Cisco Cisco Web Security Appliance S170 Guia Do Utilizador
7-6
AsyncOS 8.8 for Cisco Web Security Appliances User Guide
Chapter 7 SaaS Access Control
Configuring End-user Access to the Single Sign-on URL
Step 4
Submit and Commit Changes.
Next Steps
•
Set up the single sign-on settings on the SaaS application side, using the same parameters to
configure the application.
configure the application.
Configuring End-user Access to the Single Sign-on URL
After you configure the Web Security appliance as an identity provider and create a SaaS Application
Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL).
The Web Security appliance uses the application name configured in the SaaS Application Authentication
Policy to generate the single sign-on URL; the SSO URL format is:
Authentication Policy for the SaaS application, the appliance creates a single sign-on URL (SSO URL).
The Web Security appliance uses the application name configured in the SaaS Application Authentication
Policy to generate the single sign-on URL; the SSO URL format is:
http://IdentityProviderDomainName/SSOURL/ApplicationName
Step 1
Obtain the single sign-on URL from the Web Security Manager > SaaS Policies page.
Step 2
Make the URL available to end-users depending on which flow type.
SAML User
Name Mapping
Name Mapping
Specify how the Web Proxy should represent user names to the service provider
in the SAML assertion. You can pass the user names as they are used inside your
network (No mapping), or you can change the internal user names into a
different format using one of the following methods:
in the SAML assertion. You can pass the user names as they are used inside your
network (No mapping), or you can change the internal user names into a
different format using one of the following methods:
•
LDAP query. The user names sent to the service provider are based on
one or more LDAP query attributes. Enter an expression containing
LDAP attribute fields and optional custom text. You must enclose
attribute names in angled brackets. You can include any number of
attributes. For example, for the LDAP attributes “user” and “domain,”
you could enter
one or more LDAP query attributes. Enter an expression containing
LDAP attribute fields and optional custom text. You must enclose
attribute names in angled brackets. You can include any number of
attributes. For example, for the LDAP attributes “user” and “domain,”
you could enter
<user>@<domain>.com
.
•
Fixed Rule mapping. The user names sent to the service provider are
based on the internal user name with a fixed string added before or after
the internal user name. Enter the fixed string in the Expression Name
field, with
based on the internal user name with a fixed string added before or after
the internal user name. Enter the fixed string in the Expression Name
field, with
%s
either before or after the string to indicate its position in
the internal user name.
SAML Attribute
Mapping
Mapping
(Optional) You can provide to the SaaS application additional information
about the internal users from the LDAP authentication server if required by
the SaaS application. Map each LDAP server attribute to a SAML attribute.
about the internal users from the LDAP authentication server if required by
the SaaS application. Map each LDAP server attribute to a SAML attribute.
Authentication Context
Choose the authentication mechanism the Web Proxy uses to authenticate its
internal users.
internal users.
Note
The authentication context informs the service provider which
authentication mechanism the identity provider used to authenticate
the internal users. Some service providers require a particular
authentication mechanism to allow users to access the SaaS
application. If a service provider requires an authentication context
that is not supported by an identity provider, users cannot access the
service provider using single sign-on from the identity provider.
authentication mechanism the identity provider used to authenticate
the internal users. Some service providers require a particular
authentication mechanism to allow users to access the SaaS
application. If a service provider requires an authentication context
that is not supported by an identity provider, users cannot access the
service provider using single sign-on from the identity provider.
Property
Description