Cisco Cisco Web Security Appliance S670 User Guide
8-6
Cisco AsyncOS for Web User Guide
Chapter 8 SaaS Access Control
Configuring End-User Access to the Single Sign-On URL
Step 4
Submit and Commit Changes.
Next Steps
•
Download the certificate and install it on the application website. Security Services > Identity
Provider for SaaS > Edit Settings > click Download Certificate
Provider for SaaS > Edit Settings > click Download Certificate
•
Set up the single sign-on settings on the SaaS application side, using the same parameters to
configure the application.
configure the application.
Configuring End-User Access to the Single Sign-On URL
After you configure the Web Security appliance as an identity provider and create a SaaS Application
Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL).
The Web Security appliance uses the application name configured in the SaaS Application
Authentication Policy to generate the single sign-on URL. The single sign-on URL format is:
Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL).
The Web Security appliance uses the application name configured in the SaaS Application
Authentication Policy to generate the single sign-on URL. The single sign-on URL format is:
http://IdentityProviderDomainName/SSOURL/ApplicationName
Step 1
Obtain the single sign-on URL from the Web Security Manager> SaaS Policies page
Step 2
Make the URL available to end-users depending on which flow type
Step 3
If you choose Identity provider initiated flow, the appliance redirects users to the SaaS application
Step 4
If you choose Service Provider initiated flows, you must configure this URL in the SaaS application.
•
Always prompt SaaS users for proxy authentication. After entering valid credentials, users are
logged into the SaaS application.
logged into the SaaS application.
•
Transparently sign in SaaS users. Users are logged into the SaaS application automatically.
Note
To achieve single sign-on behavior using explicit forward requests for all authenticated users when the
appliance is deployed in transparent mode, select “Apply same surrogate settings to explicit forward
requests” when you configure the Identity group.
appliance is deployed in transparent mode, select “Apply same surrogate settings to explicit forward
requests” when you configure the Identity group.
SAML
Attribute
Mapping
Attribute
Mapping
(Optional) You can provide to the SaaS application additional information about the
internal users from the LDAP authentication server if required by the SaaS
application. Map each LDAP server attribute to a SAML attribute.
internal users from the LDAP authentication server if required by the SaaS
application. Map each LDAP server attribute to a SAML attribute.
Authentication
Context
Context
From the Authentication drop-down list, choose the authentication mechanism the
Web Proxy uses to authenticate its internal users.
Web Proxy uses to authenticate its internal users.
Note
The authentication context informs the service provider which authentication
mechanism the identity provider used to authenticate the internal users. Some
service providers require a particular authentication mechanism to allow users
to access the SaaS application. If a service provider requires an authentication
context that is not supported by an identity provider, users cannot access the
service provider using single sign-on from the identity provider.
mechanism the identity provider used to authenticate the internal users. Some
service providers require a particular authentication mechanism to allow users
to access the SaaS application. If a service provider requires an authentication
context that is not supported by an identity provider, users cannot access the
service provider using single sign-on from the identity provider.
Property
Description