The Carbon Black App Control Console can be integrated with identity providers (IdPs) that use the Security Assertion Markup Language (SAML). Because the IdP performs the authentication and the console only consumes the resulting assertion, this integration lets you require two-factor authentication (2FA) at the IdP for Carbon Black App Control Console logins, whether for compliance purposes or to meet your own best-practice standards.

Integrating a SAML identity provider with Carbon Black App Control requires the following:

  • An account with an IdP whose sign-on and logout locations use the HTTP-Redirect binding.
  • For each IdP identity, an email address that can be mapped to a console account. The IdP must supply it in one of the following ways:
    • A NameID of type urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • An attribute with the name EmailAddress (capitalized as shown here)
  • A Carbon Black App Control login account matching the value of NameID or EmailAddress for each IdP user you want to give access to the console. If you are unfamiliar with creation of login accounts, see Creating Login Accounts in the Console for instructions.

    Note: This integration allows you to use SAML to authenticate existing Carbon Black App Control accounts. It does not import accounts from an IdP into Carbon Black App Control; a user whose email address has no matching console account cannot log in. If both NameID and EmailAddress are present in the assertion, the EmailAddress attribute is always used, and its value must match the email address of a Carbon Black App Control account. NameID is not used as a fallback when EmailAddress exists, even if the EmailAddress value does not match any account.
  • Completion of the configuration procedures that are described in this section.
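The identity-mapping rules above, as an added example in Python that is not Carbon Black code and does not reflect how the console is implemented: it extracts the email-format NameID and the case-sensitive EmailAddress attribute from a SAML assertion, applies the documented precedence (EmailAddress always wins, with no NameID fallback), and looks the result up against a constructed table of existing console accounts. The account table, the helper that builds minimal test assertions, and exact (case-sensitive) matching of the email against the account are assumptions of the example. A real service provider must validate the assertion signature, audience and validity window before trusting any of these values; that step is deliberately outside this illustration.

```python
"""Illustration of the documented SAML identity-mapping rule for console logins.

Not Carbon Black App Control code. Signature, audience and Conditions
validation are assumed to have happened before extract_identity() is called.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed table of existing console login accounts: email -> account name.
# Nothing is ever added to it by a login attempt (no account import from the IdP).
CONSOLE_ACCOUNTS = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
}


def build_assertion(nameid=None, nameid_format=EMAIL_NAMEID_FORMAT, attributes=()):
    """Construct a minimal, unsigned assertion for demonstration only."""
    subject = ""
    if nameid is not None:
        subject = (f'<saml:Subject><saml:NameID Format="{nameid_format}">'
                   f"{nameid}</saml:NameID></saml:Subject>")
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes
    )
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"{subject}<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
            "</saml:Assertion>")


def extract_identity(assertion_xml: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (nameid_email, attribute_email).

    nameid_email is set only when the NameID carries the emailAddress format;
    attribute_email is set only for an attribute named exactly "EmailAddress"
    (the documented name is case-sensitive, so "emailaddress" is ignored).
    """
    root = ET.fromstring(assertion_xml)
    nameid_email = None
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is not None and nameid.get("Format") == EMAIL_NAMEID_FORMAT:
        nameid_email = (nameid.text or "").strip() or None

    attribute_email = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "EmailAddress":
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                attribute_email = value.text.strip()
            break
    return nameid_email, attribute_email


def select_login_email(nameid_email: Optional[str],
                       attribute_email: Optional[str]) -> Optional[str]:
    """EmailAddress always wins when present; NameID is used only in its absence."""
    if attribute_email is not None:
        return attribute_email
    return nameid_email


def map_to_account(assertion_xml: str, accounts=CONSOLE_ACCOUNTS) -> Optional[str]:
    """Return the console account name for the assertion, or None to refuse login.

    Exact-match lookup against existing accounts is an assumption of this example.
    """
    nameid_email, attribute_email = extract_identity(assertion_xml)
    email = select_login_email(nameid_email, attribute_email)
    if email is None:
        return None
    return accounts.get(email)
```

The case worth noticing is the third one in the test: the IdP sends a NameID that would have matched, but also an EmailAddress attribute that matches nothing, and the login is refused rather than falling back. When onboarding an IdP, check what it actually emits in the AttributeStatement, not just the NameID.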