Add an authenticator

Each authenticator defines one authentication method, such as a password (for example, an Endpoint Defense console password) or a connection to a third-party for authentication like Active Directory, Okta, or Ping Identity. You add them to authentication policies to specify the types of authentication that administrators must complete to sign in to the Endpoint Defense console and users must complete to activate the Aurora Protect Mobile app or Gateway agent. You can combine multiple authenticators in an authentication policy to provide multiple authentication steps. For example, you can combine the Enterprise authenticator with a one-time password prompt in a policy to require users to authenticate with both their work or Endpoint Defense console password and a one-time password.
  • Important: Verify that you have reviewed and completed the appropriate steps for Configure authentication for sign-in to the Endpoint Defense console before you configure your IDP SAML authenticator. If the required steps are not completed, the third-party authenticator will be unable to communicate with Cylance Endpoint Security. For more information, see:
  • If you add a SAML authenticator,
  1. On the menu bar, click Settings > Authentication.
  2. Click Add Authenticator.
  3. In the Authenticator Type list, select one of these options and complete its steps:
    • Entra (SAML) — Requires users to enter their Entra credentials on the primary sign-in page and enables IDP-initiated access to the Endpoint Defense console. The SSO Callback URL, which has the format https://login.eid.blackberry.com/_/resume/saml20/<hash>, is generated when you save the authenticator.
      Do these actions:
      1. Enter a name for the authenticator.
      2. If you want users to validate their email with a one-time code when they log in for the first time, click the Validation required toggle to the on position.

        The code is sent to the email address that is associated with the user in your tenant.

      3. In the Login request URL field, enter the Login URL that is specified in the app registration single sign-on settings for your identity provider. For example, in the Entra Portal, go to Enterprise Application > <Name of the newly created application> > Setting up application name section > Login URL.
      4. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.

        When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.

      5. In the SP entity ID field, enter the Identifier (Entity ID) that you recorded from the SAML configuration in the Entra portal. This field is required. The "SP Entity ID" value must match the "Identifier (Entity ID)" value that you recorded in the IDP console.
      6. Enable Show Advanced settings, and then in the Email claim field, paste the value from the "Claim Name" that you recorded in the Entra portal (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
      7. Specify any other optional settings.
      8. Click Save.
      9. Open the authenticator that you added. Record the SSO callback URL. This URL is required in the Entra portal > Basic SAML Configuration > Reply URL (Assertion Consumer URL) field.
    • Custom (SAML) — Requires users to enter custom credentials on the primary sign-in page and enables IDP-initiated access to the Endpoint Defense console.

      The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.

      Do these actions:

      1. Enter a name for the authenticator.
      2. If you want users to validate their email with a one-time code when they log in for the first time, click the Validation required toggle to the on position.
      3. In the Login request URL field, enter the identity provider's single sign-on URL.
      4. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.

        When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.

      5. In the SP Entity ID field, enter the "Audience URI (SP Entity ID)" that you recorded in the custom IDP portal. This field is required. The "SP Entity ID" value must match the "Audience URI (SP Entity ID)" value that you recorded in the IDP console.
      6. In the Name ID format field, specify the name identifier format to request from the IDP. For example, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
      7. In the Email claim field, enter NameID. This value must match the "NameID Format" that you specified in the IDP console. The email address ensures the correct user is signing in to the management console.
      8. Specify any other optional settings.
      9. Click Save.
      10. Open the authenticator that you added. Record the Single Sign On URL. This URL is added to the custom IDP.
    • Aurora Administrator Password — Requires users to enter their Endpoint Defense console credentials.
      Do these actions:
      1. Enter a name for the authenticator.
      2. Click Save.
    • Deny Authentication — Used in an authentication policy to prevent users or groups of users from accessing the Endpoint Defense console or another service. You can add another policy or an app exception to allow access to a subset of users.
      Do these actions:
      1. Enter a name for the authenticator.
      2. Click Save.
    • Duo MFA — Requires users to authenticate using Duo multi-factor authentication.
      Note:

      Duo has ended support for their Traditional Duo Prompt. For more information, see the Duo knowledge base. If this authenticator was added previously, it is displayed in the console as read-only. To add Duo multi-factor authentication, see Duo.

