Cisco Web Security Appliance S690 User Guide

AsyncOS 8.5 for Cisco Web Security Appliances User Guide
 
Chapter 7      SaaS Access Control
Authenticate SaaS Users
Step 1
Configure the “PasswordProtectedTransport” value when you create a SaaS Application Authentication 
Policy using the Authentication Context setting.
Step 2
Choose “Automatic” as the Authentication Context setting. 
Related topics
Certificates and Keys
When the browser prompts users to authenticate, the browser sends the authentication credentials to the 
Web Proxy using a secure HTTPS connection. The appliance uses its own certificate and private key to 
create an HTTPS connection with the client by default. Most browsers will warn users that the certificate 
is not valid. To prevent users from seeing the invalid certificate message, you can upload a certificate 
and key pair your organization uses. 
Configuring the Appliance as an Identity Provider
When you configure the Web Security appliance as an identity provider, the settings you define apply to 
all SaaS applications it communicates with. The Web Security appliance uses a certificate and key to 
sign each SAML assertion it creates. 
Before You Begin
(Optional) Locate a certificate (PEM format) and key for signing SAML assertions.
Upload the certificate to each SaaS application.
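A pre-upload check for the signing certificate and key listed under Before You Begin, as an added example that is not part of the Cisco guide: it uses the OpenSSL command line (assumed to be installed on the administrator's workstation) to confirm that the certificate is PEM, that the key belongs to it, and that it is not about to expire, then prints the SHA-256 fingerprint to compare with the copy uploaded to each SaaS application. The function names, return codes, 30-day threshold and the idp.example.test subject are assumptions made for this example.

```sh
#!/bin/sh
# Added example: pre-upload check for a SAML signing certificate and key.
# Return codes (chosen for this example): 0 ok, 1 certificate is not PEM,
# 2 key unreadable, 3 key does not match certificate, 4 expires too soon.

check_saml_pair() {
    cert=$1; key=$2; min_days=${3:-30}   # 30-day threshold is an assumption

    # 1. The guide asks for PEM: require the armor line and a parsable body.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null &&
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        return 1

    # 2. Extract the public half of the private key. "-passin pass:" supplies
    #    an empty passphrase so an encrypted key fails instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        return 2

    # 3. Both commands emit SubjectPublicKeyInfo PEM, so a string comparison
    #    tells whether the key belongs to the certificate.
    [ "$cert_pub" = "$key_pub" ] || return 3

    # 4. Refuse a certificate that expires within min_days.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" \
        >/dev/null || return 4

    # 5. Fingerprint to compare with the copy held by each SaaS application.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
}

# Constructed test material: a throwaway self-signed pair, $1 = file prefix,
# $2 = validity in days. The subject name is a placeholder.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=idp.example.test" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Stand-alone use: sh check.sh signing-cert.pem signing-key.pem [min_days]
if [ "$#" -ge 2 ]; then
    check_saml_pair "$@"
fi
```

A non-zero return code means the pair should not be uploaded as it stands; the codes are listed in the header comment.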
Step 1
Choose Security Services > Identity Provider for SaaS.
Step 2
Click Edit Settings.
Step 3
In the Identity Provider Domain Name field, enter a virtual domain name.
Step 4
In the Identity Provider Entity ID field, enter text (a URI format based string is recommended).
Step 5
Either upload or generate a certificate and key:
Step 3
Configure the SaaS application for single sign-on.
Step 4
(Optional) Configuring multiple web security appliances