Cisco Cisco Web Security Appliance S670 User Guide
Chapter 14 Controlling Access to SaaS Applications
Understanding How SaaS Access Control Works
14-2
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
When you enable Cisco SaaS Access Control, users log into the configured SaaS
applications using their network authentication user credentials. That means they
use the same user name and password for all SaaS applications as well as network
access. You can choose whether users are transparently signed in (single sign-on
functionality) or prompted to enter their authentication user name and password.
applications using their network authentication user credentials. That means they
use the same user name and password for all SaaS applications as well as network
access. You can choose whether users are transparently signed in (single sign-on
functionality) or prompted to enter their authentication user name and password.
Using Cisco SaaS Access Control with the proper access controls of your SaaS
application allows you to:
application allows you to:
•
Control which users can access SaaS applications and from where.
•
Increase usability for end users by requiring them to remember only one
password.
password.
•
Quickly disable access to all SaaS applications when users are no longer
employed by the organization. This is sometimes referred to as “zero day
revocation.”
employed by the organization. This is sometimes referred to as “zero day
revocation.”
•
Reduce the risk of phishing attacks that ask users to enter their SaaS user
credentials.
credentials.
Understanding How SaaS Access Control Works
The SaaS Access Control solution uses the Security Assertion Markup Language
(SAML) to authorize access to SaaS applications. It works with SaaS applications
that are strictly compliant with SAML version 2.0.
(SAML) to authorize access to SaaS applications. It works with SaaS applications
that are strictly compliant with SAML version 2.0.
SAML is an XML-based standard for exchanging authentication and
authorization data between different secure networks, sometimes referred to as
security domains. The main problem that SAML solves is single sign-on between
different security domains. Typically, this is users in one domain accessing a
network (a different domain) using a web browser. This is sometimes referred to
as web browser single sign-on.
authorization data between different secure networks, sometimes referred to as
security domains. The main problem that SAML solves is single sign-on between
different security domains. Typically, this is users in one domain accessing a
network (a different domain) using a web browser. This is sometimes referred to
as web browser single sign-on.
To achieve web browser single sign-on, a SAML dialogue must be engaged by an
entity in each domain, which SAML defines using the following terms:
entity in each domain, which SAML defines using the following terms:
•
Identity provider. An identity provider is an entity that produces SAML
assertions. The identity provider is expected to authenticate its end users
before producing a SAML assertion. The Web Security appliance is an
identity provider.
assertions. The identity provider is expected to authenticate its end users
before producing a SAML assertion. The Web Security appliance is an
identity provider.