Configure an identity provider for single sign-on

To use SAML-based authentication for access control to your private applications, configure a third-party identity provider (IdP) for single sign-on.

Tip: For initial testing purposes, or if SAML-based authentication is not required, you can skip this step. Private application traffic is authenticated by the endpoint client if SAML authentication is not set in your access rules. Note that Mac OS versions of the endpoint client do not supply user identity. SAML authentication is required for users with Mac OS endpoint.

If required by a policy rule, SAML-based authentication is used to authenticate users with the service using your third-party IdP. The user's current authentication status is checked, and if required, a SAML request is forwarded to your configured IdP.

To enable SAML-based authentication:
  1. Add your identity provider on the Administration > Authentication > Identity provider page.
  2. Configure your identity provider for single sign-on to Private Access, using the details on the Identity provider page.
  3. Configure a SAML authentication private application on the Administration > Connectivity > Private applicationspage.
  4. (Cloud Security Gateway only): add a proxy bypass destination for your SAML authentication private application in the Cloud Security Gateway portal.
  5. Enable SAML authentication in your policy rules, and deploy your changes.