Migrate custom authentication settings to the authenticators list

You can migrate your existing SAML authenticators to the authenticators list in Settings so that you can add them to authentication policies for users and groups or for your tenant. When you migrate the authenticators, you must update the single sign-on URL to the URL used by Aurora Endpoint Security. You must also either update the NameID claim in your external IDP configuration so that it returns a persistent, immutable value instead of the user's email address, or create a separate claim in the identity provider that returns such a value and use it as the Federated ID claim. An email address is not a safe federated identifier because it can be changed or reassigned to a different person, and that person would then inherit the existing account mapping.

Before you migrate your settings, as a failsafe, you should create one authentication policy that requires only the Endpoint Defense console password and assign it to one administrator.

Note: When you migrate the custom authentication settings, you must add this Cylance Endpoint Security login request URL to the external identity provider: https://idp.blackberry.com/_/resume. External SAML configurations support a list of single sign-on (assertion consumer service) reply URLs, so in an existing configuration you can either add the new URL to the list as a secondary option or replace the original.

For more information about SAML authenticators, see Considerations for adding SAML authenticators.

Before you begin, download a copy of the signing certificate for your IDP (the PEM-encoded X.509 certificate that the IDP uses to sign its SAML assertions).
  1. In the management console, on the menu bar, click Settings > Application.
  2. In the Custom authentication section, do these actions:
    1. Copy this information to a text file:
      • Provider name
      • Login URL
    2. Select the Allow Password Login checkbox. For more information, see Configure custom authentication.
  3. On the menu bar, click Settings > Authentication.
  4. On the Authenticators tab, click Add authenticator.
  5. In the Authenticator Type list, click the SAML authenticator that corresponds to the provider you copied in step 2 (for example, Entra or Okta) or click Custom SAML.
  6. In the General Information section, enter a name for the authenticator.
  7. In the SAML Configuration section, if you want to require users to validate their email with a one-time code when they log in for the first time, turn on Validation required.
  8. In the Login request URL field, enter the single sign-on URL for the identity provider.
  9. In the IDP signing certificate field, paste the body of the signing certificate that you downloaded, including the Begin Certificate and End Certificate lines.
    When you copy and paste the body of the certificate, make sure that you don't change any line breaks or the format of the certificate information. An altered character or line break makes the certificate undecodable, and signature validation of every assertion from that IDP will fail.
  10. Do one of these actions:

    Task: Update the NameID and email claim values in the external identity provider.
    Steps:
      1. Sign in to your external identity provider.
      2. Update the single sign-on URL for Aurora Endpoint Security to https://idp.blackberry.com/_/resume. You can add this URL alongside the existing login.<region>.cylance.com URL instead of replacing it.
      3. Edit the NameID claim so that it returns a persistent, immutable value (for example, objectGUID or a UUID) that can be used as the Federated ID claim instead of the user's email address. For instructions, see the documentation from the identity provider.
      4. Create a new email claim that returns the user's email address.

    Task: Create a new claim in your external identity provider and add it to the authenticator settings.
    Steps:
      1. Sign in to your external identity provider.
      2. Update the single sign-on URL for Aurora Endpoint Security to https://idp.blackberry.com/_/resume. You can add this URL alongside the existing login.<region>.cylance.com URL instead of replacing it.
      3. Create a new claim that returns a persistent, immutable ID for the user. For instructions, see the documentation from the identity provider.
      4. In the Endpoint Defense management console, in the Email claim field, enter nameID. The value is case sensitive and must use a lowercase "n".
      5. In the Federated ID claim field, enter the name of the new claim that you created in the external identity provider, exactly as it appears in the assertion.
  11. Click Save.
  • Add a User Policy for authentication that uses the new authenticator.
  • If you encounter issues logging in using the SAML authenticator in an authentication policy, download a sample SAML response from your IDP and check that the claim names in the assertion match the Email claim and Federated ID claim values that you entered (claim names are compared as exact strings), and that the response is addressed to https://idp.blackberry.com/_/resume.
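The following script is an added example for the certificate paste in step 9 and the claim check in the troubleshooting bullet above; it is not part of the product documentation or the vendor's code. It uses only the Python standard library. It checks that a pasted PEM block is intact, then parses a SAML response (raw XML or the base64 form an IDP posts) and reports whether it is addressed to the login request URL, whether the configured Email claim and Federated ID claim names resolve, and whether the Federated ID value is an email address. The sample certificate is a tiny constructed DER SEQUENCE rather than a real certificate; the objectGUID value, the attribute names "email" and "objectGUID", and the old ACS URL in the usage section are made up for the example. For the first option in step 10 the page does not state which field values to enter, so the example assumes the new email claim in the Email claim field and nameID in the Federated ID claim field.

```python
"""Offline sanity checks for the SAML migration steps above (added example)."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

RESUME_URL = "https://idp.blackberry.com/_/resume"  # login request URL from the page
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"  # constructed, not a real cert
SAMPLE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed objectGUID value


def check_pem(pem):
    """Return the problems found in a pasted signing certificate ([] means it is intact)."""
    problems = []
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----":
        problems.append("missing BEGIN CERTIFICATE line")
    if not lines or lines[-1] != "-----END CERTIFICATE-----":
        problems.append("missing END CERTIFICATE line")
    body = "".join(lines[1:-1])  # base64 lines between the markers
    try:
        der = base64.b64decode(body, validate=True)
        if not der.startswith(b"\x30"):  # an X.509 certificate is a DER SEQUENCE
            problems.append("decoded body is not a DER certificate")
    except binascii.Error:
        problems.append("body is not valid base64 (a line break or character was altered)")
    return problems


def make_response(destination, name_id, name_id_format, attrs):
    """Build a minimal unsigned SAML Response (constructed test data; a real
    response from your IDP is signed and also carries Issuer, Conditions, etc.)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r1" Version="2.0" Destination="{destination}"><saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID>'
            '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
            f'<saml:SubjectConfirmationData Recipient="{destination}"/></saml:SubjectConfirmation>'
            f'</saml:Subject><saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>')


def encode_response(xml):
    """Base64-encode a response the way an IDP posts it in the SAMLResponse parameter."""
    return base64.b64encode(xml.encode()).decode()


def inspect_response(raw, email_claim, federated_id_claim):
    """Parse a SAML Response (base64 or raw XML) and check the values that the
    authenticator's Email claim and Federated ID claim fields depend on."""
    xml = raw.strip()
    if not xml.startswith("<"):
        xml = base64.b64decode(xml).decode()
    root = ET.fromstring(xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion found (EncryptedAssertion is not handled here)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}

    def resolve(claim):
        # "nameID" (lowercase n, as the page requires) refers to the Subject NameID;
        # anything else is an Attribute Name, compared as an exact, case-sensitive string.
        if claim == "nameID":
            return name_id.text if name_id is not None else None
        values = attrs.get(claim)
        return values[0] if values else None

    findings = []
    recipient = scd.get("Recipient") if scd is not None else None
    if RESUME_URL not in (root.get("Destination"), recipient):
        findings.append(f"neither Destination nor Recipient is {RESUME_URL}; the IDP still posts to the old URL")
    email = resolve(email_claim)
    if email is None or not EMAIL_RE.match(email):
        findings.append(f"Email claim {email_claim!r} is missing or does not carry an email address")
    fed = resolve(federated_id_claim)
    if fed is None:
        findings.append(f"Federated ID claim {federated_id_claim!r} is not in the assertion (check spelling and case)")
    elif EMAIL_RE.match(fed):
        findings.append(f"Federated ID claim {federated_id_claim!r} carries an email address, which is mutable")
    return {"name_id": name_id.text if name_id is not None else None,
            "name_id_format": name_id.get("Format") if name_id is not None else None,
            "attributes": attrs, "email": email, "federated_id": fed, "findings": findings}


if __name__ == "__main__":
    print(check_pem(SAMPLE_PEM))
    # Second option in step 10: NameID stays the email, objectGUID is the new Federated ID claim.
    resp = make_response(RESUME_URL, "alice@example.com", EMAIL_FMT,
                         {"email": "alice@example.com", "objectGUID": SAMPLE_GUID})
    print(inspect_response(resp, "nameID", "objectGUID")["findings"])
    # Misconfiguration: Federated ID pointed at the email NameID.
    print(inspect_response(resp, "nameID", "nameID")["findings"])
```

To use it against a real IDP, paste the SAMLResponse value captured from the browser (or the sample response your IDP lets you download) into `inspect_response` with the exact strings you entered in the Email claim and Federated ID claim fields; an empty `findings` list means the names resolve and the federated identifier is not an email address. Signature verification is deliberately out of scope here, since the point of the check is claim naming, not trust.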