Cisco Web Security Appliance S360 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 15      Controlling Access to SaaS Applications
Configuring the Appliance as an Identity Provider
  • After you generate or upload a certificate and key to the appliance, you must upload the same certificate to each SaaS application with which the Web Security appliance will communicate. You can do this by downloading the certificate from the appliance first.
  • Make note of the settings you configure when you configure the Web Security appliance as an identity provider. Some of these settings must be used when configuring the SaaS application for single sign-on. It is easiest to keep a connection open to the Web Security appliance and the SaaS application simultaneously, because you will need to go back and forth between both components and copy and paste information between them.
  • The appliance constructs a single sign-on (SSO) login URL for each SaaS application based on the value you enter in the Identity Provider Domain Name field and the SaaS application name configured in the SaaS policy. For more information, see 
Step 1   Navigate to the Security Services > Identity Provider for SaaS page.
Step 2   Click Edit Settings.
Step 3   In the Identity Provider Domain Name field, enter a virtual domain name to use to access the Web Security appliance as an identity provider instance.
The identity provider domain name should be resolvable within the network. For example, within the organization “example.com,” a transparent request to “http://idp.example.com/” should be network routable and should reach the Web Security appliance within the network perimeter.
Note   If you intend to use multiple Web Security appliances with SaaS Access Control, you must enter the same Identity Provider Domain Name for each Web Security appliance. If you have only one appliance, you can use the appliance hostname as the Identity Provider Domain Name. For more information, see 
Step 4   In the Identity Provider Entity ID field, enter the text you want to use to uniquely identify this Web Security appliance as an identity provider to all SaaS applications it will communicate with.
A URI-format string is recommended, but you can enter any unique string. The URI string does not have to be network accessible. Record the value you enter here, because you will need to use the same value when you configure the SaaS application for single sign-on.
Note   If you intend to use multiple Web Security appliances with SaaS Access Control, you must enter the same Identity Provider Entity ID for each Web Security appliance. For more information, see 
Step 5   Configure a signing certificate the appliance should use when it communicates using a secure connection (in the SAML flow) with service providers. You can use either of the following methods to configure the certificate:
  • Uploaded certificate and key. Go to step 
  • Generated certificate and key. Go to step .
Note   If the appliance has both an uploaded certificate and key pair and a generated certificate and key pair, it only uses the certificate and key pair currently selected in the Signing Certificate section.
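The guide states two consistency requirements that are easy to get wrong in a multi-appliance deployment: every appliance must carry the same Identity Provider Domain Name and Entity ID, and the certificate uploaded to each SaaS application must be the one the appliance signs with. The following script is an added example, not Cisco code, that checks both across exported settings; the appliance and SaaS records and the PEM payloads are constructed for illustration (only the DER fingerprint is compared, so the payload bytes are arbitrary).

```python
"""Consistency check for SaaS Access Control settings (added example, not Cisco code)."""
import base64
import hashlib
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (hex) of the DER bytes inside a PEM CERTIFICATE block."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))  # tolerate re-wrapped PEM
    return hashlib.sha256(der).hexdigest()


def check_deployment(appliances, saas_apps):
    """Return human-readable findings; an empty list means the settings are consistent.

    appliances: dicts with 'name', 'idp_domain', 'entity_id', 'cert_pem' (appliance signing cert)
    saas_apps:  dicts with 'name', 'idp_cert_pem' (the IdP certificate uploaded to that SaaS app)
    The first appliance is used as the reference the others must match.
    """
    findings = []
    ref = appliances[0]
    ref_fp = cert_fingerprint(ref["cert_pem"])
    for a in appliances[1:]:
        for field in ("idp_domain", "entity_id"):  # must be identical on every appliance
            if a[field] != ref[field]:
                findings.append(f"{a['name']}: {field} {a[field]!r} differs from {ref['name']}")
        if cert_fingerprint(a["cert_pem"]) != ref_fp:
            findings.append(f"{a['name']}: signing certificate differs from {ref['name']}")
    for sp in saas_apps:  # each SaaS app must hold the appliance's own certificate
        if cert_fingerprint(sp["idp_cert_pem"]) != ref_fp:
            findings.append(f"SaaS app {sp['name']}: uploaded IdP certificate does not match appliance")
    return findings


def _fake_pem(payload: bytes) -> str:
    """Constructed PEM wrapper around arbitrary bytes (not a real certificate)."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(payload).decode()}\n-----END CERTIFICATE-----\n"


CERT_A = _fake_pem(b"constructed-cert-A")
CERT_B = _fake_pem(b"constructed-cert-B")
SAMPLE_APPLIANCES = [  # constructed records; wsa2 has a mistyped Entity ID
    {"name": "wsa1", "idp_domain": "idp.example.com", "entity_id": "urn:example:wsa-idp", "cert_pem": CERT_A},
    {"name": "wsa2", "idp_domain": "idp.example.com", "entity_id": "urn:example:wsa-idp-2", "cert_pem": CERT_A},
]
SAMPLE_SAAS = [{"name": "crm", "idp_cert_pem": CERT_A}, {"name": "mail", "idp_cert_pem": CERT_B}]


def sample_findings():
    return check_deployment(SAMPLE_APPLIANCES, SAMPLE_SAAS)
```

Run `sample_findings()` to see the two expected problems: the Entity ID mismatch on wsa2 and the stale certificate at the "mail" SaaS app.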
Step 6   To upload a root certificate and key:
a.   Click Use Uploaded Certificate and Key.