Skyhigh Secure Web Gateway (Cloud using Agents) - SAML Relying Party Configuration - RSA Ready Implementation Guide
a year ago

This article describes how to integrate RSA with Skyhigh Secure Web Gateway (Cloud using Agents) using SAML Relying Party.

   

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as a Relying Party to Skyhigh Secure Web Gateway (Cloud using Agents).

Procedure

  1. Sign in to RSA Cloud Administration Console.
  2. Click Authentication Clients > Relying Parties.
  3. On the My Relying Parties page, click the Add a Relying Party.
  4. On the Relying Party Catalog page, click Add for Service Provider SAML.
  5. On the Basic Information page, enter a name for the Service Provider in the Name field and click Next Step.
  6. On the Authentication page, choose SecurID Access manages all authentication.
  7. In the Primary Authentication Method drop-down list, select your desired login method as either Password or SecurID.
  8. In the Access Policy drop-down list, select a policy that was previously configured.
  9. Click Next Step.
  10. On the Connection Profile page, choose Enter Manually and provide the following values:
    1. ACS URLhttps://saml.wgcs.skyhigh.cloud/saml
    2. Service Provider Entity IDhttps://saml.wgcs.skyhigh.cloud
    3. Under the Audience for SAML Response section, select Default Service Provider Entity ID.
    4. Under the Message Protection section, for SAML Response Protection, select Idp signs assertion within response.
    5. Under the User Identity section, select Identifier Type and Property as Auto Detect.
    6. Under the Statements Attributes section, add email as an attribute.
  11. Click Save and Finish.
  12. On the My Relying Parties page, in the Edit drop-down list, select Metadata to download it.
  13. Click Publish Changes.

Note: The email value is constant in our configuration. This is done for testing purposes. These attributes can be retrieved from your identity source.

Configure Skyhigh Secure Web Gateway (Cloud using Agents)

Perform these steps to configure Skyhigh Secure Web Gateway (Cloud using Agents).
Procedure

  1. Log in to your Trellix account and click Skyhigh security cloud.
  2. Click the settings icon and click Infrastructure > Web Gateway Setup.

  3. Click New SAML in the Setup SAML section.
  4. Click Actions Import Idp Metadata.
  5. Import the metadata file downloaded from RSA.
  6. Fill in the following values and select the checkbox. 
    1. Service Provider Entity IDhttps://saml.wgcs.skyhigh.cloud
    2. User ID Attribute in SAML Response: email
    3. Group ID Attribute in SAML Response: memberOf
  7. Add the domain names of the user’s e-mail.

    If the domains added are also present in the other tenants, then Skyhigh will throw an error as these domains identify the Identity provider to be used. 
  8. Download the Web Policy Certificate by visiting the following URL.
    https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(Cloud)/Configuring_a_Web_Policy_%E2%80%94_OId_View/Web_Policy_Certificate/Download_the_Skyhigh_Security_Secure_Web_Gateway_Cloud_Certificate_Bundle
    This URL is subject to change. Refer to the latest Skyhigh documentation for Skyhigh Security Secure Web Gateway Cloud Certificate bundle.
  9. Perform the following steps for installing the certificate on your local machine:
      1. Double-click the unzipped .crt file and click Install Certificate.
      2. Choose Current User and click Next.
      3. Select the store as Trusted Root Certification Authorities and click OK.

      4. Click Next and click Finish.
  10. Click Policy Web Policy > Policy.

  11. Select HTTPS Scanning and click the gear icon against HTTPS Connection Options.
  12. Click the three-dots icon against the certificate name and export it. Rename the file to .crt type and install the certificate on your machine by following the process mentioned in the preceding steps.

  13. (Optional) Navigate to Policy > Web Policy > Policy Global Block > Global Block Lists and add the URLs that need to be blocked. These URLs will be blocked even after the user is authenticated by RSA.

  14. Click the gear icon, navigate to Infrastructure > Web Gateway Setup > Get SCP > Manage SCP, and select the policy created under Configuration Policies.
  15. Click Proxy Bypass.

  16. Click Bypass all proxies for traffic to these domains and add the following entries with your requirements.
    myshn.net
    webpolicy.cloud.mvision.skyhigh.cloud
    dashboard-us.ui.skyhigh.cloud
    securid.com
    trellix.com
  17. Click OK.

  18. (Optional) To add the processes to the list for Bypassing the proxy, find out the process names from the task manager and add those entries in Bypass all the proxies for traffic from these processes.
  19. Click Save.
  20. Select the Gateway List and create a Gateway if not already created with the following details.
      1. Gateway Hostname: c<CustomerID>.wgcs.skyhigh.cloud
      2. Listening Port: 8080
  21. Navigate to Policy > Web Policy > Policy SAML Authentication.
  22. Click the gear icon and select the SAML configuration.
  23. Select custom SAML Authentication Preference if one is created.
  24. Navigate to SCP Configuration > Configuration Policies and select your policy.
  25. Click Actions Export Bundle.
  26. Unzip the zip file and run the .msi file to install.
  27. Navigate to SCP Configuration > Configuration Policies and select your policy.
  28. Click Actions Export Policy.
  29. Rename the downloaded file to scppolicy.opg and place it in C:\ProgramData\Skyhigh\SCP\Policy\Temp (Program Data is a hidden folder).
  30. Click the Windows Start menu > About Skyhigh client proxy. Connection status should be connected and the Policy Revision number should match the Revision number on the SCP configuration policy.

  

Notes

  • Only SP-initiated flow is supported.
  • Customer ID can be retrieved from SCP Configuration > Global Configuration > Tenant Authentication.
  • By default, the timeout for the proxy using agents is 72000 seconds. To reduce this, select custom SAML Authentication Preference on Web Policy > SAML Authentication > gear icon.

    To create the custom SAML Authentication Preference, navigate to Policy Web Policy > Feature Configuration > SAML Authentication Preference (in the left pane). 

 

The configuration is complete.

Return to Skyhigh Secure Web Gateway (Cloud using Agents) - RSA Ready Implementation Guide.

Related Articles

Trending Articles

Don't see what you're looking for?