the connection by selecting the menu icon from the bottom-right corner of a card on the Enterprise SSO page.
Add New SSO Connection
Tenant Administrators can configure up to six SSO connections per tenant. Specified domains must be unique per connection and not span across connections.
To set up a new connection, follow these steps:
- From the Taegis Menu, select Tenant Settings → Enterprise SSO.
- Select + Add Connection. The Add a New Connection panel displays. Use the guidance within each of the following sections to complete configuration.
Add a New SSO Connection
General Settings
Provide the following information in General Settings:
- Display Name — Enter a descriptive name for the connection to easily identify it for audit and in case you configure multiple.
- Email Domains — Enter all domains for approved email addresses, separated by commas; e.g., company.com, companytemp.com, company123.com.
Once these details have been provided, select Create Draft Connection & Continue.
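The two constraints stated above (at most six connections per tenant, and each email domain belonging to exactly one connection) are easy to get wrong when several administrators maintain connections. The following added example, which is not Secureworks code, models a tenant's connection list, reports constraint violations, and resolves which Enabled connection a given login email would fall under. It assumes that a login email's domain is matched exactly and case-insensitively against the configured domains (no subdomain matching); the page does not specify matching rules, so treat that as an assumption.

```python
from dataclasses import dataclass
from typing import Optional

MAX_CONNECTIONS = 6  # per-tenant limit stated on this page


@dataclass
class SsoConnection:
    display_name: str
    email_domains: str            # as typed into the form: comma-separated list
    status: str = "Disabled"      # Enabled, Disabled or Draft (new connections start Disabled)

    def domains(self) -> set[str]:
        """Normalise the comma-separated field: trim, lower-case, drop empties."""
        return {d.strip().lower() for d in self.email_domains.split(",") if d.strip()}


def validate_connections(conns: list[SsoConnection]) -> list[str]:
    """Return the constraint violations; an empty list means the set is acceptable."""
    problems = []
    if len(conns) > MAX_CONNECTIONS:
        problems.append(f"{len(conns)} connections exceed the limit of {MAX_CONNECTIONS}")
    owner: dict[str, str] = {}   # domain -> display name of the connection that claimed it
    for conn in conns:
        if not conn.domains():
            problems.append(f"{conn.display_name}: no email domains configured")
        for domain in sorted(conn.domains()):
            if domain in owner:
                problems.append(
                    f"domain {domain} appears in both {owner[domain]} and {conn.display_name}"
                )
            else:
                owner[domain] = conn.display_name
    return problems


def connection_for_login(email: str, conns: list[SsoConnection]) -> Optional[str]:
    """Name of the Enabled connection covering this login email, or None
    (the user then logs in with an XDR password and MFA).
    Assumption: exact domain match, case-insensitive; subdomains are not matched."""
    _local, sep, domain = email.rpartition("@")
    if not sep or not domain:
        return None
    domain = domain.lower()
    for conn in conns:
        if conn.status == "Enabled" and domain in conn.domains():
            return conn.display_name
    return None


if __name__ == "__main__":
    # Constructed sample tenant with one Enabled and one Disabled connection.
    tenant = [
        SsoConnection("Corporate", "company.com, companytemp.com", "Enabled"),
        SsoConnection("Lab", "lab.example", "Disabled"),
    ]
    print(validate_connections(tenant))
    print(connection_for_login("JDoe@Company.com", tenant))
    print(connection_for_login("someone@lab.example", tenant))
```

Only connections in Enabled status route a user to SSO; a Disabled or Draft connection leaves users of those domains on the ordinary password and MFA login, which is why the lookup checks status before the domain.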
Service Provider Settings
Within the SSO configuration, XDR is defined as the Service Provider while your authentication system (Active Directory, PingFederate, Okta, etc.) is defined as the Identity Provider.
Service Provider Settings
The Entity ID and Service URL in Service Provider Settings can be copied by selecting the copy icon to the left of these items. These are required when defining a connection within your corporate identity provider.
Once these details have been gathered, select Next.
Identity Provider Settings
At this stage, you will be required to complete the configuration of your corporate identity provider connection.
SAML Attributes
Important
The identity provider needs to be set up to return the user's email address in the SAML assertion; how this is done differs by provider. The SAML attribute for the email address should be named http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, with the value set to the user's email address.
Additionally, the identity provider should confirm that the email is verified by including another attribute, email_verified = true, as a string.
XDR will require information from the identity provider to complete the connection to your Tenant. Any user requiring access to XDR still needs an account created within XDR, but password and MFA authentication will be handled by your corporate authentication system, such as Okta or Active Directory.
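Before wiring the identity provider into XDR, it is worth confirming that a test assertion from the provider actually carries the two attributes described above, with the exact attribute name and the string value true. The following added example, which is not Secureworks code, parses a SAML assertion and reports any deviation from those requirements; it also checks that the asserted email's domain is one of the connection's configured domains. The sample assertion is constructed (unsigned, for attribute inspection only); in practice you would feed it the decoded assertion XML produced by your provider's test or trace tool.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_VERIFIED_ATTR = "email_verified"

# Constructed sample assertion: no signature, no conditions; enough for attribute checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@company.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jdoe@company.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email_verified">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map each SAML attribute Name to its list of string values."""
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_xdr_attributes(assertion_xml: str, allowed_domains: list[str]) -> list[str]:
    """Return the problems found; an empty list means the assertion meets the page's requirements."""
    problems = []
    attrs = extract_attributes(assertion_xml)

    emails = attrs.get(EMAIL_CLAIM, [])
    if len(emails) != 1:
        problems.append(f"expected exactly one {EMAIL_CLAIM} value, found {len(emails)}")
    else:
        email = emails[0].lower()
        _local, sep, domain = email.rpartition("@")
        if not sep or not domain:
            problems.append(f"email attribute is not an address: {emails[0]!r}")
        elif domain not in {d.strip().lower() for d in allowed_domains}:
            problems.append(f"email domain {domain!r} is not one of the connection's domains")

    # The page asks for the literal string "true"; a boolean-typed or capitalised value is flagged.
    verified = attrs.get(EMAIL_VERIFIED_ATTR, [])
    if verified != ["true"]:
        problems.append(f"{EMAIL_VERIFIED_ATTR} must be the string 'true', found {verified!r}")
    return problems


if __name__ == "__main__":
    print(check_xdr_attributes(SAMPLE_ASSERTION, ["company.com", "companytemp.com"]))
```

The check deliberately rejects more than one email value and anything other than the exact string true, since those are the two ways provider-side claim mappings most often drift from what is described above.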
Identity Provider Settings
- In Identity Provider Settings, supply the SAML Metadata XML URL from your Identity Provider and select Verify.
- Once Verify has been selected, the signing certificate will be displayed. This should be checked against your identity provider information to confirm that the correct details have been captured as a part of the connection. If the details do not appear as expected, check the metadata URL for any errors.
- Select Next once verified to review the connection.
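The Verify step above displays the signing certificate taken from the metadata URL, and asks you to compare it with what your identity provider published. The following added example, which is not Secureworks code, shows the same extraction done independently: it parses identity provider metadata XML, pulls out the entity ID, the single sign-on endpoints and the SHA-256 fingerprint of each signing certificate, and flags common metadata problems such as a missing signing key or a non-HTTPS endpoint. Fetching the URL is left out so the example runs offline; the metadata is a constructed sample whose certificate is a placeholder byte string rather than a real X.509 certificate (the fingerprint logic hashes the DER bytes and does not care).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata; the certificate is a placeholder, not a real certificate.
PLACEHOLDER_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(metadata_xml: str) -> dict:
    """Extract what the Verify step shows: entity ID, SSO endpoints, signing-cert fingerprints."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")

    fingerprints = []
    for key in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute may serve for signing as well as encryption.
        if key.get("use", "signing") != "signing":
            continue
        for cert in key.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())

    endpoints = {
        svc.get("Binding"): svc.get("Location")
        for svc in idp.iterfind("md:SingleSignOnService", NS)
    }
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": fingerprints,
        "sso_endpoints": endpoints,
    }


def find_problems(summary: dict, expected_fingerprint: Optional[str] = None) -> list[str]:
    """Checks worth making before selecting Next; pass the fingerprint your IdP publishes to compare."""
    problems = []
    if not summary["entity_id"]:
        problems.append("metadata has no entityID")
    if not summary["signing_cert_sha256"]:
        problems.append("no signing certificate in metadata")
    if not summary["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoints in metadata")
    for binding, location in summary["sso_endpoints"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {location!r}")
    if expected_fingerprint and expected_fingerprint.lower() not in summary["signing_cert_sha256"]:
        problems.append("signing certificate does not match the fingerprint published by the IdP")
    return problems


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    print(summary)
    print(find_problems(summary))
```

Comparing a fingerprint rather than eyeballing the certificate text is the reliable way to do the check described in the second step; if the fingerprints differ, the metadata URL is pointing at the wrong tenant or an outdated document.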
Review Connection
In Review Connection, confirm that the summarized information is correct, and select Save Connection.
Review Connection
The new connection now appears as a summary card on the Enterprise SSO page in a Disabled status.
Test and Confirm SSO Connection
After you have completed the steps to add a new SSO connection, select the summary card for the connection from Tenant Settings → Enterprise SSO. Select Test from the bottom of the connection details to confirm the configuration settings are operational. If there are any errors reported, reapply the settings and retest until successful.
Review Connection
After you have successfully tested the connection, change the connection status to Enabled so all users within the specified domain(s) are subject to SSO.
Note
Identity provider initiated logins are not supported. All logins must be initiated from XDR.
Change Connection Status
To change the status of a connection, from the Enterprise SSO page:
- Select the menu icon from the lower-right corner of a connection summary card and choose Change Status, or select a summary card to view the connection details and choose Change Status from the right of the page.
Note
Any connection in Draft status must be updated by selecting the summary card rather than the menu icon.
- Select the desired connection status.
- Choose Save.
Change Connection Status
Edit Connection Details
To edit the details of a connection, from the Enterprise SSO page:
- Select a summary card to view the connection details.
- Choose Edit from the General Settings or Identity Provider Settings.
Edit Connection Details
- Make the desired changes and select Save.
Delete Connection
Note
Connections must be changed to a Disabled status before they can be deleted.
To delete a connection, from the Enterprise SSO page:
- Select the menu icon from the lower-right corner of a connection summary card and choose Delete, or select a summary card to view the connection details and choose Delete.
- Type the word delete to confirm this action, then choose Confirm Delete.
Delete Connection
- Returning to the Enterprise SSO page, verify the connection is removed.
Knowledge Base Resource
Find guidance for configuring Enterprise SSO with Azure AD in this Knowledge Base article.