Cisco Web Security Appliance S670 User Guide
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
Chapter 7 SaaS Access Control
Creating SaaS Application Authentication Policies
Metadata for Service Provider
Configure the metadata that describes the service provider referenced in this
policy. You can either describe the service provider properties manually or
upload a metadata file provided by the SaaS application.
The Web Security appliance uses the metadata to determine how to
communicate with the SaaS application (service provider) using SAML. Contact
the SaaS application provider to learn the correct settings to configure the
metadata.
Configure Keys Manually – If you select this option, provide the following:
• Service Provider Entity ID. Enter the text (typically in URI format) the
  SaaS application uses to identify itself as a service provider.
• Name ID Format. Choose from the drop-down list the format the
  appliance should use to identify users in the SAML assertion it sends to
  service providers. The value you enter here must match the
  corresponding setting configured on the SaaS application.
• Assertion Consumer Service URL. Enter the URL to which the Web
  Security appliance is to send the SAML assertion it creates. Read the
  SaaS application documentation to determine the correct URL to use
  (also known as the login URL).
Import File from Hard Disk – If you select this option, click Browse, locate
the file, and then click Import.
Note: This metadata file is an XML document, following the SAML
standard, that describes a service provider instance. Not all SaaS
applications use metadata files, but for those that do, contact the
SaaS application provider for the file.
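The three values listed under Configure Keys Manually correspond to fields in the service provider's SAML 2.0 metadata file. The following is an added example, not part of the Cisco guide or AsyncOS: it reads those fields from a metadata document so they can be checked before manual entry or import. The sample metadata is constructed (sp.example.com is a placeholder), and the function name sp_settings, the restriction to HTTP-POST endpoints, and the HTTPS check are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; sp.example.com is a placeholder, not a real provider.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.com/saml/art"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings(metadata_xml):
    """Return the Entity ID, Name ID formats and ACS URL found in SP metadata."""
    # Refuse DTDs so entity-expansion content never reaches the XML parser.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata does not describe a service provider")
    # Assumption of this example: only HTTP-POST endpoints are considered.
    endpoints = [e for e in sp.findall(MD + "AssertionConsumerService")
                 if e.get("Binding") == POST_BINDING]
    if not endpoints:
        raise ValueError("no HTTP-POST AssertionConsumerService endpoint")
    # Prefer the endpoint marked isDefault, otherwise the lowest index.
    endpoints.sort(key=lambda e: (e.get("isDefault") not in ("true", "1"), int(e.get("index", "0"))))
    acs_url = endpoints[0].get("Location", "")
    if urlparse(acs_url).scheme != "https":
        raise ValueError("ACS URL is not HTTPS: %r" % acs_url)
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [n.text.strip() for n in sp.findall(MD + "NameIDFormat") if n.text],
        "acs_url": acs_url,
    }


if __name__ == "__main__":
    print(sp_settings(SAMPLE_METADATA))
```

The returned entity_id, name_id_formats and acs_url line up with the Service Provider Entity ID, Name ID Format and Assertion Consumer Service URL fields described above.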
User Identification / Authentication for SaaS SSO
Specify how users are identified/authenticated for SaaS single sign-on:
• Always prompt users for their local authentication credentials.
• Prompt users for their local authentication credentials if the Web Proxy
  obtained their user names transparently.
• Automatically sign in SaaS users using their local authentication
  credentials.
Choose the authentication realm or sequence the Web Proxy should use to
authenticate users accessing this SaaS application. Users must be members
of the authentication realm or authentication sequence to successfully access
the SaaS application. If an Identity Services Engine is used for
authentication, and LDAP was selected, the realm will be used for the SAML
user names and attribute mapping.