Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

SaaS Modes of Support

SaaS Application Categories

SaaS applications supported by Skyhigh CASB are divided into three categories: Collaboration Apps, Structured Apps, and Long-tail SaaS Apps.

Collaboration Apps

Office 365 (OneDrive, SharePoint, Teams, Exchange Online), G Suite for Business, Box, Slack.

Structured Apps

Salesforce, ServiceNow, SuccessFactors, Workday, Microsoft Dynamics.

Long-tail Apps

Any app that doesn't fall into one of the two categories above falls into the long-tail SaaS apps category (including any new SaaS application requested by customers). 

Examples: Atlassian Jira and Confluence, GitHub, Smartsheet, etc.

Use Cases

Data Loss Prevention (DLP)

Identify sensitive content uploaded/updated in SaaS application and delete/quarantine, apply classification/DRM, and/or notify users. 

Secure Collaboration

  • Monitors sensitive content shared with unauthorized external users and remove sharing.
  • Monitors unauthorized external users being invited to SaaS application resources and remove access.

Connected Apps

Enforce controls on apps installed in SaaS applications from the online marketplace.

Configuration Audit

Scan configuration settings in SaaS applications and recommend best practices.

Access Control

Block Unmanaged Devices

Block unmanaged devices during sign-in. This use case doesn't require Skyhigh CASB to be inline between user and application. SAML Proxy can be configured to monitor device type during SAML SSO login flow and block the device if it is unmanaged. Customers can set up SAML Proxy on their own by following the documentation. For details, see SAML Proxy Deployment Guide.

Block Specific Activity on Unmanaged Devices

Allow the users to sign-in but block specific activity such as downloads on to unmanaged devices. This requires Skyhigh CASB to be inline between the user's device and application. 

Block Sensitive Data Transfers to Unmanaged Devices

Block any sensitive content being downloaded on to unmanaged devices. This requires Skyhigh CASB to be inline between the user's device and application.

DRM/Classification on Downloads

Protect/classify any sensitive documents being downloaded on to unmanaged devices with DRM/Classification products. This requires Skyhigh CASB to be inline between the user's device and application.


Structured and unstructured data encryption with the ability to leverage keys managed by customers. 

Use Cases and Modes of Support


Use Case
Collaboration Apps
Structured Apps
Long-tail Apps (with APIs)
Long-tail Apps (without APIs)
DLP API API/Reverse Proxy API FW Proxy (SSE)
Secure Collaboration API API API Not Supported
Activity Monitoring and UEBA API API/Reverse Proxy API FW Proxy (SSE)
Connected Apps API API API Not Supported

Configuration Audit

API API API Not Supported
Access Control: Block unmanaged devices SAML Proxy SAML Proxy SAML Proxy SAML Proxy
Access Control: Block specific activity (downloads) on unmanaged devices

Reverse Proxy OR (SAML Proxy + RBI)

Reverse Proxy OR (SAML Proxy + RBI)

SAML Proxy + RBI

SAML Proxy + RBI

Access Control: Block sensitive data downloads to unmanaged devices Reverse Proxy OR (SAML Proxy + RBI) Reverse Proxy OR (SAML Proxy + RBI) Not Supported Not Supported
DRM/Classification on downloads Reverse Proxy Reverse Proxy Not Supported Not Supported
Encryption N/A Reverse Proxy N/A N/A



What is the difference between SAML Proxy and Reverse Proxy?

SAML Proxy doesn't require Skyhigh CASB to proxy the communication between user and application. SAML Proxy only comes into action during SAML SSO sign-in (by configuring IDP to redirect to a custom domain hosted by Skyhigh CASB momentarily) to check the device type being used and completely block access if it is an unmanaged device. Reverse proxy involves Skyhigh CASB being inline between user and application and intercepting all the traffic. 

What if a customer requests a new SaaS application? 

Log a support request with the required information. For more details, see CASB Connect. If the application has APIs, Skyhigh Security prioritizes the roadmap and build API integration. If the application doesn't have APIs, then it is recommended to use FW Proxy (SSE) for DLP and Activity Monitoring (roadmap) use cases. Even if the application has APIs, given that prioritizing API integration and delivering an API-based solution is going to take time, it is recommended for customers to take advantage of FW Proxy (SSE) right away and create a feature enhancement request for an API-based solution in parallel. 

  • Was this article helpful?