Use your own Identity Provider and share authentication and identity information with Skyhigh Web Security Gateway Service (WSGS) in the form of SAML assertions.
To configure SAML authentication, you need the following information:
- Service provider's entity ID
- Identity Provider's entity ID
- URL of your Identity Provider
- Name of attribute that uniquely identifies users
- Name of attribute that lists group memberships
- Certificate to verify signed SAML responses and assertions
- Names of one or more domains that identify your organization
For SAML authentication to succeed, make sure that the values you configure for the following SAML settings exactly match in Skyhigh CASB and in your Identity Provider service.
- Service Provider's Entity ID
- Identity Provider's Entity ID
- User ID attribute in SAML response
- Group ID attribute in SAML response
SAML authentication is mandatory for accessing Private Applications. Once a user has authenticated, that user need not re-authenticate for 12 hours.
- On the Skyhigh CASB navigation bar, click the settings icon.
- From the drop-down list, select Infrastructure | Web Gateway Setup.
- Click New SAML.
- Provide a name for the SAML configuration, then provide values for these SAML settings:
  - Service Provider's Entity ID — Unique identifier assigned to Skyhigh WSGS by your organization. The Identity Provider uses this value to identify SAML requests sent by WSGS.
  - URL of SAML Identity Provider — Specifies the URL of the SAML service provided by your Identity Provider. WSGS redirects SAML requests to this URL. Ask your Identity Provider for the URL.
  - Identity Provider Must Sign SAML Response — If your Identity Provider signs the SAML response, select this checkbox. When it's selected, WSGS verifies that all SAML responses are signed by the Identity Provider.
  - Identity Provider Must Sign SAML Assertion — If your Identity Provider signs the SAML assertion in the SAML response, select this checkbox. When it's selected, WSGS verifies that all SAML assertions are signed by the Identity Provider.
  - Identity Provider's Entity ID — Unique identifier assigned to the Identity Provider by your organization. WSGS uses this value to identify SAML responses sent by the Identity Provider.
  - User ID attribute in SAML response — Specifies the name of the attribute that uniquely identifies the user. WSGS uses this setting when it extracts the user ID from the SAML assertion.
  - Group ID attribute in SAML response — Specifies the name of the attribute whose value is a list of group names. WSGS uses this setting when it extracts group membership information from the SAML assertion. The service uses this information when applying group policies.
  - Identity Provider Certificate — Click Upload Certificate, browse for the certificate file provided by your Identity Provider, then click Open. WSGS uses this certificate to verify the signatures of SAML responses and assertions signed by the Identity Provider. The supported certificate file types are: .cer, .crt, and .pem.
- Configure a list of domain names, one per line. WSGS uses these values to identify your organization.
- Click Save.
The named SAML configuration is saved.
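To see why the entity IDs and attribute names above must match exactly on both sides, the following added example (not Skyhigh's code) applies those settings to a constructed SAML response and reports which setting causes a rejection. The configuration values and the sample response are hypothetical, and cryptographic verification of the signatures is out of scope (it needs an XML-DSig library); only the presence of a Signature element is checked here.

```python
# Added example, not Skyhigh's code: applies this page's SAML settings to a sample response.
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical values for the settings listed above.
CONFIG = {"sp_entity_id": "https://wsgs.example.com/sp",
          "idp_entity_id": "https://idp.example.com/saml",
          "user_id_attr": "uid", "group_id_attr": "memberOf",
          "require_signed_response": True, "require_signed_assertion": True}
# Constructed sample; the empty ds:Signature elements stand in for real signatures.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature/>
 <saml:Assertion>
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature/>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://wsgs.example.com/sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="memberOf"><saml:AttributeValue>finance</saml:AttributeValue>
    <saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, cfg):
    """Return (user_id, groups), or raise ValueError naming the setting that did not match."""
    resp = ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    # "Must sign" checkboxes: reject a response or assertion that carries no signature.
    if cfg["require_signed_response"] and resp.find("ds:Signature", NS) is None:
        raise ValueError("Identity Provider Must Sign SAML Response: no signature")
    if cfg["require_signed_assertion"] and assertion.find("ds:Signature", NS) is None:
        raise ValueError("Identity Provider Must Sign SAML Assertion: no signature")
    # Entity IDs: Issuer must equal the IdP entity ID, Audience must equal the SP entity ID.
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["idp_entity_id"]:
        raise ValueError(f"Identity Provider's Entity ID: got {issuer!r}")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != cfg["sp_entity_id"]:
        raise ValueError(f"Service Provider's Entity ID: got {audience!r}")
    # Attributes: the user ID attribute must appear exactly once; groups are a value list.
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if len(attrs.get(cfg["user_id_attr"], [])) != 1:
        raise ValueError(f"User ID attribute in SAML response: {cfg['user_id_attr']!r} not present once")
    return attrs[cfg["user_id_attr"]][0], attrs.get(cfg["group_id_attr"], [])
```

Changing any one of the hypothetical values in CONFIG (for example the Identity Provider's Entity ID) makes the same response fail with an error naming that setting, which is the mismatch to look for when SAML login stops working.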