Skyhigh End User Remediation Flow - SAML My Page SSO Configuration - RSA Ready Implementation Guide
This article describes how to integrate Skyhigh End User Remediation Flow with RSA Cloud Authentication Service using My Page SSO.
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure
- Navigate to the RSA Cloud Admin Console > Access > My Page > Single Sign-On (SSO), and enable SSO on the MyPage portal.
Note: Ensure that SSO on the MyPage portal is enabled and protected using two-factor authentication, for example with a Password and Access Policy.
- Sign in to the RSA Cloud Administration Console and browse to Applications > Application Catalog.
- Select Create from Template.
- On the Basic Information page, enter the name for the application in the Name field. Then click the Next Step button.
- In the Basic Information section, choose Cloud, then select Next Step.
- In the Connection Profile Section, select IDP-initiated.
- In the Data Input Method section, select Enter Manually and provide the following details:
- In the Service Provider section, for Assertion Consumer Service URL, copy and paste the value from Skyhigh (refer to the Skyhigh section).
- In the Service Provider section, for Service Provider Entity ID, copy and paste the value from Skyhigh (refer to the Skyhigh section).
- In the Message Protection section, select SP signs SAML requests and choose the file downloaded from Skyhigh (refer to the Skyhigh section).
- Select IDP signs assertion within response. Click Download Certificate to download the signing certificate, which will be used in the Skyhigh configuration.
- In the User Identity section, choose Identifier Type as emailAddress and Property as AutoDetect.
- Copy the Identity Provider URL. This will be used in the Skyhigh configuration.
- Leave default value as is, and click Next Step.
- Choose the proper Access Policy for this application and click Next Step.
- Make preferred changes in the Portal Display tab and Fulfillment tab, then click Next Step.
- Click Save and Finish.
- Click Publish Changes.
Configure Skyhigh
Prerequisites
The application should be integrated with Skyhigh.
Box was used for our testing. To configure Box, perform the following steps.
Skyhigh Configuration
- Click the Gear icon.
- Go to Service Management > Add Service Instance > Select Box > Enable API.
- Copy the Security Cloud App ID, which will be used in setting up Box.
Box Configuration
- Log in to the Box account with administrator credentials.
- Go to Admin Console > Integrations > Platform Apps Manager and add a new Server Authentication App. Provide the client ID as the Security Cloud App ID copied earlier.
Changes to Policy Settings
- Log in to Skyhigh with admin credentials, and go to Policy > Policy Settings > Policy Settings.
- Enable end user remediation.
Note: If the End-User Input option is not available, contact Skyhigh support.
Data Storage
End user remediation requires you to use your own data storage.
- Log in to AWS with administrator credentials, and create an S3 bucket. Then copy the ARN of the bucket as well as the AWS ID.
- In the Data Storage section of the Policy Settings, paste the ARN and AWS ID, and select the appropriate region.
- Test the connection, save it, and contact Skyhigh support to enable it.
DLP Policy and Classification
- Log in to Skyhigh as administrator.
- Go to Policy > DLP Policies > Classifications. Then create a custom classification.
- Go to Policy > DLP Policies > Classifications > Actions > Create New Policy.
- Create a new policy with the deployment type set to API, Services set to the service instance you have created, and rules and responses as per the business requirements.
Procedure
- Log in to the Trellix account and click the Skyhigh Security Cloud icon.
- Go to the Gear Icon at the top right, and then click User Management > SAML Configuration.
- Go to the End User tab and enable Single Sign On. Insert the following values:
- Identity Provider Issuer URL: Copy and paste this value from the RSA configuration (refer to the RSA section).
- Identity Provider Certificate: Upload the certificate from the RSA configuration (refer to the RSA section).
- Identity Provider Login URL: This will be the same as the Identity Provider Issuer.
- Signature Algorithm: SHA-256.
- SP-initiated Request Binding: HTTP-POST.
- Copy the Log in URL Endpoint, which will be used as the ACS URL on the RSA side.
- Copy the Entity ID, which is the Service Provider Entity ID to be used on the RSA side.
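The values exchanged between the two consoles (ACS URL, Service Provider Entity ID, Identity Provider Issuer URL, emailAddress identifier, SHA-256 signature on the assertion) can be checked against a decoded SAML response captured during a test login. The following is an added example, not code from RSA or Skyhigh; all URLs are constructed placeholders, it assumes an RSA signing key and the standard emailAddress NameID format URN, and it compares declared values only without verifying the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # assumes an RSA key

# Constructed placeholders; substitute the values copied from each console.
EXPECTED = {"issuer": "https://idp.example.com/idp",
            "acs_url": "https://sp.example.com/saml/login",
            "sp_entity_id": "https://sp.example.com/saml/metadata"}

# Constructed sample response: structure only, signature value omitted.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{EXPECTED['acs_url']}">
  <saml:Assertion>
    <saml:Issuer>{EXPECTED['issuer']}</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{EXPECTED['sp_entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, expected):
    """Return mismatches between a decoded response and the configured values."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]

    def attr_or_text(path, attr=None):
        node = assertion.find(path, NS)
        if node is None:
            return None
        return node.get(attr) if attr else (node.text or "").strip()

    checks = [
        ("Destination (ACS URL)", root.get("Destination"), expected["acs_url"]),
        ("Issuer", attr_or_text("saml:Issuer"), expected["issuer"]),
        ("Audience", attr_or_text("saml:Conditions/saml:AudienceRestriction/saml:Audience"), expected["sp_entity_id"]),
        ("NameID Format", attr_or_text("saml:Subject/saml:NameID", "Format"), EMAIL_FORMAT),
        # The signature must sit inside the Assertion ("IDP signs assertion within response").
        ("Assertion SignatureMethod", attr_or_text("ds:Signature/ds:SignedInfo/ds:SignatureMethod", "Algorithm"), RSA_SHA256),
    ]
    return [f"{n}: got {g!r}, expected {w!r}" for n, g, w in checks if g != w]
```

An empty list means the response matches the configured values; each entry otherwise names the field that was mistyped or left at a different setting in one of the consoles.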
Notes
- Prerequisites are from the time of creating this guide. For the latest information, please refer to the Skyhigh documentation.
- Box is just one of the applications supported by Skyhigh, and we used it to test the integration of end user remediation. For the latest list of applications supported by Skyhigh, please refer to the Skyhigh documentation.
- The configurations and the screenshots presented here for the service instance additions and policy creation are for reference purposes. For the latest information on configuring, please refer to the Skyhigh documentation.