
Secure Access Service Edge: Configure a SASE SSO policy

Last Updated: Mar 31, 2026

Configure a single sign-on (SSO) policy in Secure Access Service Edge (SASE) to authenticate users through the SASE identity provider (IdP) when they access your application portal.

Prerequisites

Before you begin, ensure that you have:

  • The redirect URL of your office application

Create a policy

  1. Log on to the SASE console.

  2. In the left-side navigation pane, choose Identity Authentication and Management > Single Sign-on.

  3. On the Single Sign-on page, click Create Policy.

  4. In the Create Policy panel, configure the following parameters.

    Parameter | Description
    Policy Name | The name of the policy. Must be 2–100 characters and can contain letters, digits, hyphens (-), and underscores (_).
    Policy Status | The status of the policy. Set to Enabled to activate the policy, or Disabled to deactivate it temporarily. Important: Disabling the policy causes SSO to fail. Proceed with caution.
    API access authorization | The client_id and client_secret values for API authorization. You must enable API access before SSO can work. Important: Keep the client secret confidential. If it is leaked, delete it and create a new one for rotation.
    Redirect URL | The redirect URL of your office application. Set this to the value of the redirect_uri parameter in your application's URL. SASE adds this URL to a whitelist and uses it to initiate logon requests after authentication.
    Application Configuration | The application configuration information specified by the following parameters: Issuer, Discovery Endpoint, Authorization Endpoint, Token Endpoint, Public Key Endpoint, and UserInfo Endpoint. When you connect to an IdP, you must configure these parameters.

  5. Click OK.

    The new policy appears in the policy list.
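
A pre-flight check for the values entered in the Create Policy panel, as an added example that is not part of the SASE documentation: it confirms the policy name rule, that the Redirect URL equals the redirect_uri in the application's URL, and that the IdP's discovery document agrees with the Issuer. Assumptions: the hostnames and client_id are constructed, the Discovery Endpoint is taken to return an OpenID Connect discovery document, the mapping of panel parameters to discovery fields is inferred, "letters" is read as ASCII letters, and the https requirement is an added hardening rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample values: hostnames and client_id are placeholders.
APP_URL = ("https://idp.example.com/oauth2/authorize?response_type=code"
           "&client_id=demo-client"
           "&redirect_uri=https%3A%2F%2Fportal.example.com%2Fsso%2Fcallback")
DISCOVERY = {  # field names from OpenID Connect Discovery 1.0
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
}
# Assumed mapping from the panel's parameter names to discovery fields.
ENDPOINT_FIELDS = {
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "Public Key Endpoint": "jwks_uri",
    "UserInfo Endpoint": "userinfo_endpoint",
}
# 2-100 characters; "letters" is assumed to mean ASCII letters.
POLICY_NAME_RE = re.compile(r"[A-Za-z0-9_-]{2,100}")

def redirect_uri_from(app_url):
    """Return the decoded redirect_uri parameter of the application's URL."""
    values = parse_qs(urlsplit(app_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]

def check_policy(name, redirect_url, app_url, discovery, issuer):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    if not POLICY_NAME_RE.fullmatch(name):
        problems.append("Policy Name: 2-100 letters, digits, '-' or '_'")
    parts = urlsplit(redirect_url)
    # Assumed hardening rule: absolute https URL without a fragment.
    if parts.scheme != "https" or not parts.hostname or parts.fragment:
        problems.append("Redirect URL: not an absolute https URL")
    if redirect_url != redirect_uri_from(app_url):  # strict string comparison
        problems.append("Redirect URL: differs from the app's redirect_uri")
    if discovery.get("issuer") != issuer:
        problems.append("Issuer: differs from the discovery document")
    for label, field in ENDPOINT_FIELDS.items():
        if urlsplit(discovery.get(field) or "").scheme != "https":
            problems.append(f"{label}: missing or not https")
    return problems
```

An empty list from check_policy means the values are consistent with each other; it does not confirm that the policy was saved or that API access is enabled in the console.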

What's next

After creating an SSO policy, complete the required configuration in the IdP that your office application uses. The configuration varies based on the IdP that you use.

After the configuration is complete, users can log on to the SASE client to access office applications. For details on the SASE client, see Install and log on to the SASE client.

To control which users can access specific applications, use the private access feature. For details, see Add an office application to SASE.

Manage policies

Operation | Steps
Modify a policy | Find the policy and click Edit in the Actions column. View or update the configuration in the Edit panel.
Delete a policy | Find the policy and click Delete in the Actions column. Important: Deleting a policy prevents users from accessing office applications. Proceed with caution.
