Cisco Web Security Appliance S190 User Guide
Chapter 14 Controlling Access to SaaS Applications
Understanding How SaaS Access Control Works
14-4
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Authenticating SaaS Users
When users access a SaaS application, you can allow them to transparently sign
into the SaaS application using their local authentication credentials or always
prompt them for their local authentication credentials.
When users are prompted to authenticate, the authentication credentials are sent
to the Web Proxy using a secure HTTPS connection. The appliance uses its own
certificate and private key to create an HTTPS connection with the client by
default. Most browsers will warn users that the certificate is not valid. To prevent
users from seeing the invalid certificate message, you can upload a certificate and
key pair your organization uses. For information about uploading a certificate and
key, see
.
Note
To achieve single sign-on behavior using explicit forward requests for all
authenticated users when the appliance is deployed in transparent mode, you must
select the “Apply same surrogate settings to explicit forward requests” setting
when you configure the Identity group.
Authentication Requirements
Some service providers require a particular authentication mechanism to allow
users to access the SaaS application. If a service provider requires an
authentication context that is not supported by an identity provider, users cannot
access the service provider using single sign-on from the identity provider.
Therefore, SaaS Access Control only works with SaaS applications that require
an authentication mechanism supported by the Web Security appliance. Currently,
the Web Proxy uses the “PasswordProtectedTransport” authentication
mechanism. You configure this value when you create a SaaS Application
Authentication Policy using the Authentication Context setting. However,
administrators typically choose “Automatic” as the Authentication Context
setting.
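To diagnose the mismatch described above, the following added example (not part of the Cisco guide or the appliance) checks whether the authentication context a service provider requests can be met by an identity provider that offers only “PasswordProtectedTransport”. It assumes the service provider sends a SAML 2.0 AuthnRequest containing a RequestedAuthnContext element; the function names and the sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# The section above names this as the one mechanism the Web Proxy uses.
IDP_SUPPORTED = {AC + "PasswordProtectedTransport"}


def check_authn_context(authn_request_xml, supported=IDP_SUPPORTED):
    """Return (verdict, requested_classes) for a SAML 2.0 AuthnRequest.

    "ok"     - no context requested, or an exact-match class is supported
    "fail"   - exact comparison and none of the requested classes is supported
    "review" - minimum/maximum/better (ordering is deployment-defined), or
               the request names no class references to compare
    """
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "ok", []
    requested = [(e.text or "").strip()
                 for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    if rac.get("Comparison", "exact") != "exact" or not requested:
        return "review", requested
    return ("ok" if supported.intersection(requested) else "fail"), requested


def sample_request(class_names, comparison=None):
    """Build a constructed AuthnRequest (not captured from a real provider)."""
    attr = f' Comparison="{comparison}"' if comparison else ""
    refs = "".join(
        f"<saml:AuthnContextClassRef>{AC}{n}</saml:AuthnContextClassRef>"
        for n in class_names)
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_constructed" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z">'
            f"<samlp:RequestedAuthnContext{attr}>{refs}"
            f"</samlp:RequestedAuthnContext></samlp:AuthnRequest>")


if __name__ == "__main__":
    cases = [(["PasswordProtectedTransport"], None), (["Kerberos"], None),
             (["X509", "PasswordProtectedTransport"], None),
             (["Password"], "minimum")]
    for names, comparison in cases:
        verdict, requested = check_authn_context(sample_request(names, comparison))
        print(f"{verdict:6} comparison={comparison or 'exact'} {names}")
```

A "fail" verdict corresponds to the case where users cannot reach the service provider through single sign-on; "review" means the outcome depends on how the identity provider orders authentication classes.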
For more information on creating SaaS Application Authentication Policies, see
.