McAfee Enterprise MVISION Cloud

SAML Authentication Alone or with Location

You can configure SAML authentication alone or add a SAML configuration to a location that has IP range, IPsec, or GRE mapping configured. Skyhigh Web Security Gateway Service (WSGS) uses SAML to authenticate requests received from the IP address ranges or through the IPsec or GRE tunnel configured for the location.

WSGS supports multiple named SAML configurations with or without the location information provided by IP range, IPsec, or GRE mapping.

SAML alone versus SAML with location information

There are some differences between SAML authentication alone and SAML combined with IP range, IPsec, or GRE mapping.

| Difference | SAML alone | SAML with location information |
|---|---|---|
| Location information | No location information is provided. | Location information is provided by IP range, IPsec, or GRE mapping. |
| Proxy port | Web requests are sent to dedicated SAML port 8084. | Web requests are sent to HTTP/HTTPS ports 80 and 443. |
| Logon requirement | Users are prompted to log on using an email address. | No logon is needed. |

SAML authentication steps

SAML authentication alone and SAML with IP range, IPsec, or GRE mapping share most authentication steps. Only the initial steps are different.

SAML alone

  1. WSGS receives a web request on port 8084.
  2. WSGS prompts the user for an email address and uses the domain to identify the customer.

SAML with location information

  1. WSGS receives a web request on port 80 or 8080.
  2. WSGS identifies the customer based on the configured IP ranges or IPsec or GRE source.

Shared SAML authentication steps

  1. WSGS looks up the customer's identity provider service.
  2. WSGS sends a SAML request to the identity provider.
  3. The identity provider authenticates the user and sends the user name and group information in a SAML response to WSGS.
  4. WSGS applies the customer's web policy to the user's web request.
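
The initial steps and the identity provider lookup described above can be modelled as a single decision function. This is an added example, not WSGS code: the function name, the customer table, the domains, IP ranges and identity provider URLs are all constructed placeholders, and only IP range mapping is modelled (IPsec and GRE sources are left out).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

SAML_PORT = 8084             # dedicated SAML port named on the page
LOCATION_PORTS = {80, 8080}  # ports given in the "with location" steps on the page

# Constructed sample customers; every value here is a placeholder.
CUSTOMERS = {
    "acme": {"domains": {"acme.example"},
             "ranges": [ipaddress.ip_network("198.51.100.0/24")],
             "idp": "https://idp.acme.example/sso"},
    "globex": {"domains": {"globex.example"},
               "ranges": [ipaddress.ip_network("203.0.113.0/25")],
               "idp": "https://login.globex.example/saml"},
}

@dataclass
class Decision:
    customer: Optional[str]   # None until a customer has been identified
    idp_url: Optional[str]    # where the SAML request would be sent
    prompt_for_email: bool    # True only in the SAML-alone flow before logon
    reason: str

def identify_customer(port: int, source_ip: str, email: Optional[str] = None) -> Decision:
    """Hypothetical model of the customer-identification step, then the IdP lookup."""
    if port == SAML_PORT:
        # SAML alone: no location information, so the user must supply an email.
        if email is None:
            return Decision(None, None, True, "SAML alone: prompt for email address")
        domain = email.rsplit("@", 1)[-1].strip().lower() if "@" in email else ""
        for name, cust in CUSTOMERS.items():
            if domain in cust["domains"]:
                return Decision(name, cust["idp"], False, "matched email domain")
        return Decision(None, None, False, "email domain not mapped to a customer")
    if port in LOCATION_PORTS:
        # SAML with location: the customer comes from the network source, no logon.
        addr = ipaddress.ip_address(source_ip)
        for name, cust in CUSTOMERS.items():
            if any(addr in net for net in cust["ranges"]):
                return Decision(name, cust["idp"], False, "matched configured IP range")
        return Decision(None, None, False, "source not in any configured location")
    return Decision(None, None, False, "port not covered by this model")
```

In both branches the result only selects which identity provider receives the SAML request; the user name and group information still come from the identity provider's SAML response.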
 

 
