Cisco Cisco Web Security Appliance S670 Betriebsanweisung
14-7
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 14 Controlling Access to SaaS Applications
Configuring the Appliance as an Identity Provider
•
Upload the same certificate and private key to each appliance on the Security
Services > Identity Provider for SaaS page. Then upload this certificate to
each SaaS application you configure.
Services > Identity Provider for SaaS page. Then upload this certificate to
each SaaS application you configure.
Configuring the Appliance as an Identity Provider
When you configure the Web Security appliance as an identity provider, the
settings you define apply to all SaaS applications it communicates with. The Web
Security appliance uses a certificate and key to sign each SAML assertion it
creates. You can either upload or generate the certificate and key.
settings you define apply to all SaaS applications it communicates with. The Web
Security appliance uses a certificate and key to sign each SAML assertion it
creates. You can either upload or generate the certificate and key.
After you choose which certificate and key to use for signing SAML assertions,
you must upload the certificate to each SaaS application. You can do this using
the Download Certificate link in the Signing Certificate area. Uploading the
certificate ensures the SaaS application (service provider) has the Web Security
appliance public key in order to form a trusted relationship between the service
provider and the Web Security appliance (identity provider).
you must upload the certificate to each SaaS application. You can do this using
the Download Certificate link in the Signing Certificate area. Uploading the
certificate ensures the SaaS application (service provider) has the Web Security
appliance public key in order to form a trusted relationship between the service
provider and the Web Security appliance (identity provider).
Consider the following rules and guidelines when you configure the Web Security
appliance as an identity provider:
appliance as an identity provider:
•
The identity provider domain name must be resolvable within the network.
For example, within the organization “example.com,” a transparent request to
“http://idp.example.com/” should be network routable and can reach to the
Web Security appliance within the network perimeter.
For example, within the organization “example.com,” a transparent request to
“http://idp.example.com/” should be network routable and can reach to the
Web Security appliance within the network perimeter.
•
If you intend to use multiple Web Security appliances with SaaS Access
Control, you must enter the same Identity Provider Domain Name for each
appliance and the same Identity Provider Entity ID for each appliance. For
more information, see
Control, you must enter the same Identity Provider Domain Name for each
appliance and the same Identity Provider Entity ID for each appliance. For
more information, see
.
•
After you generate on or upload a certificate and key to the appliance, you
must upload the same certificate to each SaaS application with which the Web
Security appliance will communicate. You can do this by downloading the
certificate from the appliance first.
must upload the same certificate to each SaaS application with which the Web
Security appliance will communicate. You can do this by downloading the
certificate from the appliance first.
•
Make note of the settings you configure when you configure the Web Security
appliance as an identity provider. Some of these settings must be used when
configuring the SaaS application for single sign-on. It is easiest to keep open
appliance as an identity provider. Some of these settings must be used when
configuring the SaaS application for single sign-on. It is easiest to keep open