      Before you add Duo as an authenticator, you should create an Auth API application. For instructions, see the information from Duo.

      Do these actions:
      1. Enter a name for the authenticator.
      2. In the DUO MFA Configuration section, enter the API hostname, Integration key, and Secret key. You can find this information on the Applications tab in your organization's Duo account. For more information, see the Duo documentation.
    • Duo MFA Universal — Requires users to authenticate using Duo multi-factor authentication.

      Before you add Duo as an authenticator, you must create a Web SDK application. For instructions, see the Duo documentation.

      Do these actions:
      1. Enter a name for the authenticator.
      2. In the DUO Universal MFA Configuration section, enter the API hostname, Client ID, and Client Secret. You can find this information on the Applications tab in your organization's Duo account. For more information, see the Duo documentation.
    • Enterprise — Requires users to authenticate using their credentials for Active Directory, LDAP, or myAccount. The credentials that a user uses depend on the account type that is the source for their user account in the console.
      Do these actions:
      1. Enter a name for the authenticator.
      2. Click Save.
    • Okta MFA — Requires users to authenticate using Okta.
      Do these actions:
      1. Enter a name for the authenticator.
      2. In the Okta MFA Configuration section, enter the Auth API Key and the Auth Domain.
      3. Click Save.
    • Okta > SAML — Requires users to enter their Okta credentials on the primary sign-in page and enables IDP-initiated access to the Endpoint Defense console.

      The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.

      Do these actions:

      1. Enter a name for the authenticator.
      2. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required.
      3. In the Login request URL field, enter the identity provider's single sign-on URL.
      4. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.

        When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.

      5. In the SP Entity ID field, enter the "Audience URI (SP Entity ID)" that you recorded in the Okta portal. This field is required. The "SP Entity ID" value must match the "Audience URI (SP Entity ID)" value that you recorded in the IDP console.
      6. In the IDP entity ID field, paste the "IdentityProvider Issuer" that you recorded from Okta.
      7. In the Name ID format field, select the NameID format that you specified in the Okta console (for example, urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
      8. In the Email Claim field, enter Email. This must match the "Attribute" name that you configured in the Okta console. The Email address ensures the correct user is signing in to the management console.
      9. Specify any other optional settings.
      10. Click Save.
      11. Open the Authenticator that you added. Record the Single Sign On URL. This URL is added to these fields in the Okta console > SAML Settings screen.
        • Single Sign On URL
        • Requestable SSO URLs
    • Okta > OIDC — Requires users to authenticate using Okta.
      Do these actions:
      1. Enter a name for the authenticator.
      2. In the Identity Provider Client section, enter the OIDC discovery document URL, the Client ID, and the Private key JWKS.
      3. Click Save.
    • One-Time Password — Requires users to enter a one-time password in addition to another type of authentication.
      Note: If you select this option, you must also add another authenticator to your authentication policy and rank it higher than the one-time password.
      Do these actions:
      1. Enter a name for the authenticator.
      2. In the One-Time Password Configuration section, in the first list, select the number of refresh intervals that defines the acceptance window. A code is accepted if it precedes or follows the expected code by no more than the number of refresh intervals that you specify. The refresh interval is 30 seconds, and the default setting is 1.
      3. In the One-Time Password Configuration section, in the second list, specify the number of times that users can skip the OTP app setup and authenticate without entering a code.
    • Ping Identity > OIDC — Requires users to authenticate using Ping Identity.
      Do these actions:
      1. Enter a name for the authenticator.
      2. In the Identity Provider Client section, enter the OIDC discovery document URL, the client ID, and the private key JWKS.
      3. In the ID token signing algorithm list, select a signing algorithm.
      4. Click Save.
    • Ping Identity > SAML — Requires users to enter their Ping Identity credentials on the primary sign-in page and enables IDP-initiated access to the Endpoint Defense console.

