Update SP and IdP Settings to Point to Secure Cloud Access IdP Proxy
This step is required to enable SSO logins to flow through the Secure Cloud Access IdP proxy.
- Download the metadata files for the Secure Cloud Access IdP proxy. Download links for the metadata files are listed for the default group on the SSO Groups page. Click the icon to download the files.
For IdPs that provide the same entity ID for all applications, such as Azure, ADFS, SAP IAS, and STA, use the following configurations.
- Use the Default SSO Group metadata for Enterprise Authentication, which includes Management SSO, Decryption Client, and Proxy Authentication.
- Create a new SSO Group for each cloud and use that group's metadata to configure the cloud SSO. When the IdP is ADFS, download the metadata from ADFS and import it into the Management Console: select Administration > Enterprise Integration > Single Sign-On, click the SSO Provider tab, and choose Identity Provider as the Type.
When the IdP is Azure, perform the following steps for each application to configure the same SAML signing certificate and download that application's metadata.
- Sign in to the Azure Active Directory portal (https://aad.portal.azure.com).
- In the left pane, select Enterprise applications. A list of the enterprise applications in your account appears.
- Select the desired application. An overview page for the application appears.
- In the left pane of the application overview page, select Single sign-on.
- If the Select a single sign-on method page appears, select SAML.
- On the Set up Single Sign-On with SAML - Preview page, find the SAML Signing Certificate heading and select the Edit icon. The SAML Signing Certificate page appears, which displays the status (Active or Inactive), expiration date, and thumbprint (a hash of the certificate) of each certificate.
- Select Import Certificate. Upload a PFX file containing the certificate and its private key, enter the PFX Password, and select Add. Use the same PFX file for every application so that the thumbprint shown here is identical across applications.
- Make the newly uploaded certificate active and delete the other certificate(s).
- Click Save.
- Download the Federation Metadata XML file and import it into the Management Console: select Administration > Enterprise Integration > Single Sign-On, click the SSO Provider tab, and choose Identity Provider as the Type.
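Before importing the per-application Azure metadata files, it is worth confirming that the certificate re-import actually took effect in every application. The following Python script is an added example, not code from the product or from this documentation. It parses SAML 2.0 IdP metadata (EntityDescriptor) files, extracts the entityID, the SingleSignOnService endpoints and the SHA-1 thumbprint of each signing certificate (the value Azure displays as the thumbprint), and reports whether all files share one signing certificate and whether they share one entityID, the Azure behaviour described above. The tenant URL, certificate bytes and metadata documents are constructed placeholders; a real Federation Metadata XML file is larger and carries an XML Signature that this check does not verify.

```python
"""Consistency check for downloaded SAML IdP metadata files (added example).

Assumptions not taken from the original page: the files are standard SAML 2.0
EntityDescriptor documents with an IDPSSODescriptor, and the thumbprint shown in
the Azure portal is SHA-1 over the DER-encoded certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints (by binding) and the SHA-1 thumbprint of
    every signing certificate from one IdP EntityDescriptor document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return {"entity_id": root.get("entityID"), "endpoints": endpoints,
            "thumbprints": thumbprints}


def check_metadata_set(files: dict) -> dict:
    """files maps a label (for example 'Cloud1') to that application's metadata XML.
    Reports whether every file carries the same signing certificate (what the
    Azure re-import step is meant to achieve) and whether every file has the
    same entityID (the case that needs one SSO Group per cloud)."""
    parsed = {name: parse_idp_metadata(xml) for name, xml in files.items()}
    thumbs = {t for p in parsed.values() for t in p["thumbprints"]}
    entity_ids = {p["entity_id"] for p in parsed.values()}
    return {
        "single_signing_cert": len(thumbs) == 1,
        "signing_thumbprints": sorted(thumbs),
        "same_entity_id_for_all_apps": len(entity_ids) == 1,
        "per_file": {n: {"entity_id": p["entity_id"], "thumbprints": p["thumbprints"]}
                     for n, p in parsed.items()},
    }


def build_metadata(entity_id: str, cert_b64: str) -> str:
    """Constructed minimal IdP metadata in the shape Azure's Federation Metadata
    XML uses; real files carry many more elements and a Signature block."""
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{entity_id}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="{entity_id}saml2"/>
    <SingleSignOnService Binding="{POST}" Location="{entity_id}saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


# Constructed sample input: a placeholder tenant entityID and two fake "certificates"
# (arbitrary bytes, not real X.509 DER; the check only hashes them).
TENANT = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
CERT_A = base64.b64encode(b"constructed placeholder DER bytes, certificate A").decode()
CERT_B = base64.b64encode(b"constructed placeholder DER bytes, certificate B").decode()

# Two applications where the same PFX was imported, and a set with one that was missed.
CONSISTENT = {"Cloud1": build_metadata(TENANT, CERT_A),
              "Cloud2": build_metadata(TENANT, CERT_A)}
INCONSISTENT = dict(CONSISTENT, Cloud3=build_metadata(TENANT, CERT_B))

if __name__ == "__main__":
    for label, files in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        result = check_metadata_set(files)
        print(label, "single signing cert:", result["single_signing_cert"],
              "thumbprints:", result["signing_thumbprints"])
```

Run it against the real downloaded files by replacing the constructed dictionaries with the file contents; if `single_signing_cert` is false, the listed thumbprints tell you which application still has an old certificate active and needs the import step repeated before you import its metadata.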
- Select the Identity Proxy Routing tab.
- Using the downloaded metadata files, update the SSO setting of your cloud SP so that it points to the Secure Cloud Access IdP proxy instead of to your enterprise IdP.
- The Secure Cloud Access IdP proxy supports both SP-initiated and IdP-initiated SSO flows. SP-initiated SSO for multiple cloud applications is supported by creating only one entity in your enterprise IdP. However, with a single-entity setup, an IdP-initiated SSO flow will not work, because the proxy relies on a per-cloud Relay State value to know which cloud service provider to route the login to. To enable both SP-initiated and IdP-initiated SSO flows, you must create one entity per cloud service provider in your enterprise IdP. Perform one of the following procedures:
- If you need to support only the SP-initiated SSO flow, use the downloaded metadata to create a single entity with a generic name (such as Secure Cloud Access IdP Proxy) that represents all cloud service providers in your enterprise that need SSO.
- If you need to support both SP-initiated and IdP-initiated SSO flows, perform the following steps for each cloud service provider.
- Using the downloaded metadata file, create an entity with a name that indicates which cloud service provider it is for, for example, Cloud1 CASB IdP Proxy.
- Go to the SSO provider you created in the Secure Cloud Access Management Console for that cloud and obtain the Relay State value. For SSO providers that are saved and in use for proxy routing, the label of the Save button at the bottom changes to indicate that the provider is currently in use for proxy routing, and the button is dimmed.
- In your enterprise IdP, add the Relay State value in the Default Relay State/Relay State field in the setup of the entity for this cloud service provider.
- Using the downloaded metadata file, update the SSO setting of your enterprise IdP so that it points to the Secure Cloud Access IdP proxy instead of your cloud SP. Users can now log in to the enterprise IdP and click the entity corresponding to a cloud service provider to start an IdP-initiated SSO login.