Configure SAML Authentication as Part of Your Web Policy
When Skyhigh Security Service Edge is initially set up, SAML authentication can already be configured so that it is required for users who request web access. You can configure further settings for this authentication as part of your web policy.
During the initial setup, you can, for example, specify the identity service that authentication information is retrieved from. You can create different types or instances of SAML authentication with different services and use them, for example, for web traffic originating from different domains. Each of these instances is also referred to as a SAML configuration.
When you configure further settings for a SAML configuration as part of your web policy, you can, for example, specify when SAML authentication is not required for users. To do this, you work with the rules of the SAML Authentication rule set, which you add to the policy tree.
- On the user interface, select Policy > Web Policy > Policy.
- On the policy tree, expand SAML Authentication, then select SAML Authentication.
- Under SAML Configuration on the right, the currently selected SAML configuration is shown. You can continue configuring settings for this configuration or choose a different one.
If no configuration is available for choosing, click Web Gateway Setup. Under Setup SAML on the page that appears, click New SAML and create a new configuration.
Then return to the SAML Authentication page, choose the new configuration, and continue with configuring settings.
- Under These rules apply to all traffic, leave the default scope, which applies the rules in this rule set to all web traffic, or click Edit and select criteria to limit this scope. You can limit the scope, for example, depending on location or client IP addresses.
Enable or disable the rules that are displayed here as needed to specify when SAML authentication is not applied.
To enable a rule, select the type of web objects that the rule is about, for example, Destination IP addresses.
For each enabled rule, click ... in the same line and fill entries into the list that belongs to it. Lists are available for:
- Domains (Smart Match)
Domain names are specified here in the Smart Match mode.
- Domains (Regex)
Domain names are specified here using Regex terms.
- Destination IP addresses
- URL categories
SAML authentication is skipped if any of the web objects in these lists is involved in a request. For example, when a user requests access to a domain that is in a list, access is granted without requiring SAML authentication for this user.
Because every entry in these lists is an exception to authentication, keep them as narrow as the use case allows. Check in particular that Regex entries are anchored and escape the dot, so that an entry meant for one domain does not also match unrelated hosts that merely contain that string, and that Destination IP address entries cover only the ranges you intend.
- Select Skip if user is already authenticated by MCP or MCS if you want to skip SAML authentication when a user has already been authenticated by one of these methods.
These two other authentication methods are provided by Client Proxy (MCP) and Mobile Cloud Security (MCS), a cloud security product that uses Mobile IPsec.
- When the SAML Authentication Preference feature is shown on the right as in use, you can view its configuration or replace it with a different one.
Click the name of the current configuration to view it, or click Change Configuration to replace it with another one.
You have now configured more settings for an instance or type of SAML authentication, also known as a SAML configuration, as part of your web policy.