Skyhigh End User Remediation Flow - SAML Relying Party Configuration - RSA Ready Implementation Guide

This article describes how to integrate Skyhigh End User Remediation Flow with RSA Cloud Authentication Service using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service with a SAML Relying Party.

Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Select Authentication Clients > Relying Parties from the menu at the top of the page.
  3. On the My Relying Parties page, click Add a Relying Party.
  4. In the Relying Party Catalog, click Add for Service Provider SAML.
  5. On the Basic Information page, enter a name for the Service Provider in the Name field.
  6. Click Next Step.
  7. On the Authentication page, select SecurID Access manages all authentication.
  8. From the Primary Authentication Method pulldown, select your preferred login method, either Password or SecurID.
  9. From the Access Policy dropdown list, select a policy that was previously configured.
  10. Click Next Step.
  11. In Connection Profile, make the following changes:
    1. For Data Input Method, choose Enter Manually.
    2. Go to the Service Provider section and enter the following information:

      • ACS URL – Copy and paste the Login URL Endpoint from Skyhigh (refer to the Skyhigh section).
      • Service Provider Entity ID – Copy and paste the Entity ID from Skyhigh (refer to the Skyhigh section).
    3. For Audience for SAML Response, select Default Service Provider Entity ID.
    4. In the Message Protection section, check SP signs SAML Requests and upload the signing certificate downloaded from Skyhigh (refer to the Skyhigh documentation).
    5. For SAML Response Protection, select IDP signs assertion within response, then download the certificate; Skyhigh uses it to validate the assertion signature in the Skyhigh configuration.
    6. In the User Identity field, select Identifier Type as Email Address and Property as Auto Detect.
    7. Copy the Identity Provider Entity ID to be used in the Skyhigh configuration.
    8. Click Save and Finish.
  12. Click Publish Changes.

Configure Skyhigh

Prerequisites

The application must already be integrated with Skyhigh.
Box was used as the test application for this guide. To configure Box, perform the following steps.

Skyhigh Configuration 

  1. Click the Gear icon.
  2. Go to Service Management > Add Service Instance > Select Box > Enable API.
  3. Copy the Security Cloud App ID; it is needed when setting up Box.

Box Configuration 

  1. Log in to the Box account with administrator credentials.
  2. Go to Admin Console > Integrations > Platform Apps Manager and add a new Server Authentication App. Enter the Security Cloud App ID copied earlier as the client ID.

Changes to Policy Settings

  1. Log in to Skyhigh with admin credentials, and go to Policy > Policy Settings > Policy Settings.
  2. Enable end user remediation.

Note: If the End-User Input option is not available, contact Skyhigh support.

Data Storage 

End user remediation requires your own data storage.

  1. Log in to AWS with administrator credentials and create an S3 bucket. Copy the ARN of the bucket and the AWS ID.
  2. In the Data Storage section of Policy Settings, paste the ARN and AWS ID and select the appropriate region.
  3. Test the connection, save it, and contact Skyhigh support to enable it.

DLP Policy and Classification 

  1. Log in to Skyhigh as administrator.
  2. Go to Policy > DLP Policies > Classifications and create a custom classification.
  3. Go to Policy > DLP Policies > Classifications > Actions > Create New Policy.
  4. Create a new policy with deployment type API, Services set to the service instance you created, and rules and responses according to your business requirements.

Procedure 

  1. Log in to your Trellix account and click the Skyhigh Security Cloud icon.
  2. Go to the Gear icon at the top right, then click User Management > SAML Configuration.

    1. Go to the End User tab and enable Single Sign On. Enter the following values:
        1. Identity Provider Issuer URL: Copy and paste the Identity Provider Entity ID from the RSA configuration (refer to the RSA section).
        2. Identity Provider Certificate: Upload the certificate downloaded from the RSA configuration (refer to the RSA section).
        3. Identity Provider Login URL: Use the same value as the Identity Provider Issuer URL.
        4. Signature Algorithm: SHA-256.
        5. SP-initiated Request Binding: HTTP-POST.
    2. Copy the Login URL Endpoint; it is used as the ACS URL on the RSA side.
    3. Copy the Entity ID; it is the Service Provider Entity ID used on the RSA side.
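After both sides are published, the quickest way to confirm that the values pasted between the RSA and Skyhigh consoles (Identity Provider Entity ID, Skyhigh Entity ID, Login URL Endpoint/ACS URL, the downloaded RSA signing certificate, SHA-256 signing, email NameID) actually line up is to decode a SAMLResponse captured from the browser POST to the ACS URL and compare its fields against what was configured. The following checker is an added example, not code from the original page or from RSA or Skyhigh. It uses only the Python standard library; the entity IDs, URLs and certificate bytes are hypothetical placeholders, and the embedded sample response is constructed (its SignatureValue is a dummy), so the script validates structure and identifiers, not the XML signature itself, which the SP's SAML library must still verify.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder for the DER bytes of the certificate downloaded from
# the RSA relying party (SAML Response Protection step). Not a real certificate.
IDP_CERT_DER = b"constructed-placeholder-for-rsa-idp-certificate-der"

# Hypothetical values as copied between the two consoles.
EXPECTED = {
    "idp_entity_id": "https://idp.example.com/rsa/saml",     # Identity Provider Entity ID (RSA)
    "sp_entity_id": "https://skyhigh.example.com/saml/sp",   # Entity ID (Skyhigh)
    "acs_url": "https://skyhigh.example.com/saml/acs",       # Login URL Endpoint (Skyhigh)
    "idp_cert_sha256": hashlib.sha256(IDP_CERT_DER).hexdigest(),
}


def sample_response(audience=EXPECTED["sp_entity_id"], sig_alg=RSA_SHA256,
                    cert_der=IDP_CERT_DER, signed=True):
    """Build a constructed, base64-encoded SAML Response like the one posted
    to the ACS URL. The Signature carries a dummy SignatureValue."""
    signature = ""
    if signed:
        signature = f"""
      <ds:Signature xmlns:ds="{NS['ds']}">
        <ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>
        <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(cert_der).decode()}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </ds:Signature>"""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{EXPECTED['acs_url']}">
  <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{EXPECTED['idp_entity_id']}</saml:Issuer>{signature}
    <saml:Subject>
      <saml:NameID Format="{NAMEID_EMAIL}">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED['acs_url']}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def check_saml_response(b64_response, expected):
    """Return a list of mismatches between a posted SAMLResponse and the values
    configured in the RSA and Skyhigh consoles. An empty list means consistent."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []

    def text(node, path):
        found = node.find(path, NS)
        return found.text.strip() if found is not None and found.text else None

    if root.get("Destination") != expected["acs_url"]:
        findings.append("Destination is not the Skyhigh Login URL Endpoint (ACS URL)")
    if text(root, "saml:Issuer") != expected["idp_entity_id"]:
        findings.append("Response Issuer does not match the Identity Provider Entity ID")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        findings.append("Status is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no Assertion in response"]
    if text(assertion, "saml:Issuer") != expected["idp_entity_id"]:
        findings.append("Assertion Issuer does not match the Identity Provider Entity ID")

    # "IDP signs assertion within response": the Signature must sit inside the Assertion.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        findings.append("Assertion is not signed (expected 'IDP signs assertion within response')")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != RSA_SHA256:
            findings.append(f"SignatureMethod {alg!r} is not RSA-SHA256")
        cert_b64 = text(sig, "ds:KeyInfo/ds:X509Data/ds:X509Certificate")
        if cert_b64 is None:
            findings.append("no signing certificate embedded in KeyInfo")
        elif hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() != expected["idp_cert_sha256"]:
            findings.append("embedded signing certificate does not match the downloaded RSA certificate")

    if text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience") != expected["sp_entity_id"]:
        findings.append("Audience does not match the Skyhigh Entity ID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_EMAIL:
        findings.append("NameID Format is not emailAddress")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        findings.append("SubjectConfirmationData Recipient is not the ACS URL")
    return findings


if __name__ == "__main__":
    for finding in check_saml_response(sample_response(), EXPECTED) or ["configuration consistent"]:
        print(finding)
```

To use it against a real login, replace the call to sample_response() with the SAMLResponse form value captured from the browser's POST to the Skyhigh Login URL Endpoint, and compute idp_cert_sha256 from the DER of the certificate downloaded in the RSA SAML Response Protection step. A mismatch on Audience or Issuer usually means an entity ID was pasted into the wrong field; a mismatch on the certificate fingerprint means the relying party was re-saved with a new signing key after the certificate was uploaded to Skyhigh.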

    Notes

    • The prerequisites are as of the time this guide was written. For the latest information, refer to the Skyhigh documentation.
    • Box is only one of the applications supported by Skyhigh; it was used here to test the end user remediation integration. For the latest list of supported applications, refer to the Skyhigh documentation.
    • The configurations and screenshots shown for adding service instances and creating policies are for reference only. For the latest configuration information, refer to the Skyhigh documentation.
