Configure SAML Authentication for Secure Web Gateway
Use your own Identity Provider and share authentication and identity information with Secure Web Gateway in the form of SAML assertions.
The following information is required to configure SAML authentication:
- Service provider's entity ID
- Identity Provider's entity ID
- URL of your Identity Provider
- Name of attribute that uniquely identifies users
- Name of attribute that lists group memberships
- Certificate to verify signed SAML responses and assertions
- Names of one or more domains that identify your organization
For SAML authentication to succeed, the values you configure for SAML settings must exactly match here and at your Identity Provider service.
You can import a metadata file to fill in the data for your Identity Provider on the configuration page. After filling in the data for your Service Provider, you can export it in a metadata file and import it when configuring the Service Provider data for another instance of SAML authentication settings.
Use either of the two options that are provided under Actions to complete this import or export.
To configure SAML authentication, proceed as follows.
- On the user interface, click the settings icon.
- Select Infrastructure > Web Gateway Setup.
- Under Set Up SAML, click New SAML.
- Provide a name for the SAML configuration, then provide values for these SAML settings:
- Service Provider's Entity ID — Unique identifier assigned to Secure Web Gateway by your organization. The Identity Provider uses this value to identify SAML requests sent by WGCS.
- URL of SAML Identity Provider — Specifies the URL of the SAML service provided by your Identity Provider. Secure Web Gateway redirects SAML requests to this URL. Ask your Identity Provider for the URL.
- Identity Provider Must Sign SAML Response — If your Identity Provider signs the SAML response, select this checkbox. When it's selected, WGCS verifies that all SAML responses are signed by the Identity Provider.
- Identity Provider Must Sign SAML Assertion — If your Identity Provider signs the SAML assertion in the SAML response, select this checkbox. When it's selected, Secure Web Gateway verifies that all SAML assertions are signed by the Identity Provider.
- Identity Provider's Entity ID — Unique identifier assigned to the Identity Provider by your organization. Secure Web Gateway uses this value to identify SAML responses sent by the Identity Provider.
- User ID attribute in SAML response — Specifies the name of the attribute that uniquely identifies the user. Secure Web Gateway uses this setting when it extracts the user ID from the SAML assertion.
- Group ID attribute in SAML response — Specifies the name of the attribute whose value is a list of group names. Secure Web Gateway uses this setting when it extracts group membership information from the SAML assertion. The service uses this information when applying group policies.
- Identity Provider Certificate — Click Upload Certificate, browse for the certificate file provided by your Identity Provider, then click Open. Secure Web Gateway uses this certificate to verify the signatures of SAML responses and assertions signed by the Identity Provider. The supported certificate file types are: .cer, .crt,and .pem.
- Configure a list of domain names, one per line. Secure Web Gateway uses these values to identify your organization.
- Click Save.
The named configuration of settings for SAML authentication is saved.
Depending your IDP you may be asked to input the following information:
- ACS URL — Enter https://saml.wgcs.skyhigh.cloud/saml
- Service Provider Binding or Method — Select the POST method
- Audience — https://saml.wgcs.skyhigh.cloud/saml
- Digest Algorithm — SHA256
- Signature Algorithm — RSA-SHA256
You can publish saved changes to the cloud now or keep working and publish later.