Skyhigh Secure Web Gateway (Cloud using Agents) - SAML My Page SSO Configuration - RSA Ready Implementation Guide
a year ago

This article describes how to integrate Skyhigh Secure Web Gateway ((Cloud using Agents) with RSA Cloud Authentication Service using My Page SSO.

   

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.

Procedure

  1. Sign in to RSA Cloud Administration Console. 
  2. Enable My Page SSO by accessing the RSA Cloud Administration Console > Access My Page > Single Sign-On (SSO). Ensure it is enabled and protected using two-factor authentication - Password and Access Policy.
  3. On the Applications Application Catalog page, click Create From Template.
  4. Click Select for SAML Direct.
  5. On the Basic Information page, choose Cloud.
  6. Enter the name for the application in the Name field and select Next Step.
  7. On the Connection Profile page, choose SP-initiated
  8. In the Connection URL field, enter https://saml.wgcs.skyhigh.cloud/saml.
  9. In the Data Input Method section, choose Enter Manually and provide the following values: 
    1. Assertion Consumer Service(ACS) URLhttps://saml.wgcs.skyhigh.cloud/saml
    2. Service Provider Entity IDhttps://saml.wgcs.skyhigh.cloud
    3. Identity Provider Entity ID: Select the default value if not already selected.
    4. Audience for SAML Response: Select the default value if not already selected.
    5. Under the SAML Response Protection subsection of the Message Protection section, select IdP signs assertion within response.
    6. Under User Identity, select Identifier Type as Auto Detect and Property as mail.
    7. Under Statement Attributes, add email as an attribute.
  10. Click Next Step.
  11. Choose your desired Access Policy for this application and click Next Step.
  12. Make the desired changes to the portal display option and click Next Step.
  13. Make the desired changes to the Fulfillment form and click Next Step.
  14. Click Save and Finish.
  15. Click Publish Changes.
  16. On the My Applications page, click the Edit drop-down icon for the created application and select Export Metadata to download the metadata.

     

Notes:

    • IdP-initiated flow is not supported for this integration.
    • The email value is constant in our configuration. This is done for testing purposes. These attributes can be retrieved from your identity source.

  

Configure Skyhigh Secure Web Gateway (Cloud using Agents)

Perform these steps to configure Skyhigh Secure Web Gateway (Cloud using Agents).
Procedure

  1. Log in to your Trellix account and click Skyhigh security cloud.
  2. Click the settings icon and click Infrastructure > Web Gateway Setup.
  3. Click New SAML in the Setup SAML section.
  4. Click Actions Import Idp Metadata.
  5. Import the metadata file downloaded from RSA.
  6. Fill in the following values and select the checkbox.
    1. Service Provider Entity IDhttps://saml.wgcs.skyhigh.cloud
    2. User ID Attribute in SAML Response: email
    3. Group ID Attribute in SAML Response: memberOf
  7. Add the domain names of the user’s e-mail.

    If the domains added are also present in the other tenants, then Skyhigh will throw an error as these domains identify the Identity provider to be used. 
  8. Download the Web Policy Certificate by visiting the following URL.
    https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(Cloud)/Configuring_a_Web_Policy_%E2%80%94_OId_View/Web_Policy_Certificate/Download_the_Skyhigh_Security_Secure_Web_Gateway_Cloud_Certificate_Bundle
    This URL is subject to change. Refer to the latest Skyhigh documentation for Skyhigh Security Secure Web Gateway Cloud Certificate bundle.
  9. Perform the following steps for installing the certificate on your local machine:
    1. Double-click the unzipped .crt file and click Install Certificate.
    2. Choose Current User and click Next.
    3. Select the store as Trusted Root Certification Authorities and click OK.
    4. Click Next and click Finish.
  10. Click Policy Web Policy > Policy.
  11. Select HTTPS Scanning and click the gear icon against HTTPS Connection Options.
  12. Click the three-dots icon against the certificate name and export it. Rename the file to .crt type and install the certificate on your machine by following the process mentioned in the preceding steps.
  13. (Optional) Navigate to Policy > Web Policy > Policy Global Block > Global Block Lists and add the URLs that need to be blocked. These URLs will be blocked even after the user is authenticated by RSA.
  14. Click the gear icon, navigate to Infrastructure > Web Gateway Setup > Get SCP > Manage SCP, and select the policy created under Configuration Policies.
  15. Click Proxy Bypass.

  16. Click Bypass all proxies for traffic to these domains and add the following entries with your requirements.
    myshn.net
    webpolicy.cloud.mvision.skyhigh.cloud
    dashboard-us.ui.skyhigh.cloud
    securid.com
    trellix.com
  17. Click OK.

  18. (Optional) To add the processes to the list for Bypassing the proxy, find out the process names from the task manager and add those entries in Bypass all the proxies for traffic from these processes.
  19. Click Save.
  20. Select the Gateway List and create a Gateway if not already created with the following details.
    1. Gateway Hostname: c<CustomerID>.wgcs.skyhigh.cloud
    2. Listening Port: 8080
  21. Navigate to Policy > Web Policy > Policy > SAML Authentication.
  22. Click the gear icon and select the SAML configuration.
  23. Select custom SAML Authentication Preference if one is created.
  24. Navigate to SCP Configuration > Configuration Policies and select your policy.
  25. Click Actions > Export Bundle.
  26. Unzip the zip file and run the .msi file to install.
  27. Navigate to SCP Configuration > Configuration Policies and select your policy.
  28. Click Actions > Export Policy.
  29. Rename the downloaded file to scppolicy.opg and place it in C:\ProgramData\Skyhigh\SCP\Policy\Temp (Program Data is a hidden folder).
  30. Click the Windows Start menu > About Skyhigh client proxy. Connection status should be connected and the Policy Revision number should match the Revision number on the SCP configuration policy.

  

Notes

  • Only SP-initiated flow is supported .
  • Customer ID can be retrieved from SCP Configuration > Global Configuration > Tenant Authentication.
  • By default, the timeout for the proxy using agents is 72000 seconds. To reduce this, select custom SAML Authentication Preference on Web Policy > SAML Authentication > gear icon.

    To create the custom SAML Authentication Preference, navigate to Policy > Web Policy > Feature Configuration > SAML Authentication Preference (in the left pane).
     

 

The configuration is complete.

Return to Skyhigh Secure Web Gateway (Cloud using Agents) - RSA Ready Implementation Guide.

Related Articles

Trending Articles

Don't see what you're looking for?