You configure and manage single sign-on through the Single Sign On rule set as well as related lists and settings.
The Single Sign On rule set comes with a default configuration that you can use and modify. When you first import and select the rule set, the default configuration opens in the simpler, locked view. You can configure and manage single sign-on using the locked view alone.
To access the more advanced view of the rule set, you unlock the view. Unlocking cannot be undone: if you later find that you prefer the simpler, locked view, you must delete the rule set and import it again.
In the unlocked view of the default configuration, the nested rule sets are arranged and processed in the following order. Unless noted, all rule sets are enabled by default.
- Select Services — Rules in this rule set add services to an internal map that determines whether the current user has access to the requested cloud service. The services are added from default lists that you configure.
- SSO Management — This rule set contains the nested rule sets that manage single sign-on.
- Perform SSO — This rule set contains the rule that processes the logon form.
The SSO Management rule set contains the following nested rule sets. They are arranged and processed in the order shown.
- HTTPS Handling — Rules in this rule set secure all launchpad communication using the HTTPS protocol.
- Launchpad — Rules in this rule set generate the application launchpad and logon page using the Single Sign On module settings.
- OTP Authentication — Rules in this rule set enforce OTP authentication as a secondary authentication method. This rule set is disabled by default.
- Get Login Action — This rule set retrieves information about the connector to the service that the user is requesting. For HTTP services, rule set processing stops. For other services, the rule set checks whether the user has the right to access the requested service.
- Process Common Tasks — This rule set processes common SSO tasks using the Single Sign On module settings. It also contains the rule that blocks access to SSO resources that do not exist.
The Get Login Action rule set contains the following nested rule sets. They are arranged and processed in the order shown.
- Get Attributes on Premise — Rules in this rule set fetch user information from an external LDAP data source for SAML single sign-on. The rule set only applies when Web Gateway is installed and running on premise.
- Get Attributes in the Cloud — This rule set constructs the data needed for SAML single sign-on from the authenticated user name. It only applies when Web Gateway is installed and running in the cloud.
- Perform SAML SSO — This rule set generates a response that contains the user information needed for completing single sign-on to the requested SAML service.
- Perform IceToken SSO — This rule set generates a response that contains the user information needed for completing single sign-on to the requested service using the custom IceToken that Web Gateway provides.