Creating SaaS Application (SAML IdP)

The Safous ZTNA service has a feature that lets a customer build an authentication federation across all IdPs already integrated with the Safous ZTNA service. This feature is called SaaS App: it acts as a SAML IdP when performing SSO with service providers. The same application is also useful for connecting to SaaS applications, enabling straightforward SaaS SSO with the Safous ZTNA IdP as the single IdP for the SSO.

To create a SaaS application, you need admin user privileges to configure your environment, including adding applications. For more information on admin access, please refer to the KB article below:


  1. Log in to https://portal.safous.com
  2. Go to the Settings tab > ZTNA
  3. Under Application, choose SaaS
  4. Click New SaaS; this expands several fields that must be filled in for the new application

    1. Name is a required field and must be unique among your applications
    2. Site is required and defaults to 'all', which you can leave unchanged. For multisite deployments, however, it is recommended to choose the site that matches the application's location
    3. Domain is required; it shows the default domain currently registered for your tenant
    4. ACS URL / Login URL is required. It is the URL endpoint on the service provider (SP) to which the identity provider redirects with its authentication response
    5. Entity ID is required. It is the unique identifier that is the intended audience of the SAML assertion, usually the SP Entity ID of the application as defined in the service provider metadata file under entityID
    6. Relay State is also required. It is a value the SP can send to the IdP together with the authentication request and receive back unchanged; the IdP uses it to tell the SP which URL to redirect to after a successful sign-on
    7. Encrypt SAML Assertion is disabled by default. If you enable it, you must also input the certificate from the SP, because it is used to encrypt the assertion for the SaaS mapping
    8. Visible toggle lets you choose whether the application is shown (green) in the user portal; it is disabled by default
    9. Icon lets you upload a custom logo; if none is uploaded, a default logo is used
    10. Allow IDP-Initiated Flow is enabled by default and is used for a SaaS mapping initiated by the IdP. You can leave this as is
    11. Use URI suffix as relay state parameter is disabled by default. It specifies whether the relay state is treated as relative for the SaaS mapping
  5. Once every field has been filled in and the options chosen, click "Save"
  6. A success notification is shown
  7. Once created, open the application's settings to find the SSO URL, Issuer and Metadata, which are needed for the SAML integration on the SP side
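Steps 4, 5 and 7 above take their values (ACS URL, Entity ID and, when assertion encryption is enabled, the SP certificate) from the service provider's SAML metadata. The following is an added example, not part of the Safous documentation, that extracts those values from an SP metadata file with Python's standard library and refuses a non-HTTPS ACS endpoint; the metadata, hostnames and certificate in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata for illustration; hostnames and certificate are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def extract_sp_settings(metadata_xml: str) -> dict:
    """Return the SP values the New SaaS form asks for, or raise ValueError."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        raise ValueError("metadata has no AssertionConsumerService")
    # Prefer the endpoint the SP marks as default; otherwise take the first listed.
    chosen = next((a for a in acs if a.get("isDefault") == "true"), acs[0])
    acs_url = chosen.get("Location", "")
    # The IdP posts the assertion to this URL, so refuse anything that is not HTTPS.
    if not acs_url.startswith("https://"):
        raise ValueError(f"ACS URL must use HTTPS: {acs_url!r}")
    # Only needed when "Encrypt SAML Assertion" is enabled on the Safous side.
    cert = sp.find("md:KeyDescriptor[@use='encryption']/ds:KeyInfo/ds:X509Data/"
                   "ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs_url,
        "encryption_cert": cert.text.strip() if cert is not None and cert.text else None,
    }
```

The returned entity_id, acs_url and encryption_cert map directly onto the Entity ID, ACS URL / Login URL and SP certificate fields of the form.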


Service Provider Side - Configuration

You can choose any service provider that meets your needs and supports SAML IdP (Identity Provider) integration. To use the Safous ZTNA service as the IdP in your service provider, the service provider side normally presents an input form with the counterparts of the ACS URL, Entity ID and Relay State fields described in the section above:

  1. Fill Entity ID with the Issuer value shown in the Safous SaaS application settings (step 7 of the procedure above)
  2. Fill SSO Service / SAML Endpoint with the SSO URL shown in the Safous SaaS application settings
  3. Fill x509 Certificate with the IdP certificate from the Safous SaaS application, available through its Metadata