Implement SAML user authentication on Web Isolation with Microsoft Entra (Azure)



Article ID: 372710


Updated On: 10-11-2024

Products

Web Isolation Cloud

Issue/Introduction

This article describes the steps to implement SAML user authentication for browsing through Web Isolation, using a Microsoft Entra (Azure) tenant as the identity provider.

Environment

Cloud WI 1.16.X

Resolution

    Web Isolation:

  1. User Management -> SAML Identity Providers
    Create a "New SAML Identity Provider".
    Fill in the "Name" and leave “Use LDAP to autocomplete Access Role member” unchecked.
    Click the "Create" button and Push Settings.

  2. User Management -> SAML Trusts
    Create a new SAML Trust.
    Select the SAML Identity Provider created in step 1 in the “Identity Provider” drop-down menu.
    Set “IdP Type” to “Microsoft AD FS” and tick the “Fill in IdP details later” check box.
    Copy all text under “Service Provider Details -> Show Metadata” to a text file for later reference, then click the “Create” button.
    In the pop-up window “Does Identity Provider Support Importing A Metadata File?” leave “Yes” selected and click the “Export” button. Save “symantec_threat_isolation_metadata.xml” to the local machine; it is uploaded to Entra in step 3.
    Push Settings.

    Microsoft Entra (Azure):

  3. Applications -> Enterprise applications -> All applications

    • Click "New Application", then "Create your own application" in the next view.
      Choose "Integrate any other application you don't find in the gallery (Non-gallery)" and enter a name in the "Create your own application" section.

    • Assign users and groups to the application.
      Include the Entra account you are using for this configuration; it is needed for the test in step 6.

    • Set up single sign-on: "Manage" -> "Single sign-on", choose "SAML".
      In the "SAML-based Sign-on" view click "Upload metadata file" and upload "symantec_threat_isolation_metadata.xml" from step 2.
      Check that "Basic SAML Configuration" has been filled in from that metadata, then add the URL ending in "/samlcallback" for "Sign on URL" and "Relay State":

      Identifier (Entity ID)                          https://support-<myInstanceName>.prod.fire.glass/samlcallback
      Reply URL (Assertion Consumer Service URL)      https://support-<myInstanceName>.prod.fire.glass/samlcallback
      Sign on URL (Optional)                          https://support-<myInstanceName>.prod.fire.glass/samlcallback
      Relay State (Optional)                          https://support-<myInstanceName>.prod.fire.glass/samlcallback
      Logout Url (Optional)                           https://support-<myInstanceName>.prod.fire.glass/samllogoutcallback

    • In section "3 SAML Certificates" click "Download" next to "Federation Metadata XML" and save the file on your PC. It contains the Entra entity ID, sign-on URL and signing certificate that Web Isolation needs in step 4.

    Web Isolation:

  4. User Management -> SAML Trusts
    Edit your SAML Trust and click "Import" in the "IdP Details" section, selecting the Federation Metadata XML downloaded from Microsoft Entra in step 3.
    All fields of the "IdP Details" section should be filled in after this; if any stay empty, the wrong file was selected (for example the SP metadata from step 2).
    Click the "Update" button and Push Settings.

  5. System Configuration -> Gateways
    Edit each TIE gateway, and specify the newly created SAML Trust for the “SAML Authentication” Settings.
    Click the "Update" button and Push Settings.

  6. Policies -> All Policies

    • Edit “My Policy”, tick “Use Authentication” in the "Authentication Settings" section, and set Mode to "Server" and Profile to "SAML Authentication”.
      Click the "Update" button.

    • Add a new rule at the top to “PASS” any user (including unauthenticated users) toward “login.microsoftonline.com” and "aadcdn.msftauth.net".
      Without this rule an unauthenticated user can never reach the Entra sign-in page that the SAML redirect sends them to. Keep the rule limited to these two hostnames so that unauthenticated users get no other destinations.

    • Add a new rule to authenticate users: set the “Identity Provider” to the SAML identity provider created in step 1 and add the user assigned to the application in step 3 as a member.
      Paste the email address, select “user” and add them to the members list.
      Click the "Update" button and Push Settings.

Additional Information

To implement SAML authentication for Web Isolation management users (administrators of the management console, as opposed to the browsing users covered here) with Microsoft Entra (Azure), see KB377427.