
Configure Skyhigh CASB Login for SAML and SSO

You can now log in to Skyhigh CASB using Single Sign-On. The following steps configure the new login workflow:

  1. Configure a new IdP app.
  2. Input your SAML Configuration information in Skyhigh CASB.
  3. Update your IdP application with the new information from Skyhigh CASB. 

NOTE: This new app does not affect your existing Skyhigh CASB SAML configuration in any way. Your existing SAML login continues to work as expected. The configuration you create by using the following steps is saved separately within the Skyhigh Security IAM systems. 

Configure a New IdP App 

Configure a new IdP app in your Single Sign-on solution. This gives you the Identity Provider URL, Issuer URL, and the X.509 certificate. 

For now, use placeholder values for the ACS URL and the Audience URI. Skyhigh CASB generates the real values when you save its SAML configuration; you fill them in when you get to Edit Your IdP App SAML Settings.

Input your SAML Configuration into Skyhigh CASB

Find the Required IdP Information

You need the following information from your IdP application. We have included basic steps for Okta. 

  1. Log in to Okta. 
  2. Click Admin
  3. Select your Application. 
  4. Go to the Sign On tab. 
  5. Under SAML 2.0, click View Setup Instructions. From here you can get:
    • Identity Provider Single Sign On URL. This is the Login URL required for Skyhigh CASB. 
    • Identity Provider Issuer. This is the Issuer required for Skyhigh CASB.
    • X.509 Certificate. Download this certificate to upload it to Skyhigh CASB. 
  6. Go to the General tab. From here you can get:
    • Signature Algorithm. 
    • SP-Initiated Request Binding.

Configure SAML for Skyhigh CASB Users

By default, the admin user has access to configure SAML in Skyhigh CASB. Contact Skyhigh Security Support if you have any trouble configuring SAML.

Use this tab to enable SSO and configure SAML to allow users to access the Skyhigh CASB user interface without separate login credentials. 

  1. Go to Settings > User Management > SAML Configuration
  2. Select the tab Skyhigh CASB Users
  3. For Identity Provider, enter the following information from your IdP:
    • Issuer. This is the Identity Provider Issuer from your IdP. 
    • Certificate. Download the certificate from your IdP and click Choose File to upload it to Skyhigh CASB. The certificate must be in the PEM (Privacy Enhanced Mail) format. 
    • Login URL. This is the Identity Provider Single Sign On URL from your IdP
    • Signature Algorithm. Make sure this matches your IdP app. 
    • SP-Initiated Request Binding. Make sure this matches your IdP app. 
    • User Exclusions. (Optional). Click Edit Exclusions to exclude users from SSO. Excluded users become hybrid users that can log in with either SSO or the traditional login method.
      NOTE: Add a few users with admin access to User Exclusions and verify that they can log in both via SSO and without SSO. Once verified, you can add or remove users from User Exclusions as required. Any user account used for automation (for Cloud Connector, DLP Integrator, ePO Integrator, or pulling data via API calls) must be in the User Exclusions list, because those integrations authenticate with a username and password rather than through the IdP. 
  4. Click Save
  5. Skyhigh CASB connects with IAM and displays the following information on the screen:
    • Audience. Use this value as the Audience URI in your IdP application's SAML settings.
    • Assertion Consumer Service URL. Use this value as the Single Sign On URL in your IdP application's SAML settings.
    • Certificate. 
    • SAML Metadata. 
      (Screenshot: saml_config_save.png)

Configure SAML for End Users

Use this tab to enable SSO and configure SAML for end users if you have enabled End User Input for Policy Incidents. 

  1. Go to Settings > User Management > SAML Configuration
  2. Select the tab End-Users
  3. Single Sign-On. Toggle on to enable SSO. 
  4. For Identity Provider, enter the following information from your IdP:
    • Issuer. This is the Identity Provider Issuer from your IdP. 
    • Certificate. Download the certificate from your IdP and click Choose File to upload it to Skyhigh CASB. The certificate must be in the PEM (Privacy Enhanced Mail) format. 
    • Login URL. This is the Identity Provider Single Sign On URL from your IdP
    • Signature Algorithm. Make sure this matches your IdP app. 
    • SP-Initiated Request Binding. Make sure this matches your IdP app. 
    • User Exclusions. (Optional). Click Edit Exclusions to exclude users from SSO. 
  5. Click Save
  6. Skyhigh CASB connects with IAM and displays the following information on the screen:
    • Audience. Use this value as the Audience URI in your IdP application's SAML settings.
    • Assertion Consumer Service URL. Use this value as the Single Sign On URL in your IdP application's SAML settings.
    • Certificate. 
    • SAML Metadata. 
      (Screenshot: saml_config_save.png)

Edit Your IdP App SAML Settings

Once you have connected Skyhigh CASB to IAM, go back to Okta and edit your IdP App's SAML settings with the following new information from Skyhigh CASB:

  1. Audience URI. Replace the placeholder with the Audience value from Skyhigh CASB. 
  2. Single Sign On URL. Replace the placeholder with the Assertion Consumer Service URL from Skyhigh CASB.
  3. Default RelayState. Set this value to https://auth.ui.mcafee.com
  4. Configure the app to send the following user attributes in the SAML assertion. (These are recorded in the Skyhigh Security IAM section. Individual users can edit First Name and Last Name at any time after logging in to Skyhigh CASB.)
    • First Name
    • Last Name
    • Email.
  5. OPTIONAL: To test your login, click the newly configured app. Log in to the Skyhigh Security IAM and you can see the IAM dashboard. 

Troubleshooting SSO

If the SSO user is not in the Skyhigh CASB login database, the login can fail with a generic 400 error from the IdP that does not say which value is wrong. 

To troubleshoot:

  1. Make sure the user has been assigned to the application in the IdP.
  2. Make sure the user exists in the Skyhigh CASB page Settings > User Management > Users.
  3. Make sure the user's first name, last name, and login ID configured in the IdP match what is in Skyhigh CASB. 
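Because the 400 error does not say which value is wrong, the quickest way to find the mismatch is to capture the SAMLResponse the IdP posts to the Assertion Consumer Service URL (from the browser developer tools, the base64 value of the SAMLResponse form field) and compare its contents with what you configured. The script below is an added example, not Skyhigh or Okta code: it decodes the response and checks the Issuer, Audience URI and ACS URL against the values from the SAML Configuration page, checks that the first name, last name and email attributes are present, and checks the NameID against a user list with the first and last name Skyhigh CASB holds. The attribute names firstName, lastName and email, all URLs, the Okta issuer value and the user are assumptions; the embedded response is constructed and unsigned. It does not validate signatures and is a configuration-debugging aid only, not a replacement for the SP's own checks.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed attribute names for the three attributes the IdP app must send; pass your own mapping if they differ.
DEFAULT_ATTRIBUTE_NAMES = {"first_name": "firstName", "last_name": "lastName", "email": "email"}


def decode_saml_response(b64_response: str) -> ET.Element:
    """Base64-decode the SAMLResponse form field and parse it as XML."""
    return ET.fromstring(base64.b64decode(b64_response))


def extract_fields(root: ET.Element, attribute_names=DEFAULT_ATTRIBUTE_NAMES) -> dict:
    """Pull out the values that have to line up with the SP-side configuration."""
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion in response (encrypted or malformed)")

    def text(elem, path):
        node = elem.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attributes[attr.get("Name")] = values[0] if values else None

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "issuer": text(assertion, "saml:Issuer") or text(root, "saml:Issuer"),
        "destination": root.get("Destination"),            # must equal the ACS URL
        "recipient": scd.get("Recipient") if scd is not None else None,  # same
        "audience": text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "name_id": text(assertion, "saml:Subject/saml:NameID"),  # treated as the login ID
        "first_name": attributes.get(attribute_names["first_name"]),
        "last_name": attributes.get(attribute_names["last_name"]),
        "email": attributes.get(attribute_names["email"]),
    }


def check_saml_response(b64_response, expected_issuer, expected_audience, expected_acs_url,
                        known_users, attribute_names=DEFAULT_ATTRIBUTE_NAMES) -> list:
    """Return human-readable mismatches; an empty list means the response agrees with the
    configured Issuer, Audience URI and ACS URL and with the user record. Signatures are not
    checked: this debugs configuration of responses you captured yourself, it is not an SP."""
    f = extract_fields(decode_saml_response(b64_response), attribute_names)
    problems = []
    if f["issuer"] != expected_issuer:
        problems.append(f"Issuer {f['issuer']!r} != configured {expected_issuer!r}")
    if f["audience"] != expected_audience:
        problems.append(f"Audience {f['audience']!r} != Audience URI {expected_audience!r}")
    for field in ("destination", "recipient"):
        if f[field] != expected_acs_url:
            problems.append(f"{field} {f[field]!r} != ACS URL {expected_acs_url!r}")
    for key in ("first_name", "last_name", "email"):
        if not f[key]:
            problems.append(f"attribute {attribute_names[key]!r} missing from assertion")
    # known_users maps login ID -> (first name, last name) as held in the SP user list.
    record = known_users.get(f["name_id"])
    if record is None:
        problems.append(f"user {f['name_id']!r} not in the Skyhigh CASB user list")
    elif (f["first_name"], f["last_name"]) != record:
        problems.append(f"name {f['first_name']!r} {f['last_name']!r} != user record {record!r}")
    return problems


# Constructed, unsigned sample response with hypothetical values (not a real tenant or IdP).
EXPECTED_ISSUER = "http://www.okta.com/exk0000example"
EXPECTED_AUDIENCE = "https://sp.example.test/saml/audience"
EXPECTED_ACS_URL = "https://sp.example.test/saml/acs"
KNOWN_USERS = {"jane.doe@example.test": ("Jane", "Doe")}
SAMPLE_RESPONSE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
 xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
 Destination="{EXPECTED_ACS_URL}">
 <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>{EXPECTED_ISSUER}</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""".encode()).decode()

if __name__ == "__main__":
    for label, users in (("correct user list", KNOWN_USERS), ("user missing", {})):
        print(label, check_saml_response(SAMPLE_RESPONSE_B64, EXPECTED_ISSUER,
                                         EXPECTED_AUDIENCE, EXPECTED_ACS_URL, users) or "OK")
```

Run it against a captured response by replacing SAMPLE_RESPONSE_B64 with the form field value and the EXPECTED_* constants with the Issuer you entered and the Audience and Assertion Consumer Service URL that Skyhigh CASB displayed after Save. Any line in the returned list names the setting to fix in the IdP app, or the user record to correct under Settings > User Management > Users.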