home

Security Service Edge

Mobile Endpoint SecuritySecurity Service Edge
Mobile Endpoint SecuritySecurity Service Edge

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Show Contents

Security Service Edge

Accessing Cloud Applications Through Secure Cloud Workspace

Configure Platform Single Sign-on

  1. Select Administration > System Settings.
  2. From the menu, select Enterprise Authentication.
  3. Under Continuous Authentication Configuration:
    • Click the toggle to enable continuous authentication.
    • Select an Identity Provider from the prompt.
    • Enter a Session Validity Duration to specify the number of minutes for which a session will remain valid.
  4. Under Enterprise Single Sign-On Settings, enter or select the following information:
    • Identity Provider —Select an identity provider from the prompt.
    • Management Console — If enabled, both administrators and non-administrator users can sign in to the Management Console with IdP. This setting must be enabled for non-administrator users to be able to log in with IdP.
    • Relay State — You need this value when you configure SP and IdP settings to point to the Secure Cloud Access IdP proxy.
    • Decryption Client — If enabled, allows decryption clients to decrypt files when the DRM protection model is chosen for a cloud application. Users must authenticate against the provisioned IdP to access files protected with Secure Cloud Access.
  5. Under Enterprise Proxy Authentication, enter or select proxy authentication values:

    • Lookout Proxy Authentication — Enabled by default. Users must log in through the proxy before logging in directly to a cloud application. You cannot disable authentication..

    • Proxy Authentication Method - Choose a method from the prompt, ither Enterprise Single Sign-on or Proxy Header Authentication.

      If you selected Proxy Header Authentication, two additional fields appear.

      • Authentication Header Name

      • Tenant Header Name

      Enter the appropriate user and tenant information.

      Device Trust settings are not honored for non-SSO sign-ins when Proxy Header Authentication is the selected method.

    • Use Automatic User Agent Whitelisting — Click the toggle to enable Secure Cloud Access to automatically detect the user agent type that performs the HTTP request (for example, browser, email client, or crawler). For certain user agents that might not be able to participate in the Proxy Authentication protocol, the HTTP request can proceed without proxy authentication.

    • Whitelisted User Agent Patterns — User agent patterns you include as allowed are included in one of two lists: Default User Agent Allow List and Tenant Allowed User Agent List.

    • When the user agent in the request matches any of the items, the HTTP request can proceed without proxy authentication.

      IMPORTANT You must add the following user agents as part of one or more category lists.

      For this functionAdd these user agent patterns
      Google account sign-ins through the macOS and Windows Mail clients are successful via Secure Cloud Access forward proxy mode 
      .*Mail.*?Darwin Accountsd.*?Darwin CFNetwork.*?Darwin
.*accountsd
.*AddressBookCore.* microsoft.windowscommunicationsapps
      Enable Slack thick apps to be visible through the forward proxy 
      .*Slack.*Electron.?
      Google Chrome Bookmark Sync works for users in Windows and macOS clients 
      Chrome\sWIN.* Chrome\sMAC.*

      Set up policies based on zero trust principles to secure access and data in GitHub.

      Secure Cloud Access detects corporate vs. personal accounts and prevent leakage of sensitive information.

      Add these user agents to avoid proxy authentication of GitHub desktop traffic.

      		 
      .*GitHubDesktop.*
.*Atom.*
.*git\/[.0-9]+.*
      Support the ability to bypass traffic from the Figma desktop app. 
      .*Figma.*
      Support Office 365 thick app functions through the forward proxy. 
      Teams/.*
.*SkyDriveSync.*
.*Office.*
.*Word.*
.*Excel.*
.*OneDrive.*
.*OneAuth.*
.*OneNote.*
.*PowerPoint.*
.*Outlook.*
.*Trident.*
.*Mail.*?Darwin

      Whitelist URLs - Enter one or more URLs allow. Proxy authentication will be bypassed for these URLs.

      You need to allow these URLs to enable access to the proxy when using GSuite as an IdP with an SWG PAC file. You can access the proxy when these URLs are allowed in a MacBook desktop device.

    • https://accounts.google.com/o/saml2/idp
    • https://accounts.google.com/ServiceLogin
    • https://play.google.com/log
    • https://accounts.google.com/_/lookup/accountlookup
    • https://accounts.google.com/_/signin/challenge
    • https://accounts.google.com/InteractiveLogin
    • https://ssl.gstatic.com/accounts/static/_/js
  6. Click Save.

Last updated: November 20, 2024

lookout-footer

Legal Privacy Policy Cookie Policy Transparency Report Compliance Info Compliance Info (Gov)

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.