      The SSO Callback URL is generated when you add the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.

      Do these actions:

      1. Enter a name for the authenticator.
      2. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required.
      3. In the Login request URL field, enter the identity provider's single sign-on URL.
      4. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.

        When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.

      5. In the SP Entity ID field, enter the "Entity ID" that you recorded in the PingOne console. This field is required. The "SP Entity ID" value must match the "Entity ID" value that you recorded in the IDP console.
      6. Specify any other optional settings.
      7. Click Save.
      8. Open the Authenticator that you added. Record the Single Sign On URL. This URL is required in these PingOne console Configuration screen fields:
        • Assertion Consumer Service (ACS)
        • Application URL
    • IP Address — Restricts user access based on their IP address. You can create multiple IP address authenticators and use them to manage access for different groups, but you can assign only one IP address authenticator in a policy.
      CAUTION: IP Address authenticators should be used in combination with other authenticators in an authentication policy. Using an IP Address authenticator alone in an authentication policy does not provide sufficient authentication to secure access to your console.

      Do these actions:

      1. Enter a name for the authenticator.
      2. In the IP address ranges field, specify one or more IP addresses, IP ranges, or CIDRs. Separate entries with a comma. For example, IP range: 192.168.0.100-192.168.1.255 or CIDR: 192.168.0.10/24.
      3. Click Save.
    • OneLogin > OIDC — Requires users to authenticate using OneLogin.
      Do these actions:
      1. Enter a name for the authenticator.
      2. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required.
      3. In the OneLogin Configuration section, enter the OIDC discovery document URL, the Client ID, Client Secret, and Authentication Method.
      4. Click Save.
    • OneLogin (SAML) — Requires users to enter their OneLogin credentials on the primary sign-in page and enables IDP-initiated access to the Endpoint Defense console.

      The SSO Callback URL is generated when you save the authenticator and will be in the format https://login.eid.blackberry.com/_/resume/saml20/<hash>.

      Do these actions:

      1. Enter a name for the authenticator.
      2. If you want users to validate their email with a one-time code when they log in for the first time, turn on Validation required.
      3. In the Login request URL field, enter the identity provider's single sign-on URL.
      4. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.

        When you copy and paste the body of the certificate, make sure that you don't alter any line breaks or the format of the certificate information.

      5. In the SP Entity ID field, enter the "Identifier (Entity ID)" that you recorded in the OneLogin console. This field is required. The "SP Entity ID" value must match the "Identifier (Entity ID)" value that you recorded in the IDP console.
      6. Specify any other optional settings.
      7. Click Save.
      8. Open the Authenticator that you added. Record the Single Sign On URL. This URL will be added to these fields in the OneLogin console:
        • ACS (Consumer) URL Validator*
        • ACS (Consumer) URL*
        • Single Logout URL
    • FIDO — Requires users to register a FIDO2 device and use it to verify their identity. Supported device types include smartphones, USB security keys, and Windows Hello.

      Do these actions:

      1. Enter a name for the authenticator.
      2. Click Save.

      When FIDO is the first factor of authentication and a user registers a device for the first time, a one-time password is also sent to the email address that they use to sign in. When FIDO is used as a second factor in a policy, a one-time password isn't required when a user registers a device for the first time.

      For information about how to remove registered devices from a user account, see Remove a registered FIDO device for a user account in the Administration content.

    • Integrated Directory (Active Directory/Entra ID/LDAP) — Requires users to enter their Active Directory password. If you select this option, your Aurora Endpoint Security tenant must have a connection to the company directory instance. For more information, see Linking to your company directory.
      Do these actions:
      1. Enter a name for the authenticator.
      2. Click Save.
    • Local Account — Requires users to enter their BlackBerry Online Account (myAccount) credentials.
      Do these actions:
      1. Enter a name for the authenticator.
      2. Click Save.
  4. Click Save.
Next, add a User Policy for authentication and configure the Default Authentication policies for your tenant.