To use the single sign-on (SSO) feature of Secure Access Service Edge (SASE), you must configure an SSO policy in SASE. When a user logs on to an application portal, the user can be authenticated by the SASE identity provider (IdP). This topic describes how to configure a SASE SSO policy.
Prerequisites
You have obtained the redirect URL of your office application (the value of its redirect_uri parameter).
Create a policy
Log on to the SASE console.
In the left-side navigation pane, choose .
On the Single Sign-on page, click Create Policy.
In the Create Policy panel, configure the parameters. The following table describes the parameters.
Parameter
Description
Policy Name
The name of the policy. The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).
Policy Status
The status of the policy. Configure this parameter based on your business requirements. Valid values:
Enabled: The policy takes effect.
Disabled: The policy is not applied. You can re-enable the policy later.
Important: If you set Policy Status to Disabled, SSO for the applications that use this policy fails. Proceed with caution.
API access authorization
The client_id and client_secret that SASE uses for API authorization. API access must be enabled before SSO can be used, and both parameters must be configured.
Important: Keep the client secret confidential. If the client secret is leaked, delete it and create a new client secret to rotate the credential.
Redirect URL
The redirect URL. Set this parameter to the value of the redirect_uri parameter in the URL of the office application, exactly as the application sends it (scheme, host, and path). The URL is added to a whitelist, and after authentication SASE redirects the user only to a whitelisted URL.
Application Configuration
The application configuration information, specified by the following parameters: Issuer, Discovery Endpoint, Authorization Endpoint, Token Endpoint, Public Key Endpoint, and UserInfo Endpoint. When you connect to an IdP, you must configure all of these parameters.
Click OK.
The new policy is displayed in the policy list.
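The following Python script is an added example and is not part of SASE or this documentation. It assumes that the IdP publishes a standard OpenID Connect discovery document (the JSON inside the script is constructed sample data), that the Public Key Endpoint parameter corresponds to the document's jwks_uri, and that the office application's redirect_uri can be read from its authorization request URL; all hostnames are placeholders. It derives the Application Configuration values from the discovery document, rejecting a document whose issuer does not match or whose endpoints are not HTTPS, extracts redirect_uri from the application's request, and checks a redirect URL against the whitelist with an exact match rather than a prefix match.

```python
"""Derive OIDC endpoint values for an SSO policy and validate a redirect URL.

Added example, not part of SASE or its documentation. Assumes a standard
OpenID Connect discovery document and that the policy's Public Key Endpoint
is the document's jwks_uri. All URLs and the JSON below are constructed.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed discovery document, as an IdP would serve it at
# <issuer>/.well-known/openid-configuration (placeholder hostname).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
})

# Constructed authorization request from an office application; its
# redirect_uri parameter is the value the Redirect URL field must whitelist.
SAMPLE_AUTH_REQUEST = (
    "https://app.example.com/login?client_id=office-app&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foidc%2Fcallback"
    "&scope=openid%20profile&state=c3f1a9"
)

# SSO policy parameter name -> discovery-document key
# (the Public Key Endpoint -> jwks_uri mapping is an assumption).
POLICY_FIELDS = {
    "Issuer": "issuer",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "Public Key Endpoint": "jwks_uri",
    "UserInfo Endpoint": "userinfo_endpoint",
}


def policy_fields_from_discovery(doc_json: str, expected_issuer: str) -> dict:
    """Return the Application Configuration values, refusing a document that
    belongs to a different issuer or advertises non-HTTPS endpoints."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != expected_issuer:
        # A mistyped or attacker-controlled discovery URL would hand us the
        # endpoints of another issuer; later token issuer checks depend on this.
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    fields = {}
    for label, key in POLICY_FIELDS.items():
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{key} is not HTTPS: {url}")
        fields[label] = url
    fields["Discovery Endpoint"] = expected_issuer.rstrip("/") + "/.well-known/openid-configuration"
    return fields


def redirect_uri_from_request(auth_request_url: str) -> str:
    """Extract the single redirect_uri value from an authorization request;
    a missing or duplicated parameter is rejected."""
    values = parse_qs(urlsplit(auth_request_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def redirect_url_allowed(candidate: str, whitelist) -> bool:
    """Exact-match check of a redirect URL against the whitelist.

    Prefix or substring matching would accept attacker-chosen hosts such as
    app.example.com.attacker.test or appended query/fragment components, so
    the comparison is a full string match after rejecting non-HTTPS URLs
    and URLs carrying a fragment."""
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.fragment:
        return False
    return candidate in set(whitelist)


if __name__ == "__main__":
    for name, value in policy_fields_from_discovery(SAMPLE_DISCOVERY, "https://idp.example.com").items():
        print(f"{name}: {value}")
    uri = redirect_uri_from_request(SAMPLE_AUTH_REQUEST)
    print("Redirect URL:", uri, "allowed:", redirect_url_allowed(uri, [uri]))
```

Run the script as-is to print the six Application Configuration values and the extracted redirect URL; to use it against a real IdP, replace SAMPLE_DISCOVERY with the body fetched from the IdP's discovery endpoint and paste the printed values into the policy.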
What to do next
After you create an SSO policy in SASE, you must complete the required configuration in the IdP into which your office application is integrated. The configuration varies based on the IdP that you use.
After the configuration is complete, users can log on to the SASE client to access office applications. For more information, see Install and log on to the SASE client.
If you want to control the access permissions of users, you can use the private access feature. For more information, see Add an office application to SASE.
Modify and delete a policy
You can perform the following operations based on your business requirements:
Modify a policy: Find the policy that you want to modify and click Edit in the Actions column. In the Edit panel, view the policy information or modify the configuration.
Delete a policy: Find the policy that you want to delete and click Delete in the Actions column.
Important: After the policy is deleted, users cannot access office applications through it. Proceed with caution.
References
For more information about how to use the SASE client, see Install and log on to the SASE client and Enable or disable network protection for private access.
For more information about the private access feature, including the configurations of networks and office applications, see Configure network settings and Add an office application to SASE.