Enterprise SSO

Single sign-on (SSO) enables you to integrate Taegis™ XDR access with a localized corporate authentication system, termed a connection in XDR.

With SSO enabled, XDR users utilize their corporate authentication credentials when accessing XDR, which means if you are logged in to your corporate network, you no longer need a separate password or MFA to log in to XDR.

Important

Users still need a user account created in XDR, with an applicable role, using the same email address as in your corporate authentication system. The email address is what links the two authentication systems on a per-user basis.

Enabling SSO provides the following benefits:

Prerequisites

Security Assertion Markup Language 2.0 is a version of the SAML standard for exchanging authentication and authorization identities between security domains.

Your authentication system must be compatible with the SAML 2.0 authentication protocol to set up an integration with XDR.

Enterprise SSO Overview

Important

If you have been supplied XDR through a Partner (MSSP) organization, please confirm with your Partner that SSO integration is supported before continuing.

Tenant Administrators can manage SSO connections via the Enterprise SSO page. To access this page, from the Secureworks® Taegis™ XDR left-hand side navigation, select Tenant Settings → Enterprise SSO.

Note

Enterprise SSO is only configurable by users with the Tenant Admin role.

Taegis™ XDR SSO

Current SSO connections display as summary cards with the number of domains, number of test users, expiration date of the signing certificate, and one of the following statuses of the connection below the name:

Select a summary card to review the connection details, change the status, edit details, or delete the connection. For connections in Draft status, select the summary card to complete the configuration.

You can also change the status or delete the connection by selecting the menu icon from the bottom-right corner of a card on the Enterprise SSO page.

Add New SSO Connection

Tenant Administrators can configure up to six SSO connections per tenant. Specified domains must be unique per connection and not span across connections.

To set up a new connection, follow these steps:

  1. From the Taegis™ XDR left-hand side navigation, select Tenant Settings → Enterprise SSO.
  2. Select + Add Connection. The Add a New Connection panel displays. Use the guidance within each of the following sections to complete configuration.

Add a New SSO Connection

General Settings

Provide the following information in General Settings, and then select Create Draft Connection & Continue:

Important

Only Test Users are subject to the SSO rules once the connection is moved into Testing status. Once the connection is moved into Enabled status, all users from the specified Email Domains are subject to the SSO rules.

We recommend you exclude XDR Tenant Admin users from Test Users in case there are issues. This way the Tenant Admin can log in to XDR directly to make any necessary changes to the connection.

Service Provider Settings

Within the SSO configuration, Taegis™ XDR is defined as the Service Provider while your authentication system (Active Directory, PingFederate, Okta, etc.) is defined as the Identity Provider. After defining the SSO connection, Service Provider details will need to be added within your authentication system. Consult the documentation specific to your authentication system for details on how this information should be used.

Service Provider Settings

Copy the Entity ID and Service URL in Service Provider Settings by selecting the copy icon to the left of these items for use in your authentication system as needed, and then select Next.

Identity Provider Settings

Having copied the Service Provider details from Taegis™ XDR into your Identity Provider configuration, Taegis™ XDR now requires information from the Identity Provider to complete the connection to your Tenant. Any user requiring access to XDR still needs an account created within XDR, but password and MFA authentication are handled by your corporate authentication system, such as Okta or Active Directory.

Identity Provider Settings

In Identity Provider Settings, supply the following details from your authentication system to integrate with XDR:

Use one of the following methods to supply these details:

Select Next once complete to review the connection.

Note

SAML Attributes

The identity provider must be configured to return the user’s email address in the SAML assertion. Configuration for this is provider specific. The name of the SAML attribute to return should be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress and the value set to the email address. The email address returned in the SAML assertion must match the email address registered with XDR.
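An added example (not Secureworks code) showing how an administrator could sanity-check an IdP's SAML output against the two requirements above: the emailaddress claim must be present, and its value must correspond to a user already registered in XDR. The SAML response and the XDR user list are constructed samples; treating the email comparison as case-insensitive is an assumption, and signature validation is deliberately out of scope.

```python
"""Check that a SAML assertion carries the e-mail claim Taegis XDR expects.

Added example, not Secureworks code. Parses a constructed SAML Response and
verifies the emailaddress claim is present and matches a registered XDR user.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

# Attribute name XDR requires in the assertion (from the documentation above).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response, trimmed to the parts relevant to this check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>J.Doe@Example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed list of accounts that already exist in XDR (stored lower-case).
XDR_USERS = {"j.doe@example.com", "admin@example.com"}


def extract_email_claim(response_xml: str) -> Optional[str]:
    """Return the emailaddress claim value, or None if the IdP did not send it."""
    root = ET.fromstring(response_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return value.text.strip()
    return None


def check_assertion(response_xml: str, xdr_users: Set[str]) -> Tuple[bool, str]:
    """Mirror the two documented conditions: claim present, e-mail registered."""
    email = extract_email_claim(response_xml)
    if email is None:
        return False, "IdP did not return the emailaddress claim; fix the IdP attribute mapping"
    if email.lower() not in xdr_users:  # assumption: case-insensitive match
        return False, f"{email} has no XDR user account; create the user with this address first"
    return True, f"{email} maps to an existing XDR user"
```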

Review Connection

In Review Connection, confirm that all entered information is correct, and then choose Save Connection.

Review Connection

The new connection now appears as a summary card on the Enterprise SSO page in Testing status.

Test and Confirm SSO Connection

After you have completed the steps to add a new SSO connection, select the summary card for the connection from Tenant Settings → Enterprise SSO. Select Test from the bottom of the connection details to confirm the configuration settings are operational. If there are any errors reported, reapply the settings and retest until successful.

Test Connection

We recommend you test the SSO connection for a limited number of test users initially, excluding the XDR Tenant Admin in case changes need to be made to the configuration settings. This way the XDR Tenant Admin can log in directly to make any necessary changes to the connection.

Test that the SSO connection works as expected for the specified Test Users only by ensuring the status of the connection is set to Testing. New connections are created in Testing status automatically, but you can alter the status if needed by following the steps below.

Note

In Testing status, only users specified as Test Users are subject to the SSO connection rules.

Test Users should access XDR by entering their email address only. The logon screen removes the password field and in its place displays the following message: Single Sign-on is enabled. You will be redirected to your organization's identity provider to complete login. Choose Continue.

If the user is authenticated on your corporate network already, access is granted. If the user is not authenticated on your corporate network, then XDR will direct the user through the corporate authentication process before access to XDR is granted.

After several users have successfully accessed XDR via SSO, change the connection status to Enabled so all users within the specified domain(s) are subject to SSO.

Note

Identity provider initiated logins are not supported. This includes testing the connection from identity provider configuration panels. All logins must be initiated from XDR.

Change Connection Status

Note

You must complete the configuration for connections in Draft status by selecting the summary card prior to changing the status.

To change the status of a connection, from the Enterprise SSO page:

  1. Select the menu icon from the lower-right corner of a connection summary card and choose Change Status, or select a summary card to view the connection details and choose Change Status from the top right of the page.
  2. Select the status you wish to change the connection to.
  3. Choose Save.

Change Connection Status

Edit Connection Details

Note

You must complete the configuration for connections in Draft status by selecting the summary card prior to editing.

To edit the details of a connection, from the Enterprise SSO page:

  1. Select a summary card to view the connection details.
  2. Choose Edit from the General Settings or Identity Provider Settings.

Edit Connection Details

  3. Make the desired changes and select Save.

Delete Connection

Note

Connections must be changed to a Disabled status before they can be deleted.

To delete a connection, from the Enterprise SSO page:

  1. Select the menu icon from the lower-right corner of a connection summary card and choose Delete, or select a summary card to view the connection details and choose Delete.
  2. Type the word delete to confirm this action is required and then choose Confirm Delete.

Delete Connection

  3. The connection is removed.

Knowledge Base Resource

Find guidance for configuring Enterprise SSO with Azure AD in this Knowledge Base article.