Skip to main content
Skyhigh Security

Configure SAML Authentication Preference

You can create a new configuration for the SAML Authentication Preference feature with settings that differ from its default settings.

The default settings for this feature are specified in the Default Authentication Preference configuration. They include the use of an authentication method and the time to live (TTL) for cached authentication data.

You can create a new configuration, specify different values for the above settings, and use this configuration with the default SAML Authentication rule set or with any other instance of it.

  1. On the user interface, select Policy > Web Policy > Feature Configuration.
  2. In the Feature Config list, click SAML Authentication Preference to expand it, then select a configuration, for example, Default Authentication Preference.
  3. Click the Actions drop-down list on the right and select Clone and Edit.
    A page for creating a new configuration appears with the settings of the cloned configuration still selected.
  4. In the input field at the top, type a name for the new configuration, for example, Special Authentication Preferences.
    Optionally, click Add under Comments and type a comment on the new configuration in the field that opens.
  5. Specify settings for the new configuration:
    • Authentication preference — Particular authentication method that is to be used when SAML authentication is required
      Select one of the following:
      • IP Surrogate Authentication (strict) — Block a request if the original client IP address is not reported by Client Proxy or Mobile Cloud Security
        When this method is used for SAML authentication, it is required that the IP address of the client that a request for web access was originally submitted from can be verified.

        For this purpose, the IP address must be reported by Client Proxy, also shortly referred to as Client Proxy, or by Mobile Cloud Security, which is a cloud security product that uses Mobile IPsec.

        If the IP address is not reported by either of the two products, SAML authentication fails and the request is blocked.
         
      • IP Surrogate Authentication (relaxed) — Allow every request and try to guess the user name
        The IP surrogate authentication method is used here in a relaxed mode. If no original client IP address can be verified, a request is still allowed to pass through. A guess is then made to provide a user name for this request.
         
      • Cookie Authentication (strict) — Block a request if no cookie can be set
        When this method is used for SAML authentication, the authentication information that is required to allow a request is retrieved using a cookie that was set when a previous request from the same client and user was allowed.

        If no suitable cookie has been set, SAML authentication fails and the request is blocked.
         
      • Cookie Authentication (relaxed) — Allow every request and try to guess the user name
        The cookie authentication method is used here in a relaxed mode. If no suitable cookie has been set, a request is still allowed to pass through. A guess is then made to provide a user name for this request.
         
    • TTL preference — Time to live (in seconds) for cached authentication data
      Type the number of seconds here that you consider appropriate.

      Default: 72000 seconds
       
  6. Click Save.

You have now created a new configuration for the SAML Authentication Preference feature with the name and settings that you specified.

You can use this configuration to replace, for example, the default configuration when you run this feature with the default SAML Authentication rule set.

You can also use it with any other rule set that you create as an instance of this rule set to control the SAML authentication process.

  • Was this article helpful?