
Skyhigh Security

Configure SAML in Skyhigh SSE

Use your own Identity Provider (IDP) and share authentication and identity information with Skyhigh Secure Web Gateway (SWG) in the form of SAML assertions.

Prerequisites

To configure SAML authentication, you need the following information:

  • Service provider's entity ID
  • Identity Provider's entity ID
  • URL of your Identity Provider
  • Name of the attribute that uniquely identifies users
  • Name of the attribute that lists group memberships
  • Certificate to verify signed SAML responses and assertions
  • Names of one or more domains that identify your organization

Match SAML Settings to your IDP

For SAML authentication to succeed, make sure that the values you configure for the following SAML settings exactly match in Skyhigh CASB and in your Identity Provider service.

  • Service Provider's Entity ID
  • Identity Provider's Entity ID
  • User ID attribute in SAML response
  • Group ID attribute in SAML response

Configure SAML

SAML authentication is mandatory for accessing Private Applications. Once you have authenticated, you will not need to re-authenticate for 12 hours.

To configure SAML in Skyhigh CASB:

  1. In the Skyhigh CASB navigation bar, go to Settings > Infrastructure > Web Gateway Setup.
  2. Click New SAML.
  3. Enter a unique SAML Configuration Name, then provide values for these SAML settings:

  • Service Provider Entity ID. The unique identifier assigned to SWG by your organization. The IDP uses this value to identify SAML requests sent by SWG.
  • SAML Identity Provider URL. Specifies the URL of the SAML service provided by your IDP. SWG redirects SAML requests to this URL. Ask your IDP for the URL.
  • Identity Provider Must Sign SAML Response. If your IDP signs the SAML response, select this checkbox. When it's selected, SWG verifies that all SAML responses are signed by the IDP.
  • Identity Provider Must Sign SAML Assertion. If your Identity Provider signs the SAML assertion in the SAML response, select this checkbox. When it's selected, SWG verifies that all SAML assertions are signed by the IDP.
  • Identity Provider Entity ID. The unique identifier assigned to the IDP by your organization. SWG uses this value to identify SAML responses sent by the IDP.
  • User ID attribute in SAML response. Specifies the name of the attribute that uniquely identifies the user. SWG uses this setting when it extracts the user ID from the SAML assertion.

    Note: Make sure to specify the attribute name in URL format if you configured the SAML attribute that way on the SAML application; the name must match exactly.
  • Group ID attribute in SAML response. Specifies the name of the attribute whose value is a list of group names. SWG uses this setting when it extracts group membership information from the SAML assertion. The service uses this information when applying group policies.
  • Identity Provider Certificate. Click Upload Certificate, browse for the certificate file provided by your IDP, then click Open.
    SWG uses this certificate to verify the signatures of SAML responses and assertions signed by the IDP. The supported certificate file types are: .cer, .crt, and .pem.
  4. Configure a list of domain names, one per line. SWG uses these values to identify your organization.
  5. Click Save.

The named SAML configuration is saved.
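As an added example (not Skyhigh's code), the following Python check reads one SAML response and reports whether its issuer, audience, signature presence and attribute names line up with the values entered in the settings above. All entity IDs, attribute names and the sample response are constructed.

```python
# Added example, not Skyhigh's code: check one SAML response against the values entered
# in the New SAML dialog. Only signature *presence* is checked; SWG verifies the signatures.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical settings; attribute names are in URL format, as the Note above requires.
SETTINGS = {"sp_entity_id": "https://swg.example.com/sp",
            "idp_entity_id": "https://idp.example.com/saml",
            "sign_response": True, "sign_assertion": True,
            "user_id_attr": "http://schemas.example.com/claims/email",
            "group_id_attr": "http://schemas.example.com/claims/groups"}

# Constructed sample response; the empty ds:Signature elements stand in for real ones.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Issuer>https://idp.example.com/saml</saml:Issuer><ds:Signature/>
 <saml:Assertion><saml:Issuer>https://idp.example.com/saml</saml:Issuer><ds:Signature/>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://swg.example.com/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.example.com/claims/email">
    <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.example.com/claims/groups">
    <saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>vpn-users</saml:AttributeValue>
   </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, cfg):
    """Return (problems, user_id, groups); an empty problems list means the settings match."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", "", NS) != cfg["idp_entity_id"]:
        problems.append("Issuer does not match Identity Provider Entity ID")
    if cfg["sign_response"] and root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in Response"], None, []
    if cfg["sign_assertion"] and assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    if cfg["sp_entity_id"] not in [a.text for a in assertion.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not match Service Provider Entity ID")
    # Attribute names must match exactly, including the URL-format prefix.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    user = (attrs.get(cfg["user_id_attr"]) or [None])[0]
    if user is None:
        problems.append("User ID attribute not found")
    return problems, user, attrs.get(cfg["group_id_attr"], [])
```

A non-empty problems list points at the specific setting (entity ID, signing checkbox or attribute name) that disagrees between the IDP and the SWG configuration.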


Example of a SAML configuration that uses Google as the IDP: [screenshots of the completed SAML configuration]

Example of a SAML configuration that uses AWS as the IDP:
  1. Log in to your AWS account as an administrator.
  2. Navigate to IAM Identity Center.
  3. Add a user, make sure you add an email address, and note down the email domain.
  4. Go to Applications > Customer managed and add an application.
  5. Add the details and download the metadata.
  6. Assign the created application to the user.
  7. Once the user is assigned to the application, the assignment is displayed on the user's page.
  8. Edit the application attribute list and add the attributes that SWG expects (the user ID and group ID attributes configured in the SAML settings).
  9. IDP configuration is now complete.
  10. Log in to the Skyhigh Security UCE tenant and configure SAML.
  11. Go to Infrastructure > Web Gateway Setup > Setup SAML > New SAML.
  12. Upload the downloaded metadata file, which contains the AWS IDP certificate.
  13. Add the domain, which is the same as the user domain added in the AWS IDP.
  14. SAML configuration is now complete.
  15. Refer to the MindTouch documentation to create a Private Application.
  16. When you access the Private Application from the client machine, you are prompted to enter an email address. Use the same email address as in the SAML configuration; you are redirected to the AWS IDP to authenticate. After successful authentication, you are redirected back to the Private Application page.
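As an added example (not Skyhigh's or AWS's code), this Python function reads an IdP metadata file like the one downloaded from IAM Identity Center and extracts the three values the Prerequisites list asks for: the IdP entity ID, the IdP URL, and the signing certificate, rewritten in the .pem form the Identity Provider Certificate upload accepts. The metadata, URLs and certificate body are constructed placeholders.

```python
# Added example, not Skyhigh's or AWS's code: extract IdP entity ID, SSO URL and signing
# certificate(s) from SAML IdP metadata and emit the certificate as PEM.
import textwrap
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed metadata; the X509Certificate body is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor WantAuthnRequestsSigned="false">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.com/sso/post"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/sso/redirect"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def idp_settings_from_metadata(xml_text, binding=REDIRECT):
    """Return the entity ID, the SSO URL for the requested binding, and signing certs as PEM."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: not an IdP metadata file")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", MD)
           if s.get("Binding") == binding]
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for c in kd.findall(".//ds:X509Certificate", MD):
            body = "".join(c.text.split())  # metadata often wraps or pads the base64
            certs.append("-----BEGIN CERTIFICATE-----\n"
                         + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n")
    return {"idp_entity_id": root.get("entityID"),
            "idp_url": sso[0] if sso else None,
            "certificates": certs}
```

The returned entity ID and URL are the values that must match exactly between the IDP and the Identity Provider Entity ID and SAML Identity Provider URL settings.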
