Configure End User Single Sign-On settings
The end user single sign-on feature uses a third-party identity provider that authenticates user identity, attributes, and roles against your enterprise directory. End user single sign-on uses the Security Assertion Markup Language 2.0 (SAML 2.0) data format to send messages to and receive responses from your identity provider. All communications between components are secured.
If you already have an identity provider supported by the cloud service, you can configure your provider to authenticate users browsing via the cloud proxy, enabling seamless end-user login.
When end user single sign-on is enabled, end users connecting to the cloud proxy are redirected to your identity provider, if specified in their policy. Once a user has been authenticated against your directory service, they are directed back to the proxy and the appropriate policy is applied. Clients that have authenticated once do not have to re-authenticate for subsequent web browsing sessions during the configured period (see Session timeout).
To configure end user single sign-on:
Steps
Next steps
Once you have completed the setup on this page, you must do the following to complete end user single sign-on activation:
- Add the downloaded SAML metadata file to your identity provider.
- Deploy the root certificate to end users’ machines, using your preferred distribution method such as Group Policy Object (GPO).
- Enable single sign-on for your policies on the Access Control tab.
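Before handing the downloaded metadata to the identity provider, it is worth confirming what the file actually declares. The following Python script is an added example, not the product's own code or tooling: it parses a constructed sample of SAML 2.0 service-provider metadata (the entity ID, hostnames and certificate bytes are placeholders), extracts the entity ID, assertion consumer service endpoints, signing flags and the signing-certificate fingerprint, and flags the two things that matter most at import time: assertions must be required to be signed, and every assertion consumer endpoint must be https. The fingerprint it prints is the value to compare with what the identity provider displays after the import.

```python
"""Inspect SAML 2.0 SP metadata before importing it into an identity provider.

Added example, not the product's own code. The metadata, hostnames and
certificate bytes below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Stands in for a DER-encoded certificate (constructed; not a real X.509 object).
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real certificate"

# Constructed sample SP metadata, shaped like the file a proxy would export.
# The second ACS endpoint is deliberately plain http so the review catches it.
SAMPLE_SP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://proxy.example.test/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://proxy.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://proxy.example.test/saml/acs-legacy"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der_bytes: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most IdP consoles display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an administrator should confirm before importing."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "default": e.get("isDefault") == "true"}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a "use" attribute serves both purposes.
        use = kd.get("use") or "signing and encryption"
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append({"use": use, "sha256": sha256_fingerprint(der)})
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": acs,
        "certificates": certs,
    }


def review(report: dict) -> list:
    """Return the findings a reviewer would raise; an empty list means nothing to fix."""
    findings = []
    if not (report["entity_id"] or "").startswith("https://"):
        findings.append("entityID is not an https URL")
    if not report["want_assertions_signed"]:
        findings.append("WantAssertionsSigned is not true: unsigned assertions could be accepted")
    for endpoint in report["acs"]:
        if not (endpoint["location"] or "").startswith("https://"):
            findings.append(f"ACS endpoint {endpoint['location']} is not https")
    if not any("signing" in c["use"] for c in report["certificates"]):
        findings.append("no signing certificate in metadata")
    return findings


if __name__ == "__main__":
    report = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", report["entity_id"])
    for cert in report["certificates"]:
        print(f"{cert['use']} certificate SHA-256: {cert['sha256']}")
    for finding in review(report):
        print("FINDING:", finding)
```

Run it against the real export by replacing SAMPLE_SP_METADATA with the file contents; the script never contacts the identity provider, so it can be run on an administrator's workstation before any import is made.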