Cisco Web Security Appliance S360 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 15      Controlling Access to SaaS Applications
Understanding How SaaS Access Control Works
Authentication Requirements
Some service providers require a particular authentication mechanism to allow users to access the SaaS 
application. If a service provider requires an authentication context that is not supported by an identity 
provider, users cannot access the service provider using single sign-on from the identity provider. 
Therefore, SaaS Access Control only works with SaaS applications that require an authentication 
mechanism supported by the Web Security appliance. Currently, the Web Proxy uses the 
“PasswordProtectedTransport” authentication mechanism. You configure this value when you create a 
SaaS Application Authentication Policy using the Authentication Context setting. However, 
administrators typically choose “Automatic” as the Authentication Context setting.
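The check described above, as an added example that is not part of the Cisco guide. It assumes the SAML 2.0 meaning of "authentication context" and an identity provider limited to the PasswordProtectedTransport class; the function names and the sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened XML parser

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumption: the IdP offers only the mechanism the guide names.
IDP_SUPPORTED = {AC + "PasswordProtectedTransport"}

def requested_contexts(xml_text):
    """Return (comparison, class_refs); comparison is None when nothing is requested."""
    rac = ET.fromstring(xml_text).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs  # SAML default is "exact"

def idp_can_satisfy(xml_text, supported=IDP_SUPPORTED):
    """Return (ok, reason): can an IdP limited to `supported` answer this request?"""
    comparison, refs = requested_contexts(xml_text)
    if comparison is None:
        return True, "no authentication context requested"
    if comparison != "exact":
        # minimum/maximum/better depend on an ordering the SP and IdP must agree on
        return False, f"Comparison={comparison!r} needs manual review"
    usable = [r for r in refs if r in supported]
    if usable:
        return True, "IdP supports " + usable[0]
    return False, "unsupported context(s): " + (", ".join(refs) or "no class refs given")

def sample_request(class_ref=None, comparison="exact"):
    """Build a constructed AuthnRequest for the demo (not captured traffic)."""
    rac = ""
    if class_ref:
        rac = (f'<samlp:RequestedAuthnContext Comparison="{comparison}">'
               f'<saml:AuthnContextClassRef>{AC}{class_ref}</saml:AuthnContextClassRef>'
               f'</samlp:RequestedAuthnContext>')
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_constructed" Version="2.0">{rac}</samlp:AuthnRequest>')

if __name__ == "__main__":
    for label, req in [("password over TLS", sample_request("PasswordProtectedTransport")),
                       ("client certificate", sample_request("X509")),
                       ("nothing requested", sample_request())]:
        print(label, "->", idp_can_satisfy(req))
```

A request for the X509 class fails the check, which is the case the paragraph describes: single sign-on through that identity provider cannot work for that service provider.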
For more information on creating SaaS Application Authentication Policies, see 
Enabling SaaS Access Control
To enable SaaS Access Control, you must configure settings on both the Web Security appliance and the 
SaaS application. It is very important that the settings you configure on the appliance match the 
settings you configure on the SaaS application.
When enabling SaaS Access Control, it is easiest to keep connections to the Web Security appliance 
and the SaaS application open at the same time. You will need to switch between the two and copy 
and paste information from one to the other.
Note: For more information on configuring SaaS Access Control for particular SaaS applications, contact your 
technical sales representative or search the cisco.com website for additional information, such as white 
papers, knowledge base articles, or video tutorials.
To use SaaS Access Control, follow these steps:
1. Configure the Web Security appliance as an identity provider. For more information, see .
2. Configure the SaaS application for single sign-on. When configuring the SaaS application, you 
must also upload the certificate used on the Security Services > Identity Provider for SaaS page. For 
more information, see the SaaS application documentation.
3. Create one or more SaaS Application Authentication Policies for each SaaS application. For 
more information, see 
Understanding the Single Sign-On URL
After you configure the Web Security appliance as an identity provider and create a SaaS Application 
Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL).
How administrators use this URL depends on the flow type:
  • Identity provider initiated flows. Administrators should make the single sign-on URL available to 
end users to access this SaaS application. For example, administrators can create an internal web 
page that includes this URL as a link. After users log in, the appliance redirects users to the SaaS 
application.