IDP Routed SaaS Applications

Use federation capabilities in your Identity Provider to enforce Banyan Policies on your SaaS applications

This topic details how your IdP (Okta and OneLogin) can route to Banyan to provide continuous evaluation for your SaaS apps using SAML 2.0 and/or OIDC. Some may know this capability as IdP Routing Rules in Okta or Trusted IdP in OneLogin. While the names differ depending on your IdP of record, the capabilities rely on the same principle: traffic first starts with the IdP. In the IDP-first technique (displayed in the Banyan Command Center as IDP Routed), the SaaS Application is configured for SAML/OIDC authentication using your Identity Provider, and your Identity Provider is configured to federate to Banyan TrustProvider. Zero Trust policies are defined for groups of SaaS applications via IDP Federation logic. You can also configure Banyan Federated authentication (SAML or OIDC) to secure your SaaS apps.

For IDP-specific steps, please refer to our guides for Okta and OneLogin.

How It Works

The diagram below provides a conceptual overview of how you can use Banyan via Identity Federation for Device Policies on SaaS Apps.

In the Normal Single-Sign-On flow, your SaaS Application redirects to your Identity Provider to authenticate the user.

In the IDP-first authentication flow, you configure your Identity Provider to federate authentication requests to Banyan’s TrustProvider component. Banyan TrustProvider federates right back to your Identity Provider for user authentication but, because Banyan is now in the authentication flow, it is able to enforce Zero Trust security policy.

The step-by-step flow is detailed in the diagram below:

Setup

This section outlines the general steps to set up federation. For IDP-specific steps, please refer to our guides for Okta and OneLogin.

At a high level, setting up IDP federation with your Identity Provider is a simple process:

  1. In the Banyan Command Center, create a Policy to manage access to SaaS Apps
  2. In the Banyan Command Center, register the IDP Routed SaaS App
  3. In your Identity Provider, create an External OpenID Connect IDP called “Banyan Policy Engine”
  4. In your IDP, add a Routing Rule called “Banyan Policy Engine Routing”
  5. Test the SaaS App

Pre-requisites

Before proceeding through the Setup sections below, please ensure you have:

  • Administrative access to your Identity Provider
  • The ability to add an external Identity Provider called “Banyan Policy Engine”
  • The ability to add a new application integration to your Identity Provider called “Banyan DeviceRegistrationProvider”
  • Integrated Banyan with your Identity Provider to create a directory of users that can access your Services

1. In the Banyan Command Center, Create a Policy to Manage Access to SaaS Apps

Navigate to Secure Access > Policies > + Create Policy and create a new Policy using the template Basic Authorization Policy for Users.

Name the policy federated-saas and be sure to select the option that specifies this policy is intended for Web Service for Users.

Also set the policy attributes for minimal controls:

  • allow access from user principals with ANY role
  • do not set a Trust Level requirement

2. In the Banyan Command Center, Register the IDP Routed SaaS App

Navigate to Manage Services > SaaS Applications > + PUBLISH SAAS APPLICATION.

Select IDP Routed so that your IdP routes to Banyan.

Name the SaaS App federated-saas-app, and edit your IDP’s redirect URL (if required).

Attach the federated-saas policy created in Step 1, and set the enforcement mode to Enforcing.

Once you have created this IDP Routed App in the Banyan Command Center, the next screen will give you the details you need to set up your IDP to use Banyan to enforce your policies.

3. In your IDP, create an External OpenID Connect IDP called “Banyan Policy Engine”

Create an external OIDC IDP and name it Banyan Policy Engine. Then, enter the config field values you obtained in Step 2 above.

4. In your IDP, add a Routing Rule called “Banyan Policy Engine Routing”

Add a Routing Rule called Banyan Policy Engine Routing, and select the SaaS applications registered with your Identity Provider that you wish to secure with Banyan Policies. Authentication requests from the selected SaaS applications will get routed to the Banyan Policy Engine IDP you just created in Step 3.

5. Test the SaaS App

Use a private/incognito browser window to navigate to the URL of the SaaS App you set up. You’ll see the request being redirected to Banyan TrustProvider and your security policies being enforced.
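As an added check for this test step (example code, not part of the Banyan documentation), the script below takes the redirect chain captured from the browser's network tab and verifies the IDP-first order described under How It Works: IdP, then Banyan TrustProvider as the external OIDC IDP, then back to the IdP for user authentication. The hostnames and the sample chain are constructed placeholders, not real Banyan or IdP endpoints.

```python
"""Verify a captured redirect chain follows the IDP Routed (IDP-first) flow.

Expected hops, per the IDP-first description on this page:
  SaaS app -> IdP (routing rule fires) -> Banyan TrustProvider -> IdP (user auth)
Hostnames below are assumptions for this example, not real endpoints.
"""
from urllib.parse import urlparse, parse_qs

IDP_HOST = "idp.example.com"               # assumed: your Okta/OneLogin tenant
TRUSTPROVIDER_HOST = "trust.example.com"   # assumed: Banyan TrustProvider host

# Constructed sample: Location headers recorded during a Step 5 test, in order.
SAMPLE_CHAIN = [
    "https://saas.example.com/login",
    "https://idp.example.com/app/saas/sso/saml",
    "https://trust.example.com/oidc/authorize?response_type=code"
    "&client_id=banyan-policy-engine"
    "&redirect_uri=https%3A%2F%2Fidp.example.com%2Foauth2%2Fcallback"
    "&scope=openid+email&state=abc123&nonce=n0nce",
    "https://idp.example.com/oauth2/authorize?client_id=trustprovider",
]

# Parameters the IdP must send when it acts as OIDC client to the TrustProvider.
REQUIRED_OIDC_PARAMS = {"response_type", "client_id", "redirect_uri", "state", "nonce"}


def check_idp_routed_chain(chain):
    """Return (ok, findings) for the list of URLs visited, in order."""
    hosts = [urlparse(u).hostname for u in chain]
    findings = []
    if TRUSTPROVIDER_HOST not in hosts:
        # The routing rule never sent the request to Banyan: policy was not enforced.
        return False, ["routing rule did not fire: TrustProvider never visited"]
    tp_idx = hosts.index(TRUSTPROVIDER_HOST)
    if tp_idx == 0 or hosts[tp_idx - 1] != IDP_HOST:
        findings.append("TrustProvider not reached via the IdP (IDP-first order broken)")
    if tp_idx + 1 >= len(hosts) or hosts[tp_idx + 1] != IDP_HOST:
        findings.append("TrustProvider did not federate back to the IdP for user auth")
    params = parse_qs(urlparse(chain[tp_idx]).query)
    missing = REQUIRED_OIDC_PARAMS - set(params)
    if missing:
        findings.append(f"OIDC request to TrustProvider missing {sorted(missing)}")
    redirect_uri = params.get("redirect_uri", [""])[0]
    if urlparse(redirect_uri).hostname != IDP_HOST:
        # The authorization code must return to the IdP's callback, nowhere else.
        findings.append("redirect_uri does not point back at the IdP")
    return not findings, findings


if __name__ == "__main__":
    print(check_idp_routed_chain(SAMPLE_CHAIN))
```

A chain that never touches the TrustProvider means the routing rule from Step 4 did not match the application, so the policy from Step 1 was not applied.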


Now, all authentication traffic for your SaaS App is routed to Banyan TrustProvider for policy enforcement.

Last modified: Jul 22, 2021