Skyhigh Security

Providing SSO services for HTTP cloud applications

Web Gateway supports many cloud services and applications that use HTTP authentication to log on users with predefined cloud connectors or individual cloud connector templates.

A cloud connector is the configuration that allows Web Gateway to connect to and provide identity and SSO services for an application in the cloud. Web Gateway also provides a generic HTTP connector template, which can be configured for any cloud application that uses HTTP but is not included in the SSO Catalog.

Before configuring a connector to an HTTP application, look up the application in the SSO Catalog. Predefined HTTP connectors come fully configured and only need selecting from the catalog. If the connector you want does not exist in the Predefined connectors or Custom connectors lists, you can create it from a template.

Most templates are partially configured connectors to specific cloud applications. If no template exists for your HTTP application, select the Generic HTTP Connector template. The generic HTTP template lets you configure connectors to HTTP applications that Web Gateway does not support with predefined connectors or connector templates.

By adding JavaScript to the logon page, Web Gateway supports single sign-on to dynamic HTTP applications, such as Dropbox, that provide logon page information dynamically. Before the logon page can be changed, the SSO process must be running in proxy mode. In proxy mode, Web Gateway hides the real password from the client computer by replacing it with a token.

NOTE: Single sign-on to HTTP applications that are not dynamic can be implemented in proxy or non-proxy mode.

The SSO credential model for HTTP cloud applications

The SSO credential model for HTTP cloud services and applications supports individual users who have more than one account in a cloud service or application. It also supports shared accounts, where multiple users can access one or more cloud services or applications using the same credentials.

The following credential information is passed to most SSO properties and events:

  • Realm — Specifies the name of the domain in which the current user is authenticated. The authentication domain can be an identity store, such as LDAP or Active Directory, or an authentication service.
  • User ID — Identifies the current user. By default, the User ID has the same value as the Authentication.UserName property. You can change the default value by mapping a different authentication attribute to the User ID.
  • Service ID — Identifies a cloud service or application.
  • Account ID — Identifies an individual or shared account in the cloud service or application.

Individual users are organized under realms or authentication domains. Users in an authentication domain are associated with one or more lists of cloud services or applications that they are allowed to access. For each cloud service or application, each user can have one or more accounts. The accounts can be individual accounts or shared.
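
The following Python sketch is an added illustration, not Web Gateway code: it models the credential lookup by realm, user ID, service ID and account ID described above, together with the proxy-mode behaviour of giving the client a token in place of the real password. The form field names, token format, single-use rule and sample accounts are assumptions constructed for the example.

```python
import secrets
from urllib.parse import parse_qsl, urlencode

# Constructed credential store: (realm, service_id, account_id) -> account.
# An account with several entries in "users" is a shared account.
ACCOUNTS = {
    ("corp-ad", "cloudapp", "alice-own"): {
        "users": {"alice"}, "login": "alice@example.com", "password": "alice-real-pw"},
    ("corp-ad", "cloudapp", "team-shared"): {
        "users": {"alice", "bob"}, "login": "team@example.com", "password": "team-real-pw"},
}


class TokenGateway:
    """Toy proxy-mode gateway: the client only ever handles tokens."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.tokens = {}  # token -> (realm, user_id, service_id, account_id)

    def lookup(self, realm, user_id, service_id, account_id):
        """Resolve the four credential identifiers to one stored account."""
        account = self.accounts.get((realm, service_id, account_id))
        if account is None or user_id not in account["users"]:
            raise PermissionError("no such account for this user")
        return account

    def logon_form(self, realm, user_id, service_id, account_id):
        """Form body sent to the client: real logon name, token as password."""
        account = self.lookup(realm, user_id, service_id, account_id)
        token = "tok-" + secrets.token_urlsafe(16)  # assumed token format
        self.tokens[token] = (realm, user_id, service_id, account_id)
        return urlencode({"username": account["login"], "password": token})

    def forward(self, realm, user_id, body):
        """Rewrite the client's POST body before it leaves for the cloud app."""
        fields = dict(parse_qsl(body))
        # Assumed rule: a token is consumed on first use, so a replay fails.
        binding = self.tokens.pop(fields.get("password", ""), None)
        if binding is None or binding[:2] != (realm, user_id):
            raise PermissionError("unknown token or token issued to another user")
        fields["password"] = self.lookup(*binding)["password"]
        return urlencode(fields)
```

Because the swap happens only in `forward`, the real password exists on the gateway-to-application leg and never in anything the client computer receives or submits.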

Configure an HTTP cloud connector

Configure a connector to an HTTP service or application using a template.

Task

  1. Select Policy | Lists.
  2. In the Lists tree, expand System Lists | SSO Catalog, then click Custom connectors.
  3. Click the Add icon.
    The Add Connector dialog box opens.
  4. Provide values for the fields and settings common to all cloud connectors.
  5. From the Template drop-down list, select the template corresponding to the HTTP service.
  6. In the Application Domain Name field, specify the domain name of your instance of the HTTP service or application.
    Example: If your service URL is https://myorg.cloudapp.com, myorg is the name of your application domain.
  7. Click OK.
    The newly configured HTTP connector is added to the SSO Catalog | Custom connectors list.

Configure a generic HTTP cloud connector

Configure a generic HTTP cloud connector when you want to connect to an HTTP service that Web Gateway does not support with an individual connector.

Task

  1. Select Policy | Lists.
  2. In the Lists tree, expand System Lists | SSO Catalog, then click Custom connectors.
  3. Click the Add icon.
    The Add Connector dialog box opens.
  4. Provide values for the fields and settings common to all connectors.
  5. From the Template drop-down list, select Generic HTTP Connector.
  6. To configure a connector to a dynamic HTTP cloud service, select Dynamic service.
  7. From the drop-down list, select the HTTP method that specifies how the form is sent.
  8. In the https:// field, specify where to send the form in URL format.
  9. For each attribute sent in the form, configure one form field.
  10. For each form field whose source is the credential store, configure one launchpad field.
  11. (Optional) Configure one or more logon pages.

NOTE: Dynamic HTTP cloud services require one logon page. Some cloud services require more than one logon page.

  12. (Optional) Configure the fields on the logon page.

NOTE: You only need to configure the logon fields when they are different from the form fields.

  13. To configure another generic HTTP connector, click New Sign On Request.
  14. To save the HTTP connector configuration, click OK.

The newly configured generic HTTP connector is added to the SSO Catalog | Custom connectors list.
