Cisco Cisco Web Security Appliance S170 Guía Del Usuario
15-5
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 15 Controlling Access to SaaS Applications
Configuring the Appliance as an Identity Provider
•
Service Provider initiated flows. Administrators should configure this URL in the SaaS
application. The SaaS application uses the single sign-on URL to redirect the browser session
depending on the “SaaS SSO Authentication Prompt” setting in the policy group:
application. The SaaS application uses the single sign-on URL to redirect the browser session
depending on the “SaaS SSO Authentication Prompt” setting in the policy group:
–
Always prompt SaaS users for proxy authentication. A Web Security appliance page appears
where users can enter their local authentication credentials. After entering valid credentials,
users are logged into the SaaS application.
where users can enter their local authentication credentials. After entering valid credentials,
users are logged into the SaaS application.
–
Transparently sign in SaaS users. Users are logged into the SaaS application automatically.
The Web Security appliance uses the application name configured in the SaaS Application
Authentication Policy to generate the single sign-on URL. You can view the single sign-on URL on the
Web Security Manager > SaaS Policies page after you submit the changes.
Authentication Policy to generate the single sign-on URL. You can view the single sign-on URL on the
Web Security Manager > SaaS Policies page after you submit the changes.
The single sign-on URL format is:
http://IdentityProviderDomainName/SSOURL/ApplicationName
Therefore, when the appliance Identity Provider Domain Name is idp.example.com and the application
name in the SaaS Application Authentication Policy is GoogleApps, the single sign-on URL is:
name in the SaaS Application Authentication Policy is GoogleApps, the single sign-on URL is:
http://idp.example.com/SSOURL/GoogleApps
Using SaaS Access Control with Multiple Appliances
When you use multiple Web Security appliances with SaaS Access Control, you must perform the
following steps:
following steps:
•
Configure the same Identity Provider Domain Name for each Web Security appliance.
•
Configure the same Identity Provider Entity ID for each Web Security appliance.
•
Upload the same certificate and private key to each appliance on the Security Services > Identity
Provider for SaaS page. Then upload this certificate to each SaaS application you configure.
Provider for SaaS page. Then upload this certificate to each SaaS application you configure.
Configuring the Appliance as an Identity Provider
When you configure the Web Security appliance as an identity provider, the settings you define apply to
all SaaS applications it communicates with. The Web Security appliance uses a certificate and key to
sign each SAML assertion it creates. You can either upload or generate the certificate and key.
all SaaS applications it communicates with. The Web Security appliance uses a certificate and key to
sign each SAML assertion it creates. You can either upload or generate the certificate and key.
After you choose which certificate and key to use for signing SAML assertions, you must upload the
certificate to each SaaS application. You can do this using the Download Certificate link in the Signing
Certificate area. Uploading the certificate ensures the SaaS application (service provider) has the Web
Security appliance public key in order to form a trusted relationship between the service provider and
the Web Security appliance (identity provider).
certificate to each SaaS application. You can do this using the Download Certificate link in the Signing
Certificate area. Uploading the certificate ensures the SaaS application (service provider) has the Web
Security appliance public key in order to form a trusted relationship between the service provider and
the Web Security appliance (identity provider).
Consider the following rules and guidelines when you configure the Web Security appliance as an
identity provider:
identity provider:
•
The identity provider domain name must be resolvable within the network. For example, within the
organization “example.com,” a transparent request to “http://idp.example.com/” should be network
routable and can reach to the Web Security appliance within the network perimeter.
organization “example.com,” a transparent request to “http://idp.example.com/” should be network
routable and can reach to the Web Security appliance within the network perimeter.
•
If you intend to use multiple Web Security appliances with SaaS Access Control, you must enter the
same Identity Provider Domain Name for each appliance and the same Identity Provider Entity ID
for each appliance. For more information, see
same Identity Provider Domain Name for each appliance and the same Identity Provider Entity ID
for each appliance. For more information, see
.