Cisco Web Security Appliance S160 User Guide
15-5
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 15 Controlling Access to SaaS Applications
Configuring the Appliance as an Identity Provider
• Identity provider initiated flows. Administrators should make the single sign-on URL available to end users to access this SaaS application. For example, administrators can create an internal web page that includes this URL as a link. After users log in, the appliance redirects users to the SaaS application.
• Service Provider initiated flows. Administrators should configure this URL in the SaaS application. The SaaS application uses the single sign-on URL to redirect the browser session depending on the “SaaS SSO Authentication Prompt” setting in the policy group:
– Always prompt SaaS users for proxy authentication. A Web Security appliance page appears where users can enter their local authentication credentials. After entering valid credentials, users are logged into the SaaS application.
– Transparently sign in SaaS users. Users are logged into the SaaS application automatically.
The Web Security appliance uses the application name configured in the SaaS Application Authentication Policy to generate the single sign-on URL. You can view the single sign-on URL on the Web Security Manager > SaaS Policies page after you submit the changes.
The single sign-on URL format is:
http://IdentityProviderDomainName/SSOURL/ApplicationName
Therefore, when the appliance Identity Provider Domain Name is idp.example.com and the application name in the SaaS Application Authentication Policy is GoogleApps, the single sign-on URL is:
http://idp.example.com/SSOURL/GoogleApps
Using SaaS Access Control with Multiple Appliances
When you use multiple Web Security appliances with SaaS Access Control, you must perform the following steps:
• Configure the same Identity Provider Domain Name for each Web Security appliance.
• Configure the same Identity Provider Entity ID for each Web Security appliance.
• Upload the same certificate and private key to each appliance on the Security Services > Identity Provider for SaaS page. Then upload this certificate to each SaaS application you configure.
Configuring the Appliance as an Identity Provider
When you configure the Web Security appliance as an identity provider, the settings you define apply to all SaaS applications it communicates with. The Web Security appliance uses a certificate and key to sign each SAML assertion it creates. You can either upload or generate the certificate and key.
After you choose which certificate and key to use for signing SAML assertions, you must upload the certificate to each SaaS application. You can do this using the Download Certificate link in the Signing Certificate area. Uploading the certificate ensures the SaaS application (service provider) has the Web Security appliance public key in order to form a trusted relationship between the service provider and the Web Security appliance (identity provider).
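The trust relationship described above, and the reason every appliance in a multi-appliance deployment must carry the same certificate and private key, can be checked from a shell with openssl. The script below is an added example and is not part of the Cisco guide or AsyncOS: it generates a signing key pair and self-signed certificate (as the appliance does when you choose "generate"), signs a constructed assertion, and then verifies the signature using only the certificate, which is what the service provider holds after you upload it. A second "appliance" that copied the same key and certificate produces assertions the service provider accepts; a third that generated its own pair does not. The hostname idp.example.com, the application name GoogleApps, the subject alice@example.com and the file names are assumptions; the signature is a detached RSA-SHA256 signature over the file rather than a full XML-DSig enveloped signature, so the SAML document is illustrative only.

```shell
#!/bin/sh
# Added example, not code from the Cisco guide: simulate the IdP signing trust
# relationship with openssl. All names and sample data are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a signing key pair and self-signed certificate, as the appliance
# does when you choose to generate one. $2 (the CN) is an assumed IdP domain.
make_idp_signing_cert() {   # $1 = output prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate. Compare this value across appliances:
# every appliance using SaaS Access Control must show the same fingerprint.
cert_fingerprint() {        # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Sign the assertion bytes with the IdP private key (simplified: a detached
# signature over the file; real SAML uses an enveloped XML-DSig signature).
sign_assertion() {          # $1 = private key, $2 = assertion file, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# What the service provider does with the certificate you uploaded: extract
# the public key and verify the signature. Prints "ok" or "untrusted".
verify_assertion() {        # $1 = certificate trusted by the SP, $2 = assertion, $3 = signature
    pub="$(mktemp)"
    openssl x509 -in "$1" -pubkey -noout > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
    rm -f "$pub"
}

# Constructed sample assertion (illustrative, not a complete SAML document).
cat > "$WORK/assertion.xml" <<'EOF'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1">
  <saml:Issuer>http://idp.example.com/SSOURL/GoogleApps</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>
EOF

# Appliance 1 generates the signing pair; its certificate is uploaded to the SP.
make_idp_signing_cert "$WORK/wsa1" idp.example.com
# Appliance 2: the same certificate and private key were uploaded to it.
cp "$WORK/wsa1.key" "$WORK/wsa2.key"
cp "$WORK/wsa1.crt" "$WORK/wsa2.crt"
# Appliance 3: misconfigured, generated its own pair instead of uploading.
make_idp_signing_cert "$WORK/wsa3" idp.example.com

sign_assertion "$WORK/wsa2.key" "$WORK/assertion.xml" "$WORK/sig2"
sign_assertion "$WORK/wsa3.key" "$WORK/assertion.xml" "$WORK/sig3"

# The SP only trusts the certificate from appliance 1.
RESULT_SHARED="$(verify_assertion "$WORK/wsa1.crt" "$WORK/assertion.xml" "$WORK/sig2")"
RESULT_ROGUE="$(verify_assertion "$WORK/wsa1.crt" "$WORK/assertion.xml" "$WORK/sig3")"

echo "wsa1 fingerprint: $(cert_fingerprint "$WORK/wsa1.crt")"
echo "wsa2 fingerprint: $(cert_fingerprint "$WORK/wsa2.crt")"
echo "wsa3 fingerprint: $(cert_fingerprint "$WORK/wsa3.crt")"
echo "assertion signed by wsa2 (same key): $RESULT_SHARED"
echo "assertion signed by wsa3 (own key):  $RESULT_ROGUE"
```

The fingerprint lines are the practical check: after uploading the certificate and key to each appliance, compare the certificate fingerprints (and the Identity Provider Domain Name and Entity ID) on every appliance and against the certificate registered in each SaaS application; any appliance whose fingerprint differs will issue assertions the service provider rejects, and users routed through that appliance will fail to sign in.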
Note
When AsyncOS for Web runs on a FIPS-compliant Web Security appliance, you must use the FIPS management console to generate or upload the signing certificate and key pair. When you generate or upload certificates and keys using the FIPS management console, the keys are protected by the HSM card. For more information on using the FIPS management console, see