Configuring Single Sign-On

Before you begin configuring single sign-on on the Cloud App Security management console, make sure that:

  • You have provisioned an Exchange Online, SharePoint Online, or OneDrive service account. For details, see Provisioning Office 365 Services.

  • You are logged on to the management console as a Cloud App Security global administrator.

  1. Go to Administration > Single Sign-On.

    The Single Sign-On screen appears.

  2. Configure the general settings for single sign-on.
    1. Select Enable SSO.
    2. Select the identity provider in Identity Provider.
    3. Specify the service URL you recorded when configuring the identity provider.

      Identity Provider    Service URL
      -----------------    -----------
      Azure AD             Azure AD Premium edition: Login URL
      AD FS                https://example.com/adfs/ls
      Okta                 Identity Provider Single Sign-On URL
      Google Workspace     https://accounts.google.com/o/saml2/initsso?idpid=example1&spid=example2&forceauthn=false
      PingOne              Initiate Single Sign-On URL

      Note (Azure AD): Cloud App Security no longer supports SSO configuration for the Azure AD Free or Basic edition for security reasons.

      Note (Google Workspace): Replace the variables example1 and example2 in the URL.

    4. Specify the application identifier you recorded when configuring the identity provider.

      Identity Provider    Application Identifier
      -----------------    ----------------------
      Azure AD             Azure AD Premium edition: Application ID
      AD FS                Relying party trust identifier
      Okta                 Identity Provider Issuer
      Google Workspace     Entity ID
      PingOne              Issuer ID

      Note (Azure AD): Cloud App Security no longer supports SSO configuration for the Azure AD Free or Basic edition for security reasons.

    5. Locate the Base-64 encoded X.509 certificate file that you recorded in Okta or Google Workspace, downloaded during Azure AD or PingOne configuration, or exported during AD FS configuration, and then copy and paste its content into the text box.

      Note: This field is required for security reasons. Because the Azure AD Free and Basic editions do not support certificates, you cannot configure SSO for these two editions in Cloud App Security.

  3. Click Save.
    Note: After configuring SSO settings, administrators added from your AD infrastructure, Okta organization, Google Workspace, or PingOne can use their AD, Okta, Google Workspace, or PingOne account credentials to single sign on to the management console. For details about how to add a user as an administrator, see Administrator and Role.
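
A pre-flight check for the service URL and certificate text before they are pasted into the Single Sign-On screen, as an added example that is not part of the product or its documentation. The function names are hypothetical, and the https-only and single-certificate rules are assumptions, not documented product behavior.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlparse

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

def check_service_url(url):
    """Return a list of problems found in the service URL (empty list = OK)."""
    problems = []
    parts = urlparse(url.strip())
    # Assumption: the service URL is https, as in every example URL on the page.
    if parts.scheme != "https" or not parts.hostname:
        problems.append("service URL must be an absolute https:// URL")
    # The Google Workspace URL ships with example1/example2 placeholders.
    query = parse_qs(parts.query)
    for key, placeholder in (("idpid", "example1"), ("spid", "example2")):
        if placeholder in query.get(key, []):
            problems.append(f"{key} still holds the placeholder {placeholder}")
    return problems

def certificate_fingerprint(pasted):
    """Validate the pasted certificate text and return its SHA-256 fingerprint."""
    if "PRIVATE KEY" in pasted:
        raise ValueError("private key material found; paste only the certificate")
    blocks = PEM_RE.findall(pasted)
    # Assumption: the text box takes a single certificate, not a chain.
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate block, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    # A DER-encoded certificate is an ASN.1 SEQUENCE: first byte 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER-encoded certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    # Constructed sample: a tiny DER SEQUENCE standing in for a real certificate.
    body = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    url = ("https://accounts.google.com/o/saml2/initsso"
           "?idpid=example1&spid=example2&forceauthn=false")
    print(check_service_url(url))
    print(certificate_fingerprint(pem))
```

Comparing the returned fingerprint with one computed from the identity provider administrator's copy of the certificate confirms that the pasted text is the intended signing certificate.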