Upload a certificate and key

1. Select Use Uploaded Certificate and Key.

2. In the Certificate field, click Browse; locate the file to upload.

   Note	The Web Proxy uses the first certificate or key in the file. The certificate file must be in PEM format. DER format is not supported.

3. In the Key field, click Browse; locate the file to upload.

   If the key is encrypted, select Key is Encrypted.

   Note	The key length must be 512, 1024, or 2048 bits. The private key file must be in PEM format. DER format is not supported.

4. Click Upload Files.
5. Click Download Certificate to download a copy of the certificate for transfer to the SaaS applications with which the Web Security appliance will communicate.

Generate a certificate and key

1. Select Use Generated Certificate and Key.

2. Click Generate New Certificate and Key.

   1. In the Generate Certificate and Key dialog box, enter the information to display in the signing certificate.

      Note	You can enter any ASCII character except the forward slash ( / ) in the Common Name field.

   2. Click Generate.

3. Click Download Certificate to transfer the certificate to the SaaS applications with which the Web Security appliance will communicate.
4. (Optional) To use a signed certificate, click the Download Certificate Signing Request (DCSR) link to submit a request to a certificate authority (CA). After you receive a signed certificate from the CA, click Browse and navigate to the signed certificate location. Click Upload File. (bug 37984)

Application Name

Enter a name to identify the SaaS application for this policy; each application name must be unique. The Web Security appliance uses the application name to generate a single sign-on URL.

Description

(Optional) Enter a description for this SaaS policy.

Metadata for Service Provider

Configure the metadata that describes the service provider referenced in this policy. You can either describe the service provider properties manually or upload a metadata file provided by the SaaS application.

The Web Security appliance uses the metadata to determine how to communicate with the SaaS application (service provider) using SAML. Contact the SaaS application to learn the correct settings to configure the metadata.

Configure Keys Manually – If you select this option, provide the following:

• Service Provider Entity ID. Enter the text (typically in URI format) the SaaS application uses to identify itself as a service provider.
• Name ID Format. Choose from the drop-down list the format the appliance should use to identify users in the SAML assertion it sends to service providers. The value you enter here must match the corresponding setting configured on the SaaS application.
• Assertion Consumer Service URL. Enter the URL to which the Web Security appliance is to send the SAML assertion it creates. Read the SaaS application documentation to determine the correct URL to use (also known as the login URL).

Import File from Hard Disk – If you select this option, click Browse, locate the file, and then click Import.

User Identification / Authentication for SaaS SSO

Specify how users are identified/authenticated for SaaS single sign-on:

• Always prompt users for their local authentication credentials.
• Prompt users for their local authentication credentials if the Web Proxy obtained their user names transparently.
• Automatically sign in SaaS users using their local authentication credentials.

Choose the authentication realm or sequence the Web Proxy should use to authenticate users accessing this SaaS application. Users must be a member of the authentication realm or authentication sequence to successfully access the SaaS application. If an Identity Services Engine is used for authentication, and LDAP was selected, the realm will be used for the SAML user names and attribute mapping.

SAML User Name Mapping

Specify how the Web Proxy should represent user names to the service provider in the SAML assertion. You can pass the user names as they are used inside your network (No mapping), or you can change the internal user names into a different format using one of the following methods:

• LDAP query. The user names sent to the service provider are based on one or more LDAP query attributes. Enter an expression containing LDAP attribute fields and optional custom text. You must enclose attribute names in angled brackets. You can include any number of attributes. For example, for the LDAP attributes “user” and “domain,” you could enter <user>@<domain>.com.
• Fixed Rule Mapping. The user names sent to the service provider are based on the internal user name with a fixed string added before or after the internal user name. Enter the fixed string in the Expression Name field, with %s either before or after the string to indicate its position in the internal user name.

SAML Attribute Mapping

(Optional) You can provide to the SaaS application additional information about the internal users from the LDAP authentication server if required by the SaaS application. Map each LDAP server attribute to a SAML attribute.

Authentication Context

Choose the authentication mechanism the Web Proxy uses to authenticate its internal users.