At a high level, you configure cloud single sign-on by adding predefined and custom cloud connectors to SSO Connector lists, then associating users with those lists through Web Gateway policies.
SSO tasks require the Single Sign On rule set, which you import from the Rule Set Library. All SSO tasks can be performed using the default rules, settings, and lists visible in the key elements view of this rule set. To view the rules making up the rule set and create rules, settings, and lists of your own, unlock the key elements view.
NOTE: Configuring single sign-on to some cloud services and applications requires configuration on the Service Provider side. Create an account in the Service Provider interface and complete the configuration steps there.
- Configure a method for authenticating users.
- Import the Single Sign On rule set from the rule sets library and configure the rules.
NOTE: The Single Sign On rule set is located in the Cloud Services rule set group. You can configure the rules in the key elements view or click Unlock View to view configuration details and configure rules of your own.
- Configure the Single Sign On settings for the Single Sign On module, which retrieves values and parameters for SSO properties and events in the Single Sign On rule set. This module comes with default settings named Default. In the SSO rules, properties and events that require these settings reference them using the notation <Default>. You can change the default settings or create new settings.
NOTE: To locate these settings, select Policy | Settings | Engines | Single Sign On | Default.
- For single sign-on to SAML and IceToken cloud services, configure an X.509 certificate and private key pair.
NOTE: To locate these settings, select Policy | Settings | Engines, then select SSO Certificates or SSO Private Keys, respectively.
- Using the SSO lists, configure custom cloud connectors from templates and maintain the lists of connectors to the cloud services that users are allowed to access.
- SSO Host to Service ID mapping — (Optional) Lets you map a name that is easy to remember (host name) to the Service ID of a configured custom connector.
NOTE: To locate this list, select Policy | Lists | Custom Lists | MapType.
- SSO Connector — Lets you configure lists of connectors to services that users are allowed to access. You can add connectors to the default lists that come with the SSO service or create and configure lists of your own.
NOTE: To locate the SSO Connector lists, select Policy | Lists | Custom Lists | SSO Connector.
- SSO Catalog — Lets you view the predefined connectors and the custom connectors configured from templates. You can configure new connectors from templates, then view them in the Custom connectors list.
NOTE: To locate the catalog, select Policy | Lists | System Lists.
- We recommend that you secure all launchpad communication with the HTTPS protocol. To do so, configure the Launchpad certificate settings used by the SSL Client Context without CA module, which handles certificates for SSL-secured communication.
NOTE: To locate the Launchpad certificate settings: In the key elements view, locate SSL Scanner settings, then click Edit.
- To secure communication between Web Gateway and all cloud services with the HTTPS protocol, configure the SSL Scanner module settings. This step is required for proxy mode.
- To require OTP authentication for SSO access to cloud services, enable OTP authentication, configure the OTP server settings, select an OTP delivery method, and configure the list of connectors to services that require OTP authentication.
NOTE: To locate these settings: In the key elements view, see the OTP Usage (One Time Passwords) section.
- To log SSO requests to the SSO access log instead of the general access log, enable SSO logging. To enable detailed logging for debugging purposes, enable SSO trace logging.
NOTE: To access these settings, select Policy | Rule Sets | Log Handler, then import the SSO Log rule set from the Logging rule set group in the Rule Set Library.
- Save the changes.
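The certificate step above (an X.509 certificate and private key pair for SAML and IceToken services) is usually the one that trips people up, because a certificate and a key that do not belong together only fail later, when the Service Provider rejects the signed token. The following shell script is an added example, not part of this page or of the Web Gateway product: it generates a self-signed signing certificate and key with OpenSSL, checks that the two match before you upload them under SSO Certificates and SSO Private Keys, and prints the certificate body in the headerless base64 form that most SAML Service Provider consoles ask for. The file names, the subject CN, the output directory and the validity period are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not Web Gateway's own tooling): create and sanity-check an
# X.509 certificate / private key pair for SAML or IceToken token signing.
# Assumptions: file names sso-signing.key / sso-signing.crt, a 3-year validity
# and a CN chosen by the caller are illustrative, not product requirements.
set -eu

# Generate a 2048-bit RSA key and a self-signed certificate for it.
# -nodes leaves the key unencrypted so the gateway can load it; rely on file
# permissions (chmod 600) rather than a passphrase to protect it.
gen_saml_signing_pair() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1095 -nodes \
        -subj "/CN=$cn" \
        -keyout "$dir/sso-signing.key" -out "$dir/sso-signing.crt" \
        >/dev/null 2>&1
    chmod 600 "$dir/sso-signing.key"
}

# Succeed (exit 0) only if the public key embedded in the certificate is
# byte-for-byte the public half of the private key. Upload nothing until
# this passes; a mismatched pair produces signatures no SP will accept.
verify_pair() {
    dir="$1"
    cert_pub=$(openssl x509 -in "$dir/sso-signing.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/sso-signing.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Emit the certificate as a single base64 line without the PEM header and
# footer, which is the form many Service Provider consoles expect when you
# paste the identity provider's signing certificate.
cert_body() {
    sed '/-----/d' "$1/sso-signing.crt" | tr -d '\n'
}

# Show the certificate subject and expiry so the operator can confirm what
# will be uploaded; a simple check against a stale or wrong file.
describe_cert() {
    openssl x509 -in "$1/sso-signing.crt" -noout -subject -enddate
}

if [ "${1:-}" = "run" ]; then
    outdir=${2:-/tmp/sso-signing-demo}
    gen_saml_signing_pair "$outdir" "sso.example.com"
    verify_pair "$outdir" && echo "key and certificate match"
    describe_cert "$outdir"
    cert_body "$outdir"; echo
fi
```

Run it as `sh saml-signing-pair.sh run /path/to/outdir`. Keep the generated .key file on the gateway side only: the Service Provider needs the certificate (public half), never the private key, and a key that leaves the gateway lets anyone holding it mint tokens that the Service Provider will trust.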