Skyhigh Secure Web Gateway (Cloud using Browser Setting) - SAML Relying Party Configuration - RSA Ready Implementation Guide
a year ago

This article describes how to integrate RSA with Skyhigh Secure Web Gateway (Cloud using Browser Setting) using SAML Relying Party.

   

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a Relying Party to Skyhigh Secure Web Gateway (Cloud using Browser Setting).

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click the Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML.
     
  5. On the Basic Information page, enter a name for the Service Provider in the Name field and click Next Step.
  6. On the Authentication page, choose SecurID Access manages all authentication.
  7. In the Primary Authentication Method drop-down list, select your desired login method as either Password or SecurID.
  8. In the Access Policy drop-down list, select a policy that was previously configured.
     
  9. Click Next Step.
  10. On the Connection Profile page, choose Enter Manually and provide the following values:
    1. ACS URLhttps://saml.wgcs.skyhigh.cloud/saml
    2. Service Provider Entity IDhttps://saml.wgcs.skyhigh.cloud
    3. Under the Audience for SAML Response section, select Default Service Provider Entity ID.
    4. Under the Message Protection section, for SAML Response Protection, select Idp signs assertion within response.
    5. Under the User Identity section, select Identifier Type and Property as Auto Detect.
    6. Under the Statements Attributes section, add email and group as the attributes.
  11. Click Save and Finish.
  12. On the My Relying Parties page, in the Edit drop-down list, select Metadata to download it.
  13. Click Publish Changes.

Note: The group and email values are constant in our configuration. This is done for testing purposes. These attributes can be retrieved from your identity source.

    

Configure Skyhigh Secure Web Gateway (Cloud using Browser Setting)

Perform these steps to configure Skyhigh Secure Web Gateway (Cloud using Browser Setting).
Procedure

  1. Log in to your Trellix account and click Skyhigh security cloud.
  2. Click the settings icon and click Infrastructure > Web Gateway Setup.
  3. Click New SAML in the Setup SAML section.
  4. Click Actions Import Idp Metadata.
  5. Import the metadata file downloaded from RSA.
  6. Fill in the values and select the checkbox as shown in the following figure. Copy the Identity Provider Entity ID from the RSA configuration if not auto-populated. This will be the value for SAML Identity Provider URL also.
  7. Add the domain names of the user’s e-mail.

    If the domains added are also present in the other tenants, then Skyhigh will throw an error as these domains identify the Identity provider to be used. 
  8. Download the Web Policy Certificate by visiting the following URL.
    https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(Cloud)/Configuring_a_Web_Policy_%E2%80%94_OId_View/Web_Policy_Certificate/Download_the_Skyhigh_Security_Secure_Web_Gateway_Cloud_Certificate_Bundle
    This URL is subject to change. Refer to the latest Skyhigh documentation for Skyhigh Security Secure Web Gateway Cloud Certificate bundle.
  9. Perform the following steps for installing the certificate on your local machine:
    1. Double-click the unzipped .crt file and click Install Certificate.
    2. Choose Current User and click Next.
    3. Select the store as Trusted Root Certification Authorities and click OK.
  10. Click Next and click Finish.
  11. Click Policy Web Policy > Policy
  12. Select HTTPS Scanning and click the gear icon against HTTPS Connection Options.
  13. Click the three-dots icon against the certificate name and export it. Rename the file to .crt type and install the certificate on your machine by following the process mentioned in the preceding steps.
  14. (Optional) Navigate to Policy > Web Policy > Policy Global Block > Global Block Lists and add the URLs that need to be blocked. These URLs will be blocked even after the user is authenticated by RSA.
  15. Click the settings icon and navigate to Infrastructure Client Proxy Management > Global Configuration > Tenant Authentication and copy the Customer ID.
  16. Navigate to the proxy settings of your machine and enable the proxy server.
  17. Add the following values:
    • Address: http://c+<Customer ID copied from the previous step>.wgcs.skyhigh.cloud
    • Port: 8084
  18. Add the following exceptions along with your requirements:
    *.trellix.com; *.securid.com;dashboard-us.ui.skyhigh.cloud;webpolicy.cloud.mvision.skyhigh.cloud;*.myshn.net
  19. Click Save.

 

The configuration is complete.

Return to Skyhigh Secure Web Gateway (Cloud using Browser Setting) - RSA Ready Implementation Guide.

 

Related Articles

Trending Articles

Don't see what you're looking for?