Configure SAML and SSO for Skyhigh Cloud Administrators

Skyhigh Security allows you to configure a login workflow that enables Skyhigh Security Cloud administrators to log in to Skyhigh CASB via Single Sign-On (SSO). You can enable SSO and configure Security Assertion Markup Language (SAML) for Skyhigh Security Cloud admins to enhance security and streamline access management.

Use these steps to enable SSO and configure SAML:

► Step 1: Set up SAML in Your IdP App

You must set up SAML in your IdP application to use the IdP App's SAML configuration details such as Issuer URL, Single Sign-On URL, and SAML certificate in Skyhigh CASB. The following example uses Okta as the IdP app for reference.

To set up SAML in your IdP app:

1. Log in to Okta. 
2. In the Okta Admin console, go to Applications > Applications.
3. On the Applications page, click Create App Integration.
4. Select SAML 2.0 as the Sign-in method, and click Next.
5. Under General Settings, configure the following:
   • App Name. Enter the name for your Single Sign-on solution.
   • App logo (Optional). Upload the logo for your Single Sign-on solution.
   • App Visibility. Set the visibility of your application icon to users or in the Okta Mobile application.
6. Click Next.
7. Under Configure SAML, enter any URL as placeholder information for the following:
   • Single sign-on URL. 
   • Audience URI (SP Entity ID).
   • Default RelayState.
     
8. Click Next.
9. Under Feedback, configure the following:
   • Are you a customer or partner?. Select I'm an Okta customer adding an internal app.
   • App type. Activate the checkbox to specify that the Single Sign-On application is internal.
     
10. Click Finish.
11. On the SAML Setup page, under SAML Setup, click View SAML setup instructions. Use the following information to configure SAML in Skyhigh CASB:
    • Identity Provider Single Sign-On URL. This is the Login URL required for Skyhigh CASB. 
    • Identity Provider Issuer. This is the Issuer URL required for Skyhigh CASB.
    • X.509 Certificate. Download this certificate to upload it to Skyhigh CASB.
       

 

► Step 2: Configure SAML in Skyhigh CASB

You can now enable SSO and configure SAML in Skyhigh CASB, which allows Skyhigh Security Cloud admins to access the Skyhigh CASB user interface without separate login credentials. 

NOTE: By default, the Skyhigh Security Cloud admin has access to configure SAML in Skyhigh CASB. Contact Skyhigh Security Support if you have any trouble configuring SAML.

 

To enable SSO and configure SAML in Skyhigh CASB:

1. Log in to Skyhigh CASB with your tenant.
2. Go to Settings > User Management > SAML Configuration. 
3. Select the tab Skyhigh Security Cloud Users.
    
4. For Identity Provider, enter the following information from your IdP:
   • Issuer. This is the Identity Provider Issuer from your IdP. 
   • Certificate. Click Choose File to upload the SAML certificate downloaded from your IdP. The certificate must be in the PEM (Privacy Enhanced Mail) format. 
   • Login URL. This is the Identity Provider Single-Sign On URL from your IdP. 
   • Signature Algorithm. Make sure this matches your IdP app. 
   • SP-Initiated Request Binding. Make sure this matches your IdP app. 
   • User Exclusions. (Optional). Click Edit Exclusions to exclude users from this site. Added users become hybrid users that can log in with SSO, and the traditional login method.

NOTE: Add few users with admin access to User Exclusions and make sure that they have access via SSO and non-SSO. Once verified, you can add or remove the users from User Exclusions as required. Any user account used for automation (for Cloud Connector, DLP Integrator, Secure Web Gateway (On-Prem) hybrid settings, or pulling data via API calls) must be in the User Exclusions list. 

 

5. Click Save. 
6. Skyhigh CASB connects with IAM and provides the following information. Use this information to configure your IdP application's SAML settings. 
   • Audience. This is the Audience URL required for your IdP application.
   • Assertion Consumer Service URL. This is the Single Sign-On URL required for your IdP application.
   • Certificate. Download this certificate to upload it to your IdP application. 
   • SAML Metadata. 
     

 

► Step 3: Configure Your IdP App SAML Settings

Once you have connected Skyhigh CASB to IAM, you must return to Okta and update your IdP App's SAML settings with the SAML configuration details received from Skyhigh CASB.

To configure your IdP app SAML settings:

1. In the Okta admin console, go to Applications > Applications.
2. Select the General tab for your newly created IdP application.
3. For SAML Settings, click Edit.
4. Click Next.
5. On the Edit SAML Integration page, under SAML Settings, configure the following:
   • Single Sign-On URL. Enter the Assertion Consumer Service URL from Skyhigh CASB.
   • Audience URI. Enter the Audience URL from Skyhigh CASB. 
   • Default RelayState. Set this value to https://auth.ui.trellix.com/. 
     
6. Click Next, and click Finish.
7. Select the Assignments tab to enable SSO for selected users.
8. Go to Assign > Assign to People.
   
9. Select Assign corresponding to the user, and click Done.

NOTES 

• To enable SSO for new users, create a new user in Okta with the same email address and password as the Skyhigh CASB user.
• SCIM (System for Cross-domain Identity Management), and automatic user creation are not supported.

 

10. Click Save and Go Back.
11. Click Done.
12. Configure the app to send the following user attributes to the IdP provider. (These are recorded in the Skyhigh Security IAM section. Individual users have the option to edit First Name and Last Name at any time after logging into Skyhigh CASB.)
    • First Name
    • Last Name
    • Email.