Views:
Before you begin configuring single sign-on on the Cloud App Security management console, make sure that:
  • You have granted Cloud App Security access to Exchange Online, SharePoint Online, or OneDrive. For details, see Granting access to Microsoft 365 services.
  • You are logged on to the management console as a Cloud App Security global administrator.

Procedure

  1. Go to AdministrationSingle Sign-On.
    The Single Sign-On screen appears.
  2. Configure the general settings for single sign-on.
    1. Select Enable SSO.
    2. Select the identity provider in Identity Provider.
    3. Specify the service URL you recorded when configuring the identity provider.
      Identity Provider
      Service URL
      Microsoft Entra ID
      Microsoft Entra ID Premium edition: Login URL
      Note
      Note
      Cloud App Security no longer supports SSO configuration for the Azure AD Free or Basic edition for security reasons.
      AD FS
      https://example.com/adfs/ls
      Okta
      Identity Provider Single Sign-On URL
      Google Workspace
      https://accounts.google.com/o/saml2/initsso?idpid=example1&spid=example2&forceauthn=false
      Note
      Note
      Replace the variables example1 and example2 in the URL.
      PingOne
      Initiate Single Sign-On URL
    4. Specify the application identifier you recorded when configuring the identity provider.
      Identity Provider
      Application Identifier
      Microsoft Entra ID
      Microsoft Entra ID Premium edition: Application ID
      Note
      Note
      Cloud App Security no longer supports SSO configuration for the Azure AD Free or Basic edition for security reasons.
      AD FS
      Relying party trust identifier
      Okta
      Identity Provider Issuer
      Google Workspace
      Entity ID
      PingOne
      Issuer ID
    5. Locate the Base-64 encoded X.509 certificate file you recorded in Okta or Google Workspace, downloaded in Microsoft Entra ID or PingOne configuration, or exported in AD FS configuration, and then copy and paste the content in the text box.
      Note
      Note
      This field is required for security reasons. Since the Microsoft Entra ID Free and Basic editions do not support certificates, you are unable to configure SSO for the two editions in Cloud App Security.
  3. Click Save.
    Note
    Note
    After configuring SSO settings, administrators added from your AD infrastructure, Okta organization, Google Workspace, or PingOne can use their AD, Okta, Google Workspace, or PingOne account credentials to single sign on to the management console.