Identity Provider [IdP] Integration - Generic [ABS]

This section describes how to configure a new "generic" identity provider. The instructions in this section apply to all identity providers - and not just to one specific provider. The instructions therefore include various non-specific options and terminology.

This procedure consists of two preliminary steps in the console, followed by the five wizard steps described below [Step 1 to Step 5].

To configure a new identity provider [generic]:

  1. In the Advanced Browser Security console, open the Settings > Identity provider integration page.

  2. If no identity provider has been configured, click Configure identity provider. The first step of the wizard opens.

Step 1: Configure your identity provider

In this step, you'll give a name to the integration, and then copy configuration details from the Advanced Browser Security console to your identity provider.

  1. Enter a name for the provider integration, for example, "Acme".

  2. In your identity provider, create a new application, and give it a name, such as "Browser Extension".

  3. In your identity provider, set up single sign-on.
    1. In the Advanced Browser Security console, click the copy icon to copy the "Entity ID (Identifier)" to the clipboard.

    2. In your identity provider, paste the clipboard contents into the corresponding "Identifier (Entity ID)" field.

    3. In the Advanced Browser Security console, click the copy icon to copy the "Reply URL (Assertion Consumer Service URL)" to the clipboard.

    4. In your identity provider, paste the clipboard contents into the corresponding "Reply URL (Assertion Consumer Service URL)" field.

  4. In the Advanced Browser Security console, click Next.
    Step 2 - Configure SAML integration - opens.

Step 2: Configure SAML integration

In this step, you'll copy configuration details from your identity provider to the Advanced Browser Security console. The configuration details are typically contained in a metadata .xml file, which your identity provider generates when you add the new SAML integration. This file describes the IdP (its entity ID, its single sign-on endpoints and the certificate it signs assertions with), which is what enables Advanced Browser Security to accept SAML assertions from that IdP. The metadata .xml file can either be uploaded and stored locally in the Advanced Browser Security console, or fetched from a URL that you specify [the recommended option for IdPs that are not on-premises].

  1. For XML data or .xml files at a specific URL [the recommended option]:

    1. In your identity provider, copy the "App Federation Metadata Url" data to the clipboard.

    2. If the metadata published by your IdP does not declare an HTTP-Redirect binding for its single sign-on endpoint, enable HTTP-Redirect binding in the SSO definitions of the IdP. For example, in JumpCloud, select the "Declare Redirect Endpoint" check box.

    3. In the Advanced Browser Security console, paste the clipboard contents into the "Metadata XML document URL" field.

  2. For locally stored .xml files:
    [This option may be required for integrating with Google Workspace.]

    1. If the metadata exported by your IdP does not declare an HTTP-Redirect binding for its single sign-on endpoint, enable HTTP-Redirect binding in the SSO definitions of the IdP and export the metadata again. For example, in JumpCloud, select the "Declare Redirect Endpoint" check box.

    2. Drag-and-drop the .xml file, or click Or choose file and then locate and specify the required .xml file.

  3. In the Domain identifiers field, enter the domain identifiers, i.e., the domains of the users who sign in through this identity provider.

  4. In the Advanced Browser Security console, click Next.
    Step 3 - Configure attribute mappings - opens.

Step 3: Configure the attribute mapping [optional]

In this step, you will configure the attribute mappings between Advanced Browser Security and the identity provider. You'll need to perform this step only if you'll be assigning policies to users based on their user attributes.

Note: You can specify a maximum of 20 attributes that can be used in your policy assignment rules.

Note

The instructions in this section apply to all identity providers - and not just to one specific provider. The instructions therefore include various non-specific options, and terminology such as "or something similar." For application-specific instructions, see:

Example - to map the user's department:

  1. In your identity provider, locate the claim that contains the user's department.

    1. In the identity provider, look for Enterprise Application Configuration or Application Configuration or ABS configuration, or something similar - and then enter into that menu.

    2. Proceed to General or SSO, or something similar.

    3. Proceed to Attribute mapping, or something similar.

    4. Search for the required claim, for example, "department". If you do not find the required claim, create a new one.
      We recommend using only lower-case letters for the name of the new claim.

    5. After the claim is identified or created, set its value:

      1. The identity provider GUI may suggest a value, for example, "department". Prefer the suggested value.

      2. If no value is suggested, open any user profile and look for the required field. The field's name (not its value) is the value that is needed.

  2. In the Advanced Browser Security console - Step 3 - Configure attribute mappings, click Add new attribute.

  3. Enter "Department" as the attribute name, and "department" as the SAML claim.

  4. Click Next. Step 4 - Default assignment rules - opens.
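To see what the mapping in this step does at sign-in time, the following added example (not product code, and not part of the original page) extracts the attributes from a SAML assertion and resolves a console attribute name such as "Department" to the claim name entered in Step 3. The assertion, the user and the policy names are constructed for the example. The example assumes, as most SAML service providers do, that claim names are compared exactly and case-sensitively; that assumption is the reason a lower-case claim name is easier to get right on both sides.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
MAX_MAPPED_ATTRIBUTES = 20  # limit stated for policy assignment rules

# Constructed sample assertion fragment for a hypothetical user (signature omitted).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>abs-users</saml:AttributeValue>
      <saml:AttributeValue>finance-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Map each saml:Attribute Name to the list of its AttributeValue strings."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attribute in root.iter(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attribute.findall("saml:AttributeValue", NS)]
        attrs[attribute.get("Name")] = values
    return attrs


def apply_attribute_mapping(attrs: dict, mapping: dict) -> tuple:
    """Resolve console attribute names to assertion values.

    mapping: {console attribute name: SAML claim Name}, as entered in Step 3.
    Claim names are matched exactly (case-sensitive), an assumption of this
    example.  Returns (resolved values, claim names absent from the assertion).
    """
    if len(mapping) > MAX_MAPPED_ATTRIBUTES:
        raise ValueError(f"at most {MAX_MAPPED_ATTRIBUTES} attributes can be mapped")
    resolved, missing = {}, []
    for console_name, claim in mapping.items():
        if claim in attrs:
            resolved[console_name] = attrs[claim]
        else:
            missing.append(claim)
    return resolved, missing


def policy_for_department(resolved: dict, rules: dict, default: str) -> str:
    """Illustrative assignment rule: choose a policy by the user's Department value,
    falling back to the default policy when no rule matches (hypothetical names)."""
    for value in resolved.get("Department", []):
        if value in rules:
            return rules[value]
    return default


if __name__ == "__main__":
    attrs = extract_attributes(ASSERTION)
    ok, missing = apply_attribute_mapping(attrs, {"Department": "department"})
    print("lower-case claim:", ok, missing)
    bad, missing_bad = apply_attribute_mapping(attrs, {"Department": "Department"})
    print("mis-cased claim:", bad, missing_bad)
    print(policy_for_department(ok, {"Finance": "finance-policy"}, "default-policy"))
```

The second mapping in the usage section, with the claim entered as "Department" while the IdP emits "department", resolves nothing and the user would fall through to the default policy of Step 4; that is the failure mode the lower-case recommendation avoids.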

Step 4: Assign a default assignment rule

In this step, you will specify a policy that will be assigned to all new endpoint users.

  1. In the Advanced Browser Security console, select the policy that will be assigned to new endpoint users.

  2. Click Create integration.

Step 5: Completing the configuration

You must now configure the users and groups for the application in your identity provider. You can either add specific users to Advanced Browser Security, or you can allow all users in the external identity provider to use the extension.

Note

Some organizations use conditional access in their identity providers to restrict access to applications from only those devices that meet specific requirements. In certain circumstances, it is necessary to bypass these restrictions to enable access to the extension. For details, see Identity Provider Integration - Bypassing Conditional Access [ABS].

  • For details on how to add endpoint users using the Advanced Browser Security console, see Managing Endpoint Users. This enables you to assign a specific non-default policy to the new users before they first sign in.