Skyhigh Secure Web Gateway (Cloud using Browser Setting) - SAML My Page SSO Configuration - RSA Ready Implementation Guide
a year ago

This article describes how to integrate Skyhigh Secure Web Gateway (Cloud using Browser Setting) with RSA Cloud Authentication Service using My Page SSO.

   

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.

Procedure

  1. Sign in to RSA Cloud Administration Console. 
  2. Enable My Page SSO by accessing the RSA Cloud Administration Console > Access > My Page > Single Sign-On (SSO). Ensure it is enabled and protected using two-factor authentication - Password and Access Policy.
  3. On the Applications > Application Catalog page, click Create From Template.
  4. Click Select for SAML Direct.
  5. On the Basic Information page, choose Cloud.
  6. Enter the name for the application in the Name field and select Next Step.
  7. On the Connection Profile page, choose SP-initiated
  8. In the Connection URL field, enter https://saml.wgcs.skyhigh.cloud/saml.
  9. In the Data Input Method section, choose Enter Manually and provide the following values: 
    1. Assertion Consumer Service(ACS) URL: https://saml.wgcs.skyhigh.cloud/saml
    2. Service Provider Entity IDhttps://saml.wgcs.skyhigh.cloud
    3. Identity Provider Entity ID: Select the default value if not already selected.
    4. Audience for SAML Response: Select the default value if not already selected.
    5. Under the SAML Response Protection subsection of the Message Protection section, select IdP signs assertion within response.
    6. Under User Identity, select Identifier Type as Auto Detect and Property as mail.
    7. Under Statement Attributes, add email and group as attributes.
  10. Click Next Step.
  11. Choose your desired Access Policy for this application and click Next Step.
  12. Make the desired changes to the portal display option and click Next Step.
  13. Make the desired changes to the Fulfillment form and click Next Step.
  14. Click Save and Finish.
  15. Click Publish Changes.
  16. On the My Applications page, click the Edit drop-down icon for the created application and select Export Metadata to download the metadata.

Notes:

  • IdP-initiated flow is not supported for this integration.
  • The group and email values are constant in our configuration. This is done for testing purposes. These attributes can be retrieved from your identity source.

    

Configure Skyhigh Secure Web Gateway (Cloud using Browser Setting)

Perform these steps to configure Skyhigh Secure Web Gateway (Cloud using Browser Setting).
Procedure

  1. Log in to your Trellix account and click Skyhigh security cloud.
  2. Click the settings icon and click Infrastructure > Web Gateway Setup.
  3. Click New SAML in the Setup SAML section.
  4. Click Actions > Import Idp Metadata.
  5. Import the metadata file downloaded from RSA.
  6. Fill in the values and select the checkbox as shown in the following figure.
  7. Add the domain names of the user’s e-mail.

    If the domains added are also present in the other tenants, then Skyhigh will throw an error as these domains identify the Identity provider to be used.
  8. Download the Web Policy Certificate by visiting the following URL.
    https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(Cloud)/Configuring_a_Web_Policy_%E2%80%94_OId_View/Web_Policy_Certificate/Download_the_Skyhigh_Security_Secure_Web_Gateway_Cloud_Certificate_Bundle
    This URL is subject to change. Refer to the latest Skyhigh documentation for Skyhigh Security Secure Web Gateway Cloud Certificate bundle.
  9. Perform the following steps for installing the certificate on your local machine:
    1. Double-click the unzipped .crt file and click Install Certificate.
    2. Choose Current User and click Next.
    3. Select the store as Trusted Root Certification Authorities and click OK.
    4. Click Next and click Finish.
  10. Click Policy > Web Policy > Policy
  11. Select HTTPS Scanning and click the gear icon against HTTPS Connection Options.
  12. Click the three-dots icon against the certificate name and export it. Rename the file to .crt type and install the certificate on your machine by following the process mentioned in the preceding steps.
  13. (Optional) Navigate to Policy > Web Policy > Policy > Global Block > Global Block Lists and add the URLs that need to be blocked. These URLs will be blocked even after the user is authenticated by RSA.
  14. Click the settings icon and navigate to Infrastructure > Client Proxy Management > Global Configuration > Tenant Authentication and copy the Customer ID.
  15. Navigate to the proxy settings of your machine and enable the proxy server.
  16. Add the following values:
    • Address: http://c+<Customer ID copied from the previous step>.wgcs.skyhigh.cloud
    • Port: 8084
  17. Add the following exceptions along with your requirements:
    *.trellix.com; *.securid.com;dashboard-us.ui.skyhigh.cloud;webpolicy.cloud.mvision.skyhigh.cloud;*.myshn.net
  18. Click Save.

 

The configuration is complete.

Return to Skyhigh Secure Web Gateway (Cloud using Browser Setting) - RSA Ready Implementation Guide.

    

Related Articles

Trending Articles

Don't see what you're looking for?