SAML Authentication Alone or with Location

Last updated
Save as PDF

You can configure SAML authentication alone or add a SAML configuration to a location that has IP range, IPsec, or GRE mapping configured. Skyhigh Web Security Gateway Service uses SAML to authenticate requests received from the IP address ranges or through the IPsec or GRE tunnel configured for the location.

WGCS supports multiple named SAML configurations with or without the location information provided by IP range, IPsec, or GRE mapping.

SAML alone versus SAML with location information

There are some differences between SAML authentication alone and SAML combined with IP range, IPsec, or GRE mapping.

Difference	SAML alone	SAML with location information
Location information	No location information is provided.	Location information is provided by IP range, IPsec, or GRE mapping.
Proxy port	Web requests are sent to dedicated SAML port 8084.	Web requests are sent to HTTP/HTTPS ports 80 and 443.
Logon requirement	Users are prompted to log on using an email address.	No logon is needed.

SAML authentication steps

SAML authentication alone and SAML with IP range, IPsec, or GRE mapping share most authentication steps. Only the initial steps are different.

SAML alone	SAML with location information
WGCS receives a web request on port 8084. WGCS prompts the user for an email address and uses the domain to identify the customer.	WGCS receives a web request on port 80 or 8080. WGCS identifies the customer based on the configured IP ranges or IPsec or GRE source.
Shared SAML authentication steps WGCS looks up the customer's identity provider service. WGCS sends a SAML request to the identity provider. The identity provider authenticates the user and sends the user name and group information in a SAML response to WGCS. WGCS applies the customer's web policy to the user's web request.

SAML alone

SAML with location information

WGCS receives a web request on port 8084.
WGCS prompts the user for an email address and uses the domain to identify the customer.

WGCS receives a web request on port 80 or 8080.
WGCS identifies the customer based on the configured IP ranges or IPsec or GRE source.

Shared SAML authentication steps

WGCS looks up the customer's identity provider service.
WGCS sends a SAML request to the identity provider.
The identity provider authenticates the user and sends the user name and group information in a SAML response to WGCS.
WGCS applies the customer's web policy to the user's web request.