Cisco Web Security Appliance S390 User Guide

8-5
Cisco AsyncOS for Web User Guide
 
Chapter 8      SaaS Access Control
  Creating SaaS Application Authentication Policies
Metadata for Service Provider
Configure the metadata that describes the service provider referenced in this policy. You 
can either enter the service provider properties manually or upload a metadata file 
provided by the SaaS application. 
The Web Security appliance uses the metadata to determine how to communicate with 
the SaaS application (service provider) using SAML. Contact the SaaS application 
provider to learn the correct settings to configure in the metadata. 
When you manually configure the metadata information, configure the following values: 

Service Provider Entity ID. Enter the text (typically in URI format) that the SaaS 
application uses to identify itself as a service provider. 

Name ID Format. Choose from the drop-down list the format the appliance should use 
to identify users in the SAML assertion it sends to service providers. The value you choose 
here must match the corresponding setting configured on the SaaS application. 

Assertion Consumer Service Location. Enter the URL to which the Web Security 
appliance should send the SAML assertion it creates. Read the SaaS application 
documentation to determine the correct URL to use (also known as the login URL). 
Note
The metadata file is an XML document following the SAML standard that 
describes a service provider instance. Not all SaaS applications use metadata 
files, but for those that do, contact the SaaS application provider for the file. 
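The three values above (entity ID, Name ID Format, Assertion Consumer Service location) are exactly what a SAML 2.0 service-provider metadata file carries. The following is an added example, not code from the guide or from the appliance, that extracts them from such a file and refuses an ACS location that is not HTTPS, since the assertion containing the user's identity is posted there. The sample metadata, entity ID and URLs are constructed placeholders.

```python
"""Extract Service Provider Entity ID, Name ID Format and Assertion Consumer
Service location from SAML 2.0 SP metadata.  Added example, not Cisco code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample SP metadata; the entity ID and URLs are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saas.example.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://saas.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://saas.example.com/saml/artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the settings the policy needs, or raise if the file is not SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor lacks an entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata describes no service provider (no SPSSODescriptor)")
    name_id_formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    acs = []
    for e in sp.findall("md:AssertionConsumerService", NS):
        acs.append({
            "binding": e.get("Binding"),
            "location": e.get("Location"),
            "index": int(e.get("index", "0")),
            "is_default": e.get("isDefault", "false").lower() == "true",
        })
    if not acs:
        raise ValueError("no AssertionConsumerService element in metadata")
    return {
        "entity_id": entity_id,
        "name_id_formats": name_id_formats,
        "acs": acs,
        # If the SP wants signed assertions, the identity provider side must sign them.
        "wants_signed_assertions": sp.get("WantAssertionsSigned", "false").lower() == "true",
    }


def default_acs_location(parsed):
    """Pick the ACS the SP marks as default, otherwise the lowest index."""
    defaults = [a for a in parsed["acs"] if a["is_default"]]
    chosen = defaults[0] if defaults else min(parsed["acs"], key=lambda a: a["index"])
    return chosen["location"]


def check_acs_location(url):
    """Only accept an HTTPS ACS: the assertion carries the user's identity."""
    u = urlparse(url)
    return u.scheme == "https" and bool(u.netloc)


if __name__ == "__main__":
    parsed = parse_sp_metadata(SAMPLE_SP_METADATA)
    acs_url = default_acs_location(parsed)
    print("Entity ID:", parsed["entity_id"])
    print("Name ID formats:", parsed["name_id_formats"])
    print("ACS location:", acs_url, "(https ok)" if check_acs_location(acs_url) else "(REJECT: not https)")
```

When you compare the parsed values with what you entered manually, the Name ID Format chosen in the policy should be one of the formats the file lists, and the ACS location should be the one the SP marks default for the HTTP-POST binding.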
Authentication
Choose the authentication realm or authentication sequence the Web Proxy should use 
to authenticate users accessing this SaaS application. Users must be a member of the 
authentication realm or authentication sequence to successfully access the SaaS 
application. 
In the SaaS SSO Authentication Prompt section, choose how to sign users into the SaaS 
application:
Always prompt users for their local authentication credentials.
Prompt users for their local authentication credentials if the Web Proxy obtained 
their user names using transparent user identification.
Automatically sign in users to the SaaS application using their local 
authentication credentials.
SAML User Name Mapping
Specify how the Web Proxy should represent user names to the service provider in the 
SAML assertion. You can pass the user names as they are used inside your network (no 
mapping), or you can change the internal user names into a different format using one of 
the following methods: 
 
LDAP query. The user names sent to the service provider are based on one or more 
LDAP query attributes. Enter an expression containing LDAP attribute fields and optional 
custom text. You must enclose attribute names in angled brackets. You can include any 
number of attributes. For example, for the LDAP attributes “user” and “domain,” you 
could enter <user>@<domain>.com 
 
Fixed Rule mapping. The user names sent to the service provider are based on the 
internal user name with a fixed string added before or after the internal user name. Enter 
the fixed string and %s for the internal user name. 
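The two mapping methods above are simple string rules, but what they produce is the identifier the service provider trusts, so a user whose directory record lacks one of the referenced attributes should not be sent with a half-built name. The following added example (not code from the guide or the appliance) implements both rules as described, using the guide's `<attribute>` and `%s` placeholder syntax, and adds an assumed check that the result fits the Name ID Format chosen in the policy. The directory records and user names are constructed.

```python
"""LDAP query and fixed rule user-name mapping as described in the guide,
plus an assumed check against the SAML Name ID Format.  Added example, not Cisco code."""
import re

# An LDAP attribute field is an attribute name in angle brackets, e.g. <user>
ATTR_FIELD = re.compile(r"<([A-Za-z][A-Za-z0-9_.-]*)>")


def missing_attributes(expression, attributes):
    """Return the attribute names the expression references but the user lacks."""
    return sorted({name for name in ATTR_FIELD.findall(expression)
                   if not attributes.get(name)})


def map_ldap_query(expression, attributes):
    """Expand every <attr> field from the user's LDAP attributes; custom text
    outside the brackets is kept as-is.  Raise on incomplete directory data."""
    missing = missing_attributes(expression, attributes)
    if missing:
        raise KeyError(f"LDAP attributes missing for this user: {missing}")
    return ATTR_FIELD.sub(lambda m: attributes[m.group(1)], expression)


def map_fixed_rule(rule, internal_name):
    """Insert the internal user name where the rule has its single %s."""
    if rule.count("%s") != 1:
        raise ValueError("fixed rule must contain exactly one %s")
    return rule.replace("%s", internal_name)


def map_user_name(method, internal_name, expression=None, attributes=None):
    """Dispatch on the mapping method chosen in the policy (assumed method names)."""
    if method == "none":
        return internal_name
    if method == "ldap":
        return map_ldap_query(expression, attributes or {})
    if method == "fixed":
        return map_fixed_rule(expression, internal_name)
    raise ValueError(f"unknown mapping method {method!r}")


EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def fits_name_id_format(name, name_id_format):
    """Assumed check: an emailAddress Name ID must look like an e-mail address;
    other formats are not constrained here."""
    if name_id_format == EMAIL_FORMAT:
        return bool(_EMAIL.match(name))
    return True


# Constructed sample directory records, keyed by internal user name.
SAMPLE_DIRECTORY = {
    "jdoe": {"user": "jdoe", "domain": "example"},
    "asmith": {"user": "asmith", "domain": ""},   # domain attribute is empty
}

if __name__ == "__main__":
    for user, attrs in SAMPLE_DIRECTORY.items():
        try:
            mapped = map_user_name("ldap", user, "<user>@<domain>.com", attrs)
            status = "ok" if fits_name_id_format(mapped, EMAIL_FORMAT) else "bad format"
            print(f"{user} -> {mapped} ({status})")
        except KeyError as exc:
            print(f"{user} -> not mapped: {exc}")
```

Run as a script it maps jdoe to jdoe@example.com and reports asmith as unmapped because the domain attribute is empty, which is the case to watch for when the Name ID Format requires an e-mail address.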