Cisco Web Security Appliance S390 User Guide
Cisco AsyncOS for Web User Guide
Chapter 8 SaaS Access Control
Creating SaaS Application Authentication Policies
Metadata for Service Provider
Configure the metadata that describes the service provider referenced in this policy. You can either describe the service provider properties manually or upload a metadata file provided by the SaaS application.
The Web Security appliance uses the metadata to determine how to communicate with the SaaS application (service provider) using SAML. Contact the SaaS application to learn the correct settings to configure the metadata.
When you manually configure the metadata information, configure the following values:
• Service Provider Entity ID. Enter the text (typically in URI format) the SaaS application uses to identify itself as a service provider.
• Name ID Format. Choose from the drop-down list the format the appliance should use to identify users in the SAML assertion it sends to service providers. The value you enter here must match the corresponding setting configured on the SaaS application.
• Assertion Consumer Service Location. Enter the URL to where the Web Security appliance should send the SAML assertion it creates. Read the SaaS application documentation to determine the correct URL to use (also known as the login URL).
Note: The metadata file is an XML document following the SAML standard that describes a service provider instance. Not all SaaS applications use metadata files, but for those that do, contact the SaaS application provider for the file.
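The three values you enter manually (Entity ID, Name ID Format, Assertion Consumer Service Location) are exactly what a SAML 2.0 service provider metadata file carries. The following added example, which is not Cisco's code and not part of this guide, reads those values out of a metadata document so you can check them against what the SaaS application told you before typing them into the policy. The metadata document, its entity ID and its URLs are constructed for illustration; the namespace and element names come from the OASIS SAML 2.0 metadata standard. It prefers the HTTP-POST consumer endpoint marked as default and refuses a non-HTTPS location, since the assertion sent there carries the user's identity.

```python
"""Extract the entity ID, Name ID format(s) and Assertion Consumer Service
location from a SAML 2.0 service provider metadata file.

Added example, not Cisco's code. The metadata below is constructed."""
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 metadata documents (OASIS standard).
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Binding most SaaS ACS endpoints expect the assertion to arrive over.
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata, shaped like what a SaaS application hands out.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://saas.example.com/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                      WantAssertionsSigned="true">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                 Location="https://saas.example.com/sso/redirect" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://saas.example.com/sso/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return entity_id, name_id_formats, acs_location and want_assertions_signed,
    or raise ValueError if the document is not usable service provider metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("metadata describes no service provider (no SPSSODescriptor)")

    # The SP may list several Name ID formats; the appliance setting must match one of them.
    formats = [e.text.strip() for e in sp.findall(f"{{{MD_NS}}}NameIDFormat") if e.text]

    # ACS location: the default HTTP-POST endpoint if marked, otherwise the first HTTP-POST one.
    acs_elems = sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
    post_acs = [a for a in acs_elems if a.get("Binding") == HTTP_POST]
    if not post_acs:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    default = [a for a in post_acs if a.get("isDefault") == "true"]
    location = (default or post_acs)[0].get("Location", "")
    # The assertion identifies the user, so only accept a TLS-protected endpoint.
    if not location.startswith("https://"):
        raise ValueError(f"ACS location is not HTTPS: {location}")

    return {
        "entity_id": entity_id,
        "name_id_formats": formats,
        "acs_location": location,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the metadata file the SaaS application gave you by replacing SAMPLE_SP_METADATA with the file contents; if the Name ID format it lists is not the one you chose in the policy drop-down, the service provider will reject the assertion's subject.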
Authentication
Choose the authentication realm or authentication sequence the Web Proxy should use to authenticate users accessing this SaaS application. Users must be a member of the authentication realm or authentication sequence to successfully access the SaaS application.
In the SaaS SSO Authentication Prompt section, choose how to sign users into the SaaS application:
• Always prompt users for their local authentication credentials.
• Prompt users for their local authentication credentials if the Web Proxy obtained their user names using transparent user identification.
• Automatically sign in users to the SaaS application using their local authentication credentials.
SAML User Name Mapping
Specify how the Web Proxy should represent user names to the service provider in the SAML assertion. You can pass the user names as they are used inside your network (no mapping), or you can change the internal user names into a different format using one of the following methods:
• LDAP query. The user names sent to the service provider are based on one or more LDAP query attributes. Enter an expression containing LDAP attribute fields and optional custom text. You must enclose attribute names in angled brackets. You can include any number of attributes. For example, for the LDAP attributes “user” and “domain,” you could enter <user>@<domain>.com.
• Fixed Rule mapping. The user names sent to the service provider are based on the internal user name with a fixed string added before or after the internal user name. Enter the fixed string and %s for the internal user name.
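To make the two mapping methods concrete, the following added example (not Cisco's code and not part of this guide) applies an LDAP query expression such as <user>@<domain>.com and a Fixed Rule such as %s@saas.example.com to an internal user name. The LDAP entry and the user names are constructed. How the appliance itself treats a missing LDAP attribute or a rule with more than one %s is not stated on this page; the example assumes both are errors, so that an assertion is never sent with an empty or duplicated subject.

```python
"""Apply the SAML user name mapping methods described above to an internal
user name: an LDAP query expression with <attribute> fields, or a Fixed Rule
with %s standing for the internal user name.

Added example, not Cisco's code. The LDAP entry below is constructed, and the
handling of missing attributes and malformed rules is an assumption."""
import re

# Constructed attributes for one user, as an LDAP query would return them.
SAMPLE_LDAP_ENTRY = {
    "user": "jdoe",
    "domain": "corp",
    "mail": "john.doe@corp.example.com",
}

# An attribute field is an attribute name enclosed in angled brackets.
_ATTR_FIELD = re.compile(r"<([^<>]+)>")


def ldap_query_mapping(expression, attributes):
    """Replace each <attr> field in expression with that attribute's value.
    Raises KeyError (assumed behaviour) if the entry lacks an attribute the
    expression names, rather than emitting a partial subject."""
    def substitute(match):
        name = match.group(1)
        if name not in attributes:
            raise KeyError(f"LDAP attribute {name!r} not present in entry")
        return attributes[name]
    return _ATTR_FIELD.sub(substitute, expression)


def fixed_rule_mapping(rule, internal_name):
    """Insert internal_name at the %s in rule, which may sit before or after
    the fixed string. Exactly one %s is required (assumed behaviour), since a
    rule with none would drop the user name and one with several would repeat it."""
    if rule.count("%s") != 1:
        raise ValueError("fixed rule must contain exactly one %s")
    return rule.replace("%s", internal_name)


def map_user_name(method, spec, internal_name, attributes=None):
    """Dispatch on the mapping method: 'none' (pass through), 'ldap' or 'fixed'."""
    if method == "none":
        return internal_name
    if method == "ldap":
        return ldap_query_mapping(spec, attributes or {})
    if method == "fixed":
        return fixed_rule_mapping(spec, internal_name)
    raise ValueError(f"unknown mapping method {method!r}")


if __name__ == "__main__":
    print(map_user_name("ldap", "<user>@<domain>.com", "jdoe", SAMPLE_LDAP_ENTRY))
    print(map_user_name("fixed", "%s@saas.example.com", "jdoe"))
    print(map_user_name("none", "", "jdoe"))
```

Whichever method you pick, the mapped value must be in the Name ID Format the service provider expects; an email-address format, for example, is only satisfied by an expression or rule that actually produces an address.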