How to configure SAML and SCIM for two (or more) separate Cloud SWG tenants using the same IDP provider

Article ID: 382892

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A SAML configuration already exists between one Cloud SWG tenant and the corporate Identity Provider (IDP).

The same customer now needs an additional Cloud SWG tenant to use that same corporate Identity Provider for SAML authentication.

When trying to configure a second Symantec Web Security Service application on the Microsoft Entra IDP side, an error is generated indicating that the Identifier (Entity ID) in the Cloud SWG metadata file is already in use by the 'Symantec Web Security Service (WSS)' application. For example, entering the Entity ID or Assertion Consumer Service URL from the Cloud SWG SAML metadata returns:

"Please enter an identifier which is unique within your organization. Search in Enterprise applications and App registrations for Symantec Web Security Service (WSS), which currently uses this identifier."

How can a Cloud SWG admin integrate the same SAML IDP server with multiple Cloud SWG tenants?

Environment

Cloud SWG.

Multiple tenants for the same organisation.

SAML Authentication.

Cause

The IDP does not allow the same Entity ID (or Assertion Consumer Service URL) to be used by two separate Symantec Web Security Service applications, and every Cloud SWG tenant presents the same SAML service provider metadata.

Resolution

To configure SAML and SCIM for an additional Cloud SWG tenant against a SAML IDP that is already configured for another Cloud SWG tenant, apply the following:

 For the SAML configuration: 

  1. Using the Symantec Web Security Service application that already exists in the IDP, download the Metadata file from its configuration. For more information on the SAML configuration and on exporting the Metadata file, refer to the instructions for each Identity Provider in:

    SAML Authentication and Cloud SWG

  2. Return to the Cloud SWG portal SAML configuration page (Identity > SAML Authentication) and expand the SAML Authentication section.
  3. Select Import Metadata and provide the metadata file from the Identity Provider.

(Alternatively, copy the values manually (Entity ID, Endpoint URL, etc.), including the certificate, from an existing Cloud SWG tenant where SAML has already been configured.)

 

For the SCIM Configuration: 

  1. In the Cloud SWG portal, navigate to Identity > SAML Authentication.
  2. Expand the SCIM Third-Party Users & Groups Sync area.
  3. Click Generate Integration Token.
  4. The portal generates a SCIM URL and integration token that are unique to this tenant.

If SCIM has already been configured for one Cloud SWG tenant, that tenant's SCIM URL and token have already been entered in the existing Symantec Web Security Service application in the Identity Provider. The application configuration has no option for a second token and URL. (For SCIM configuration details specific to each Identity Provider, refer to the documentation linked above.)

In this case, configure a second Symantec Web Security Service application in the Identity Provider. This second application contains only the SCIM configuration (URL and token) associated with the additional Cloud SWG tenant. Do not configure the SAML portion of this application; doing so triggers the duplicate Entity ID error described in the Issue section of this article.

Once the SCIM configuration is complete, users and groups can be assigned to this new application. Keep in mind that the desired users and groups must be assigned to both Symantec Web Security Service applications in the Identity Provider: the first so that SAML authentication succeeds, the second so that the users and groups are synced through SCIM to the additional tenant.

When completed you will have two Symantec Web Security Service applications. The first will contain the original SAML configuration that will account for one or more Cloud SWG tenants. It may also include the SCIM configuration details for the first Cloud SWG tenant. The second application will contain the SCIM configuration for the second Cloud SWG tenant. 

If you have additional Cloud SWG tenants to configure with SAML and SCIM, repeat the steps in this document, creating a new Symantec Web Security Service application in the Identity Provider for each tenant's unique set of SCIM credentials.

Additional Information

The Cloud SWG SAML metadata is the same for all tenants, so it cannot be imported into a SAML Identity Provider more than once: its Entity ID is not unique within the organisation.

For SAML authentication within Cloud SWG, the SAML IDP server can re-use the same Cloud SWG service provider configuration, as each Cloud SWG instance is expecting the same user/group information used for authentication and policy evaluation.
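As an added illustration (not from the original article or from Broadcom): a small Python check that parses SP metadata in the shape Cloud SWG exports, extracts the identifiers Microsoft Entra requires to be unique within the organisation (Entity ID and Assertion Consumer Service URL), and reproduces the collision above against an application that is already registered. The metadata document, the hostnames, the application names and the functions sp_identifiers and identifier_conflicts are this example's own constructed placeholders, not real Cloud SWG endpoints or an Entra API.

```python
"""
Preview SAML service-provider metadata before importing it into an IdP and
detect the duplicate-identifier collision described in the article.

Microsoft Entra requires the Identifier (Entity ID) and Reply URL (Assertion
Consumer Service URL) of an enterprise application to be unique within the
tenant. Because every Cloud SWG tenant exports the same SP metadata, a second
Symantec Web Security Service application built from that file collides with
the first one. The metadata and hostnames below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def _md(tag: str) -> str:
    """Clark-notation tag name in the SAML 2.0 metadata namespace."""
    return f"{{{MD_NS}}}{tag}"


def sp_identifiers(metadata_xml: str) -> dict:
    """Extract the IdP-side unique identifiers from SP metadata.

    Returns {"entity_id": str, "acs_urls": [str, ...]} and raises ValueError
    if the document is not SAML 2.0 service-provider metadata.
    """
    root = ET.fromstring(metadata_xml)
    # Metadata may be a bare EntityDescriptor or wrapped in an EntitiesDescriptor.
    entity = root if root.tag == _md("EntityDescriptor") else root.find(_md("EntityDescriptor"))
    if entity is None:
        raise ValueError("no EntityDescriptor element in metadata")
    entity_id = entity.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor carries no entityID attribute")
    sp = entity.find(_md("SPSSODescriptor"))
    if sp is None:
        raise ValueError("not service-provider metadata (no SPSSODescriptor)")
    acs_urls = sorted(
        {e.get("Location") for e in sp.findall(_md("AssertionConsumerService")) if e.get("Location")}
    )
    return {"entity_id": entity_id, "acs_urls": acs_urls}


def identifier_conflicts(new_ids: dict, registered_apps: dict) -> list:
    """Mimic the IdP uniqueness check.

    new_ids is the output of sp_identifiers (or hand-written dummy values);
    registered_apps maps an existing enterprise application name to the
    identifiers it already uses. Returns a sorted list of
    (app_name, identifier_kind, value) tuples for every duplicated value;
    an empty list means the application can be created.
    """
    conflicts = []
    for app_name, used in registered_apps.items():
        if used.get("entity_id") == new_ids["entity_id"]:
            conflicts.append((app_name, "Identifier (Entity ID)", new_ids["entity_id"]))
        for url in new_ids.get("acs_urls", []):
            if url in used.get("acs_urls", []):
                conflicts.append((app_name, "Reply URL (ACS)", url))
    return sorted(conflicts)


# Constructed SP metadata in the shape Cloud SWG exports (placeholder hostnames).
# Per the article, every Cloud SWG tenant exports this same document.
CLOUD_SWG_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://saml.cloudswg.example/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://saml.cloudswg.example/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Dummy identifiers for the SCIM-only application the article recommends for
# the second tenant: never used for sign-in, they only need to be unique.
SCIM_ONLY_APP_IDENTIFIERS = {
    "entity_id": "https://scim-only.tenant2.example/not-used-for-sso",
    "acs_urls": [],
}


def demo() -> list:
    """Register the first tenant's app, then try to add the second tenant from the same file."""
    registered = {"Symantec Web Security Service (WSS)": sp_identifiers(CLOUD_SWG_SP_METADATA)}
    conflicts = identifier_conflicts(sp_identifiers(CLOUD_SWG_SP_METADATA), registered)
    for app, kind, value in conflicts:
        print(f"{kind} {value!r} is already used by {app!r}")
    return conflicts


if __name__ == "__main__":
    demo()
```

Running the check on the second tenant's metadata reports both the Entity ID and the ACS URL as already in use by the first application, which is the Entra error quoted in the Issue section; the same check against the dummy identifiers of a SCIM-only application reports nothing, which is why the second application can be created as long as its SAML fields do not reuse the Cloud SWG values.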

SCIM is not used for authentication, but to provision user/group information to Cloud SWG tenants. For this reason, additional Enterprise applications may be configured with dummy entries for SAML (Entity ID and Assertion Consumer Service URL, for example), or the fields can be left blank, as they will not be used. The only section of such an application that is used is the SCIM URL and token, which are unique to each Cloud SWG tenant. Because this application carries no working SAML configuration, it must not be used for sign-in; it exists only to carry the provisioning settings. Adding the unique SCIM entries ensures that users and groups are successfully synchronised from Microsoft Entra to the corresponding Cloud SWG tenant.