This article explains how to configure a new SaaS application (SAML IdP) in the Safous ZTA environment.
The Safous ZTA service has a unique feature that lets customers create an authentication federation across all IdPs integrated with the service. This feature is called the SaaS App and essentially acts as the SAML IdP when conducting Single Sign-On (SSO) with service providers. It is also useful for connecting to SaaS applications, enabling a straightforward SaaS SSO setup that uses the Safous ZTA IdP as the sole IdP for the SSO.
To create a SaaS application, you need administrator privileges to configure your environment, including adding applications. Please refer to the following knowledge base article about access: Login to Admin Portal
To open the SaaS applications page:
- Go to Settings > ZTNA.
- In Applications, choose SaaS.
Several columns and buttons will appear as follows:
(1) New SaaS button: Create a new SaaS application.
(2) Search field: Search for a SaaS application by its name.
(3) Status: Shows the status of the application. Can be toggled on (enabled) or off (disabled).
(4) Name: Shows the name of the SaaS application.
(5) ACS URL: Shows the SP's ACS URL configured for the SaaS application.
(6) Category: Shows the categories associated with the applications.
(7) Expand/Shrink button: A '+' button to expand and a '–' button to shrink the SaaS application's detailed information.
Clicking the + button will show several configuration parameters as follows:
(1) Edit button: Allows modification of the SaaS application's configuration.
(2) Delete button: Deletes the application.
The following parameters also need to be defined during a new SaaS application registration:
(3) Name: Name of the SaaS application.
(4) Site: The list of sites where the application is published. Select only the sites that can reach the application's address.
(5) Domain: Tenant's domain.
(6) ACS URL: ACS URL provided by the service provider (must use HTTPS protocol).
(7) Entity ID: Entity ID of the service provider. Can accept URN and URL.
(8) Relay State: The value for Relay State to the Service Provider. Can accept URL or hashed values.
(9) Encrypt SAML Assertion: Control whether the SAML assertion sent is to be encrypted or not. If enabled, the service provider's certificate must be provided in the configuration.
(10) Visible: Control whether the application should be visible in the user portal or not.
- If toggled on, the user can see, click, and access the application from the user portal.
- If toggled off, the user cannot see or click the application on the user portal, but it can still be accessed by entering the access URL in a browser.
(11) Icon Upload button: Upload an icon image from the local drive.
(12) Icon Image: Icon for the application. By default, it will automatically use the favicon of the ACS URL; otherwise, no icon. It can be changed by uploading an icon from the local drive.
(13) Allow IDP-Initiated Flow: Controls whether the user can log in to the application directly when accessing it from the user portal.
(14) Use URI suffix as relay state parameter: Controls whether the URI suffix is used as the relay state parameter.
(15) Category: Select the list of categories to associate with the application.
(16) Policies (Condition and Action): Define the policy to be applied to the application.
- Accounts: Define the entities (accounts) to which the policy applies.
- Condition: Select the access condition that should apply to the policy from the list of available conditions.
- Action: Select the configuration that should apply to the policy for the SaaS application from the list of available actions.
(17) Status: Set the status of the policy. Toggle on to enable, toggle off to disable.
(18) Identity Provider Info: A set of IdP-side SAML information that needs to be configured on the Service Provider's side.
- SSO URL: The IdP's login URL.
- Metadata: Metadata document of the Safous SaaS application's IdP.
- Issuer: Entity ID of the IdP.
- Certificate: X509 certificate of the IdP.
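As an added example that is not part of this article or of Safous, the following Python script checks a planned SaaS application registration against the field rules listed above (HTTPS ACS URL, URN or URL Entity ID, URL or hashed Relay State, SP certificate required when assertion encryption is on) before the values are entered in the admin portal. The dictionary keys and sample values are assumptions for illustration.

```python
"""Pre-flight checks for a Safous SaaS (SAML IdP) application registration.

Added example, not Safous code: it encodes the field rules the article
states so a planned configuration can be validated before it is entered
in the admin portal. Field names below are assumed, not the portal's own.
"""
import re
from urllib.parse import urlparse

HEX_HASH = re.compile(r"^[0-9a-fA-F]{32,128}$")  # md5 .. sha512 hex digests


def _is_url(value, require_https=False):
    """True for an absolute http(s) URL; optionally insist on https."""
    parts = urlparse(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return parts.scheme == "https" if require_https else True


def _is_urn(value):
    """True for a minimal URN such as urn:example:crm."""
    return value.startswith("urn:") and len(value.split(":")) >= 3


def check_saas_app(cfg):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    if not cfg.get("name"):
        problems.append("name: required")
    if not _is_url(cfg.get("acs_url", ""), require_https=True):
        problems.append("acs_url: must be an HTTPS URL")
    entity_id = cfg.get("entity_id", "")
    if not (_is_url(entity_id) or _is_urn(entity_id)):
        problems.append("entity_id: must be a URL or URN")
    relay = cfg.get("relay_state")
    if relay and not (_is_url(relay) or HEX_HASH.match(relay)):
        problems.append("relay_state: must be a URL or a hashed value")
    if cfg.get("encrypt_assertion") and not cfg.get("sp_certificate"):
        problems.append("sp_certificate: required when encrypt_assertion is on")
    return problems


# Constructed sample registrations (placeholder values, not real tenants)
GOOD = {"name": "Example CRM", "acs_url": "https://crm.example.com/saml/acs",
        "entity_id": "urn:example:crm", "relay_state": "https://crm.example.com/home",
        "encrypt_assertion": True, "sp_certificate": "-----BEGIN CERTIFICATE-----..."}
BAD = {"name": "Example CRM", "acs_url": "http://crm.example.com/saml/acs",
       "entity_id": "crm", "relay_state": "home", "encrypt_assertion": True}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_saas_app(cfg) or "OK")
```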