Cloud Secure Edge Docs
Secure SaaS Applications with IDP Federation
On This Page
Overview
SonicWall Cloud Secure Edge (CSE) uses OpenID Connect Federation flows to intercept authentication requests between your Identity Provider and the SaaS application to enforce Device Trust policies. CSE's security mechanism is designed to be completely transparent to both the user and the SaaS application.
The flow diagram below describes how CSE's zero-trust access control security mechanism works for SaaS applications. Review the Apply Device Policies on SaaS Applications quick start guide to see how to enable device-based access control policies on a SaaS application using CSE's zero-trust security framework.
CSE Federated and IDP Routed
IDP Federation can be implemented in two ways:
- CSE Federated
- In this technique, the SaaS application is configured for SAML/OIDC authentication using CSE's TrustProvider component. Zero-trust policies can be defined for each individual SaaS application.
- IDP Routed
- In this technique, the SaaS application is configured for SAML/OIDC authentication using your Identity Provider, and your Identity Provider is configured to federate to CSE's TrustProvider component. Zero Trust policies are defined for groups of SaaS applications via IDP Federation logic.
As indicated in the diagram below, the two techniques accomplish the same policy-based access objective by using slightly different authentication flows.
The table below lists a few key considerations to take into account when deploying each technique:
| CSE Federated | IDP Routed (only Okta & Azure AD) | |
|---|---|---|
| Works with SaaS applications that use SAML | ||
| Works with SaaS applications that use OIDC | ||
| Granular policies per SaaS application | ||
| Passwordless authentication using device certificate | ||
| No change to SaaS application SSO configuration | ||
| Easy configuration for small number of SaaS applications (~10) | ||
| Easy configuration for large number of SaaS applications (10+) |
