Cisco Web Security Appliance S360 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 15 Controlling Access to SaaS Applications
Configuring the Appliance as an Identity Provider
• After you generate or upload a certificate and key to the appliance, you must upload the same certificate to each SaaS application with which the Web Security appliance will communicate. You can do this by downloading the certificate from the appliance first.
• Make note of the settings you configure when you configure the Web Security appliance as an identity provider. Some of these settings must be used when configuring the SaaS application for single sign-on. It is easiest to keep open a connection to the Web Security appliance and the SaaS application simultaneously. You will need to go back and forth between both components and copy and paste information between both.
• The appliance constructs a single sign-on (SSO) login URL for each SaaS application based on the value you enter in the Identity Provider Domain Name field and the SaaS application name configured in the SaaS policy. For more information, see
Step 1
Navigate to the Security Services > Identity Provider for SaaS page.
Step 2
Click Edit Settings.
Step 3
In the Identity Provider Domain Name field, enter a virtual domain name to use to access the Web Security appliance as an identity provider instance.
The identity provider domain name should be resolvable within the network. For example, within the organization “example.com,” a transparent request to “http://idp.example.com/” should be network routable and can reach the Web Security appliance within the network perimeter.
Note
If you intend to use multiple Web Security appliances with SaaS Access Control, you must enter the same Identity Provider Domain Name for each Web Security appliance. If you have only one appliance, you can use the appliance hostname as the Identity Provider Domain Name. For more information, see
Step 4
In the Identity Provider Entity ID field, enter the text you want to use that uniquely identifies this Web Security appliance as an identity provider to all SaaS applications it will communicate with.
A URI-formatted string is recommended, but you can enter any unique string. The URI string does not have to be network accessible. Record the value you enter here because you will need to use the same value when you configure the SaaS application for single sign-on.
Note
If you intend to use multiple Web Security appliances with SaaS Access Control, you must enter the same Identity Provider Entity ID for each Web Security appliance. For more information, see
Step 5
Configure a signing certificate the appliance should use when it communicates using a secure connection (in the SAML flow) with service providers. You can use either of the following methods to configure the certificate:
• Uploaded certificate and key. Go to step
• Generated certificate and key. Go to step
Note
If the appliance has both an uploaded certificate and key pair and a generated certificate and key pair, it only uses the certificate and key pair currently selected in the Signing Certificate section.
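As an added example, not part of this guide or of the appliance software, the following Python script checks the settings recorded in the steps above for consistency: it flags appliances whose Identity Provider Domain Name or Entity ID differ from one another, Entity IDs that are not in URI form, and a signing certificate whose fingerprint does not match the copy uploaded to the SaaS application. The appliance records and the PEM blobs are constructed sample data, not real certificates.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Syntactic hostname check only; that the name actually resolves inside the
# network perimeter must be confirmed against the organization's DNS.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def cert_fingerprint(pem: str) -> str:
    """SHA-256 hex digest of the DER body of a PEM certificate (stdlib only)."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def check_idp_settings(appliances, saas_cert_pem):
    """Return the problems found; empty means the recorded settings are consistent.
    appliances: dicts with keys name, idp_domain, entity_id, signing_cert_pem."""
    problems = []
    domains = {a["idp_domain"] for a in appliances}
    entity_ids = {a["entity_id"] for a in appliances}
    if len(domains) > 1:  # multiple appliances must share one Identity Provider Domain Name
        problems.append(f"Identity Provider Domain Name differs across appliances: {sorted(domains)}")
    if len(entity_ids) > 1:  # ... and one Identity Provider Entity ID
        problems.append(f"Identity Provider Entity ID differs across appliances: {sorted(entity_ids)}")
    saas_fp = cert_fingerprint(saas_cert_pem)
    for a in appliances:
        if not HOSTNAME_RE.match(a["idp_domain"]):
            problems.append(f"{a['name']}: domain name {a['idp_domain']!r} is not a valid hostname")
        if not urlparse(a["entity_id"]).scheme:  # URI form is recommended, not required
            problems.append(f"{a['name']}: Entity ID {a['entity_id']!r} is not in URI form")
        if cert_fingerprint(a["signing_cert_pem"]) != saas_fp:
            problems.append(f"{a['name']}: signing certificate differs from the copy at the SaaS application")
    return problems

def constructed_pem(payload: bytes) -> str:
    """Wrap constructed bytes as PEM: a stand-in for a real certificate, for this demo only."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(payload).decode()}\n-----END CERTIFICATE-----\n"

# Constructed sample data: two appliances and the certificate uploaded to the SaaS application.
CERT_A = constructed_pem(b"constructed stand-in for appliance certificate A")
CERT_B = constructed_pem(b"constructed stand-in for a different certificate B")
SAAS_CERT_PEM = CERT_A
APPLIANCES_OK = [
    {"name": "wsa1", "idp_domain": "idp.example.com", "entity_id": "https://idp.example.com/idp", "signing_cert_pem": CERT_A},
    {"name": "wsa2", "idp_domain": "idp.example.com", "entity_id": "https://idp.example.com/idp", "signing_cert_pem": CERT_A},
]
APPLIANCES_BAD = [  # second appliance was configured independently and drifted
    {"name": "wsa1", "idp_domain": "idp.example.com", "entity_id": "https://idp.example.com/idp", "signing_cert_pem": CERT_A},
    {"name": "wsa2", "idp_domain": "wsa2.example.com", "entity_id": "wsa2-idp", "signing_cert_pem": CERT_B},
]
```

Running `check_idp_settings(APPLIANCES_BAD, SAAS_CERT_PEM)` reports four problems (differing domain name, differing Entity ID, a non-URI Entity ID and a certificate mismatch on wsa2), while the consistent set returns an empty list.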
Step 6
To upload a root certificate and key:
a. Click Use Uploaded Certificate and Key.