Configure End User Single Sign-On settings

The end user single sign-on feature uses a third-party identity provider that authenticates user identity, attributes, and roles against your enterprise directory. End user single sign-on uses the Security Assertion Markup Language 2.0 (SAML 2.0) data format to send messages to and receive responses from your identity provider. All communications between components are secured.

If you already have an identity provider supported by the cloud service, you can configure your provider to authenticate users browsing via the cloud proxy, enabling seamless end-user login.

When end user single sign-on is enabled, end users connecting to the cloud proxy are redirected to your identity provider, if specified in their policy. Once a user has been authenticated against your directory service, they are directed back to the proxy and the appropriate policy is applied. Clients who have authenticated once do not have to re-authenticate for subsequent web browsing sessions for a specified period of time (see Session timeout).

To configure end user single sign-on:

Steps

  1. Go to Web > Settings > End User Single Sign-on.
  2. Mark Use identity provider for single sign-on.
  3. For customers new to end user single sign-on, the Identity provider entry displays SAML 2.0 Compliant Identity Provider and cannot be changed.
    For customers who had configured end user single sign-on prior to the introduction of the SAML 2.0 Compliant Identity Provider option, the previously selected identity provider is displayed and a drop-down list offers the original provider and SAML 2.0 Compliant Identity Provider. The vendor-specific options remain available strictly to support customers already using them. It is recommended that all customers select the generic option.
  4. To enable your identity provider to work with end user single sign-on, you must provide the metadata published by your identity provider product.
    • If you select URL, locate the URL of your identity provider’s metadata and enter it in the field provided.
    • If you select File upload, click Browse to locate the exported metadata file from your identity provider.

      If you have previously uploaded a metadata file, the file name and date and time of upload are displayed on the page.

  5. In order for the cloud proxy to talk to your identity provider, you must upload the cloud service's SAML metadata to your identity provider product. Click the Metadata link to download this data file.
  6. Click the Root Certificate link and save the certificate file to a location on your network.
  7. Click Save.

    When you click Save, the specified metadata source is validated. If it is found to be invalid, the cloud portal displays an error and restores the previous configuration. This means either reverting to the previous metadata source if one was configured, or disabling the Use identity provider for single sign-on checkbox if you are configuring end user single sign-on for the first time.

Next steps

Once you have completed the setup on this page, you must do the following to complete end user single sign-on activation:

  • Add the downloaded SAML metadata file to your identity provider.
  • Deploy the root certificate to end users’ machines, using your preferred distribution method such as Group Policy Object (GPO).
  • Enable single sign-on for your policies on the Access Control tab.
Note: For more information on the end user single sign-on service, including detailed configuration guidance for supported providers, see the End User Single Sign-On Guide on the Support website.