Cisco Cisco Web Security Appliance S170 Guía Del Usuario
7-6
AsyncOS 8.6 for Cisco Web Security Appliances User Guide
Chapter 7 SaaS Access Control
Configuring End-user Access to the Single Sign-on URL
Step 4
Submit and Commit Changes.
Next Steps
•
Set up the single sign-on settings on the SaaS application side, using the same parameters to
configure the application.
configure the application.
Configuring End-user Access to the Single Sign-on URL
After you configure the Web Security appliance as an identity provider and create a SaaS Application
Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL).
The Web Security appliance uses the application name configured in the SaaS Application Authentication
Policy to generate the single sign-on URL; the SSO URL format is:
Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL).
The Web Security appliance uses the application name configured in the SaaS Application Authentication
Policy to generate the single sign-on URL; the SSO URL format is:
http://IdentityProviderDomainName/SSOURL/ApplicationName
Step 1
Obtain the single sign-on URL from the Web Security Manager > SaaS Policies page.
Step 2
Make the URL available to end-users depending on which flow type.
Step 3
If you choose Identity provider initiated flow, the appliance redirects users to the SaaS application.
Step 4
If you choose Service Provider initiated flows, you must configure this URL in the SaaS application.
•
Always prompt SaaS users for proxy authentication. After entering valid credentials, users are
logged into the SaaS application.
logged into the SaaS application.
•
Transparently sign in SaaS users. Users are logged into the SaaS application automatically.
Note
To achieve single sign-on behavior using explicit forward requests for all authenticated users when the
appliance is deployed in transparent mode, select “Apply same surrogate settings to explicit forward
requests” when you configure the Identity group.
appliance is deployed in transparent mode, select “Apply same surrogate settings to explicit forward
requests” when you configure the Identity group.
SAML Attribute
Mapping
Mapping
(Optional) You can provide to the SaaS application additional information
about the internal users from the LDAP authentication server if required by
the SaaS application. Map each LDAP server attribute to a SAML attribute.
about the internal users from the LDAP authentication server if required by
the SaaS application. Map each LDAP server attribute to a SAML attribute.
Authentication Context
Choose the authentication mechanism the Web Proxy uses to authenticate its
internal users.
internal users.
Note
The authentication context informs the service provider which
authentication mechanism the identity provider used to authenticate
the internal users. Some service providers require a particular
authentication mechanism to allow users to access the SaaS
application. If a service provider requires an authentication context
that is not supported by an identity provider, users cannot access the
service provider using single sign-on from the identity provider.
authentication mechanism the identity provider used to authenticate
the internal users. Some service providers require a particular
authentication mechanism to allow users to access the SaaS
application. If a service provider requires an authentication context
that is not supported by an identity provider, users cannot access the
service provider using single sign-on from the identity provider.
Property
Description