Configure Skyhigh CASB Login for SAML and SSO
You can now login to Skyhigh CASB using Single Sign-on and provided additional steps to configure your new login workflow.
- Configure a new IdP app.
- Input your SAML Configuration information in Skyhigh CASB.
- Update your IdP application with the new information from Skyhigh CASB.
NOTE: This new app will not affect your existing Skyhigh CASB SAML configuration in any way. Your existing SAML login continues to work as expected. The configuration you create by using the following steps are saved separately within Skyhigh Security IAM systems.
Configure a New IdP App
Configure a new IdP app in your Single Sign-on solution. This gives you the Identity Provider URL, Issuer URL, and the X.509 certificate.
For now, use placeholder information for the ACS URL and the Audience URI. Those are filled in when you get to Edit Your IdP App SAML Settings.
Input your SAML Configuration into Skyhigh CASB
Find the Required IdP Information
You need the following information from your IdP application. We have included basic steps for Okta.
- Log in to Okta.
- Click Admin.
- Select your Application.
- Go to the Sign On tab.
- Under SAML 2.0, click View Setup Instructions. From here you can get:
- Identity Provider Single Sign On URL. This is the Login URL required for Skyhigh CASB.
- Identity Provider Issuer. This is the Issuer required for Skyhigh CASB.
- X.509 Certificate. Download this certificate to upload it to Skyhigh CASB.
- Go to the General tab. From here you can get:
- Signature Algorithm.
- SP-Initiated Request Binding.
Configure SAML for Skyhigh Cloud Users
By default, the admin user has access to configure SAML in Skyhigh CASB. Contact Skyhigh Security Support if you have any trouble configuring SAML.
Use this tab to enable SSO and configure SAML to allow Skyhigh Security Cloud users to access the Skyhigh CASB user interface without separate login credentials.
- Go to Settings > User Management > SAML Configuration.
- Select the tab Skyhigh CASB Users.
- For Identity Provider, enter the following information from your IdP:
- Issuer. This is the Identity Provider Issuer from your IdP.
- Certificate. Download the certificate from your IdP and click Choose File to upload it to Skyhigh CASB. The certificate must be in the PEM (Privacy Enhanced Mail) format.
- Login URL. This is the Identity Provider Single Sign On URL from your IdP.
- Signature Algorithm. Make sure this matches your IdP app.
- SP-Initiated Request Binding. Make sure this matches your IdP app.
- User Exclusions. (Optional). Click Edit Exclusions to exclude users from this site. Added users become hybrid users that can to log in with SSO and the traditional login method.
NOTE: Add few users with admin access to User Exclusions and make sure that they have access via SSO and non-SSO. Once verified, you can add or remove the users from User Exclusions as required. Any user account used for automation (for Cloud Connector, DLP Integrator, ePO Integrator, or pulling data via API calls) must be in the User Exclusions list.
- Click Save.
- Skyhigh CASB connects with IAM and provides the following information about the screen:
- Audience. Edit your IdP application's SAML settings to update the Audience URL.
- Assertion Consumer Service URL. Edit your IdP application's SAML settings to include the Single Sign On URL.
- Certificate.
- SAML Metadata.
Configure SAML for End Users
Use this tab to enable SSO and configure SAML for end users if you have enabled End User Input for Policy Incidents.
- Go to Settings > User Management > SAML Configuration.
- Select the tab End-Users.
- Single Sign-On. Toggle on to enable SSO.
- For Identity Provider, enter the following information from your IdP:
- Identity Provider Issuer. This is the Identity Provider Issuer from your IdP.
- Identity Provider Certificate. Download the certificate from your IdP and click Choose File to upload it to Skyhigh CASB. The certificate must be in the PEM (Privacy Enhanced Mail) format.
- Identity Provider Login URL. This is the Identity Provider Single Sign On URL from your IdP.
- Signature Algorithm. Make sure this matches your IdP app.
- SP-Initiated Request Binding. Make sure this matches your IdP app.
- Click Save.
- Skyhigh CASB connects with IAM.
- Under Configuring Your Identity Provider, use the following information to configure your IdP App's SAML settings:
- Audience URL. Edit your IdP application's SAML settings to update the Audience URL.
- Entity ID. Edit your IdP application's SAML settings to include the Single Sign On URL.
Edit Your IdP App SAML Settings
Once you have connected Skyhigh CASB to IAM, go back to Okta and edit your IdP App's SAML settings with the following new information from Skyhigh CASB:
- Audience URL. Edit your IdP application's SAML settings to update this with the Audience link from Skyhigh CASB.
- Single Sign On URL. Edit your IdP application's SAML settings to include the Assertion Consumer Service URL from Skyhigh CASB.
- Default RelayState. Set this value to https://auth.ui.trellix.com/.
- Configure the app to send the following user attributes to the IdP provider. (These are recorded in the Skyhigh Security IAM section. Individual users have the option to edit First Name and Last Name at any time after logging into Skyhigh CASB.)
- First Name
- Last Name
- Email.
- OPTIONAL: To test your login, click the newly configured app. Log in to the Skyhigh Security IAM and you can see the IAM dashboard.
Troubleshooting SSO
If the SSO user is not in the Skyhigh Security Cloud login database, you can receive a nondescript 400 error code from the IdP.
To troubleshoot:
- Make sure the user has been assigned to the application in the IdP.
- Make sure the user exists in the Skyhigh CASB page Settings > User Management > Users.
- Make sure the user's first name, last name, and login ID configured in the IdP match what is in Skyhigh CASB.