Skyhigh Security

SAML Authentication — Require SAML Authentication and Configure Exceptions

You can configure exceptions to the requirement that users who request web access authenticate using SAML. For example, you can configure SAML authentication to be skipped when access to particular domains is requested, or for users who have already been authenticated using another authentication method.

  1. On the user interface for Secure Web Gateway, select Policy > Web Policy > Policy.
  2. On the policy tree in the navigation panel, expand SAML Authentication and select SAML Authentication.

    The selected rule set appears in the configuration area on the right. 

  3. Configure when this rule set should apply.

    • Under Criteria, leave the default All traffic, as you want the rules in this rule set to apply to all types of web traffic.

    • Next to Applies to, leave the default Request, as you want the rules in this rule set to be processed in the request cycle of web filtering on Secure Web Gateway.


  4. Click the settings icon to configure settings for this rule set in a panel that is inserted on the right. The settings that are currently in use are shown as selected on the panel.

    When configuring these settings, you can select a SAML configuration with parameters for the authentication process. You can also configure how to handle requests if the client IP address cannot be retrieved for the authentication process or no cookies can be set.

  5. To allow requests for accessing some websites to skip SAML authentication, configure lists for the rules that are preset here for this purpose. They are shown under Preset Rules.

    Click the three dots at the end of the line for a rule or the rule name, which is marked in blue, then work with the options for list handling that are provided.

    SAML authentication is skipped for the items that you enter in the lists. You can skip SAML authentication for requests to access:

    • Domains (specified by SmartMatch terms)

    • Domains (specified by Regex terms)

    • Destination IP addresses

    • URL categories


  6. Enable or disable the rule for skipping authentication if a user is already authenticated by Skyhigh Client Proxy (SCP) or Mobile Cloud Security (MCS).


To enable or disable the complete rule set, use the On/Off toggles.

The filtering process will now follow what you have configured for SAML authentication.
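Because every entry in the Regex domain list in step 5 exempts matching requests from SAML authentication, it is worth checking a candidate term against look-alike host names before adding it. The following script is an added example, not Skyhigh code: the host names are constructed, and it assumes Python's `re` engine and unanchored (search) matching as a conservative stand-in for how the product evaluates Regex terms, which may differ.

```python
import re

# Constructed sample hosts (not from the product documentation).
SHOULD_SKIP = ["example.com", "login.example.com"]
MUST_AUTHENTICATE = [
    "example.com.attacker.test",   # intended domain used as a prefix
    "notexample.com",              # intended domain used as a suffix
    "examplexcom.test",            # an unescaped dot matches any character
    "unrelated.test",
]

def audit_entry(pattern):
    """Report which hosts a candidate skip-list regex would match.

    Uses re.search (unanchored) as the conservative assumption: an entry
    that is tight under search is also tight under full-match evaluation.
    """
    try:
        rx = re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        return {"pattern": pattern, "valid": False, "error": str(exc)}
    # Hosts that were meant to skip authentication but do not match.
    missed = [h for h in SHOULD_SKIP if not rx.search(h)]
    # Hosts that would skip authentication although they should not.
    overmatch = [h for h in MUST_AUTHENTICATE if rx.search(h)]
    return {
        "pattern": pattern,
        "valid": True,
        "missed": missed,
        "overmatch": overmatch,
        "ok": not missed and not overmatch,
    }

# Hypothetical candidate entries for the Regex domain list.
CANDIDATES = [
    "example.com",                     # unanchored, unescaped dot
    r"example\.com$",                  # anchored at the end only
    r"^([a-z0-9-]+\.)*example\.com$",  # anchored at both ends, dots escaped
]

if __name__ == "__main__":
    for entry in CANDIDATES:
        print(audit_entry(entry))
```

Only the third candidate reports `ok`; the first two would also exempt hosts that merely contain or end with the intended domain string.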
