Use federation capabilities in your Identity Provider to enforce Banyan Policies on your SaaS applications
This topic describes how your IdP (Okta or OneLogin) can route authentication to Banyan so that your SaaS apps receive continuous evaluation over SAML 2.0 and/or OIDC. Okta calls this capability IdP Routing Rules; OneLogin calls it Trusted IdP. The names differ by IdP, but the mechanism is the same: the authentication flow starts at the IdP. In the IDP-first technique (shown in the Banyan Command Center as IDP Routed), the SaaS application is configured for SAML/OIDC authentication against your Identity Provider, and your Identity Provider is configured to federate to Banyan TrustProvider. Zero Trust policies are then applied to groups of SaaS applications through the IdP's federation logic. You can also configure Banyan Federated authentication (SAML or OIDC) to secure your SaaS apps.
The diagram below provides a conceptual overview of how you can use Banyan via Identity Federation for Device Policies on SaaS Apps.
In the Normal Single-Sign-On flow, your SaaS Application redirects to your Identity Provider to authenticate the user.
In the IDP-first authentication flow, you configure your Identity Provider to federate authentication requests to Banyan’s TrustProvider component. Banyan TrustProvider federates right back to your Identity Provider for user authentication but, because Banyan is now in the authentication flow, it is able to enforce Zero Trust security policy.
The step-by-step flow is detailed in the diagram below:
At a high level, setting up IDP-federation with your Identity Provider is a simple, four-step process:
Before proceeding through the Setup sections below, please ensure you have:
Navigate to Secure Access > Policies > + Create Policy and create a new Policy using the template Basic Authorization Policy for Users. Name the policy federated-saas and be sure to select the option that specifies this policy is intended for Web Service for Users. Also set the policy attributes for minimal controls:
Navigate to Manage Services > SaaS Applications > + PUBLISH SAAS APPLICATION. Select IDP Routed so that your IdP routes to Banyan. Name the SaaS App federated-saas-app, and edit your IdP's redirect URL (if required).
Attach the federated-saas policy created in Step 1 and set enforcement mode to
Once you have created this IDP Routed App in the Banyan Command Center, the next screen will give you the details you need to set up your IDP to use Banyan to enforce your policies.
Create an external OIDC IDP and name it Banyan Policy Engine. Then, enter the config field values you obtained in Step 2 above.
Add a Routing Rule called Banyan Policy Engine Routing, and select the SaaS applications registered with your Identity Provider that you wish to secure with Banyan Policies. Authentication requests from the selected SaaS applications will get routed to the Banyan Policy Engine IDP you just created in Step 3.
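The four steps above set up a redirect chain rather than a single configuration switch, so it helps to see the whole IDP-first exchange in one place. The model below is an added example written for this page; it is not Banyan's, Okta's or OneLogin's code. The hostnames, the OIDC client id and callback URL, the policy shape (allowed groups plus a minimum device trust level) and the permissive-mode switch are assumptions standing in for real tenant configuration. It shows the routing rule deciding whether an app is federated to TrustProvider, TrustProvider authenticating the user back at the IdP and evaluating policy, the IdP validating the single-use state on the way back, and the two outcomes a practitioner most needs to recognise: a device below the required trust level is denied, and an app left out of the routing rule never reaches Banyan at all.

```python
"""Model of the IDP-first (IDP Routed) login flow.

Added example for this page, not vendor code. Hosts, client id, callback URL,
policy shape and the enforcing/permissive switch are assumptions.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

IDP = "https://example.okta.com"                       # assumption: hypothetical IdP tenant
TRUSTPROVIDER = "https://trust.example.banyanops.com"  # assumption: hypothetical TrustProvider
CLIENT_ID = "banyan-policy-engine"                     # assumption: external OIDC IdP client id
CALLBACK = f"{IDP}/oauth2/v1/authorize/callback"       # assumption: IdP redirect URL

TRUST_LEVELS = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Policy:
    """Assumed shape of a Web Service for Users policy. enforcing=False models a
    permissive mode that records the decision but still lets the login through."""
    name: str
    allowed_groups: frozenset
    min_trust_level: str
    enforcing: bool = True


def idp_route(app_name, routed_apps, pending):
    """Step 4, the IdP routing rule: apps in the rule are sent to TrustProvider
    with an OIDC authorization request; any other app logs in locally at the IdP
    and Banyan never sees it."""
    if app_name not in routed_apps:
        return {"routed": False, "next": f"{IDP}/login?app={app_name}"}
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    pending[state] = {"app": app_name, "nonce": nonce}
    query = urlencode({"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
                       "redirect_uri": CALLBACK, "state": state, "nonce": nonce})
    return {"routed": True, "next": f"{TRUSTPROVIDER}/oidc/authorize?{query}"}


def evaluate(policy, user, device):
    """The policy check TrustProvider can perform only because it is in the flow."""
    if not (user["groups"] & policy.allowed_groups):
        return False, f"user not in {sorted(policy.allowed_groups)}"
    if not device["registered"]:
        return False, "device not registered with Banyan"
    if TRUST_LEVELS[device["trust_level"]] < TRUST_LEVELS[policy.min_trust_level]:
        return False, f"device trust {device['trust_level']} below {policy.min_trust_level}"
    return True, "ok"


def trustprovider_authorize(authz_url, policy, authenticate_user):
    """TrustProvider federates back to the IdP for user authentication
    (authenticate_user), evaluates policy, then redirects to the IdP callback
    with either a code or an OIDC access_denied error."""
    q = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
    user, device = authenticate_user()
    allowed, reason = evaluate(policy, user, device)
    params = {"state": q["state"]}
    if allowed or not policy.enforcing:
        params["code"] = secrets.token_urlsafe(16)
    else:
        params["error"], params["error_description"] = "access_denied", reason
    return f"{q['redirect_uri']}?{urlencode(params)}", allowed, reason


def idp_callback(callback_url, pending):
    """The IdP consumes TrustProvider's response; state must match a pending
    request and is consumed on use, so a replayed response is rejected."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    entry = pending.pop(q.get("state", ""), None)
    if entry is None:
        return {"ok": False, "reason": "unknown or replayed state"}
    if "error" in q:
        return {"ok": False, "app": entry["app"], "reason": q.get("error_description", q["error"])}
    return {"ok": True, "app": entry["app"]}


def run_flow(app_name, routed_apps, policy, user, device):
    """Drive one login end to end and report the outcome."""
    pending = {}
    hop = idp_route(app_name, routed_apps, pending)
    if not hop["routed"]:
        return {"routed": False, "ok": True, "app": app_name,
                "reason": "authenticated at IdP, Banyan bypassed"}
    response_url, _, _ = trustprovider_authorize(hop["next"], policy, lambda: (user, device))
    result = idp_callback(response_url, pending)
    result["routed"] = True
    return result


# Constructed sample data, not real users or devices.
POLICY = Policy("federated-saas", frozenset({"Engineering"}), "High")
ALICE = {"sub": "alice@example.com", "groups": frozenset({"Engineering"})}
TRUSTED_LAPTOP = {"registered": True, "trust_level": "High"}
OLD_LAPTOP = {"registered": True, "trust_level": "Low"}

if __name__ == "__main__":
    routed = {"federated-saas-app"}
    print(run_flow("federated-saas-app", routed, POLICY, ALICE, TRUSTED_LAPTOP))
    print(run_flow("federated-saas-app", routed, POLICY, ALICE, OLD_LAPTOP))
    print(run_flow("legacy-crm", routed, POLICY, ALICE, OLD_LAPTOP))
```

The third call is the case to watch for in a real tenant: the routing rule, not the Banyan policy, decides which apps are protected, so any SaaS app missing from the rule authenticates straight through the IdP with no device evaluation.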
Use a private/incognito browser window to navigate to the URL of the SaaS App you set up. You’ll see the request being redirected to Banyan TrustProvider and your security policies being enforced.
Now, all authentication traffic for your SaaS App is routed to Banyan TrustProvider for policy enforcement.
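Watching the address bar in an incognito window works for one app, but it does not scale to confirming that every app in the routing rule actually passes through TrustProvider. The helper below is an added example for this page, not Banyan tooling: it follows Location headers one hop at a time with no cookie jar (the same cold-start condition as a private window) and reports whether any hop lands on the TrustProvider host. The hostnames and the offline response table are constructed stand-ins; swap in the live fetcher to run it against a real tenant.

```python
"""Redirect-chain check for the verification step above.

Added example, not vendor tooling. Hostnames and FAKE_RESPONSES are constructed.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def trace_redirects(start_url, fetch, max_hops=10):
    """Return the URLs visited, starting with start_url. fetch(url) performs
    one request without following redirects and returns (status, location)."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)
        chain.append(url)
    return chain


def routed_through(chain, host):
    """True if some hop in the chain is on host (your TrustProvider)."""
    return any(urlparse(u).hostname == host for u in chain)


def http_fetch(url):
    """Live fetcher: a single GET, redirects not followed, no cookies."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib surface the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed offline stand-in for two apps: one in the routing rule, one not.
FAKE_RESPONSES = {
    "https://app.example.com/login":
        (302, "https://example.okta.com/app/example/sso/saml"),
    "https://example.okta.com/app/example/sso/saml":
        (302, "https://trust.example.banyanops.com/oidc/authorize?client_id=x"),
    "https://trust.example.banyanops.com/oidc/authorize?client_id=x": (200, None),
    "https://legacy.example.com/login":
        (302, "https://example.okta.com/app/legacy/sso/saml"),
    "https://example.okta.com/app/legacy/sso/saml": (200, None),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


def check(start_url, trust_host="trust.example.banyanops.com", fetch=fake_fetch):
    """Return (routed_through_trustprovider, hop_list) for one app login URL."""
    chain = trace_redirects(start_url, fetch)
    return routed_through(chain, trust_host), chain


if __name__ == "__main__":
    for app in ("https://app.example.com/login", "https://legacy.example.com/login"):
        ok, chain = check(app)  # pass fetch=http_fetch to test a real tenant
        print("ROUTED  " if ok else "BYPASSED", " -> ".join(chain))
```

A BYPASSED result for an app you expected to be protected usually means the app is not selected in the routing rule, or the IdP has a higher-priority rule matching first.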