SSO/SAML and Reverse Proxy
Your organization might already have Single Sign-On (SSO) implemented in your environments or might be planning to implement it. Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and service provider. The single most important requirement that SAML addresses is web browser SSO.
The SAML specification defines three roles:
- Principal (typically a user)
- Identity provider (IdP)
- Service provider (SP)
In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. Based on this assertion, the service provider can make an access control decision – in other words it can decide whether to perform some service for the connected principal.
When a reverse proxy is present between IdP and SP, the Proxy URL becomes the SP URL, which requires rewriting the SP URL before sending it to the service provider. As a SAML assertion is modified, it requires repacking by resigning. IdP Initiated SSO and SP Initiated SSO scenarios both require changes.
For information about configuring SSO for Skyhigh CASB, see Configure Skyhigh CASB Login for SSO.