Cloud single sign-on Cloud single sign-on (SSO) is the Web Gateway service that allows users in your organization to access cloud services and applications after providing credentials one time. The SSO service is implemented by the Single Sign On module. In the context of cloud single sign-on, unless otherwise noted, the following terms are used as described here: Service Provider — The organization that provides the cloud service or application Users — Members of your organization who seek access to cloud services and applications Using the launchpad provided by Web Gateway, users submit credentials, open applications, and manage their accounts in the applications. User interface — The Web Gateway interface where administrators configure the SSO service Cloud connector — The configuration that allows Web Gateway to connect to and provide identity and SSO services for an application or service in the cloud Predefined connector — Any cloud connector that comes fully configured with Web Gateway Custom connector — Any cloud connector configured from a template Web Gateway provides a range of connector templates. Some templates come with most, but not all, configuration built in. Other templates allow you to build cloud connectors from scratch. Note: The terms cloud service and cloud application are used interchangeably. How cloud single sign-on is configured At a high level, you configure cloud single-sign by adding predefined and custom cloud connectors to SSO Connector lists. You can then associate users with these lists through Web Gateway policies. Single Sign On rule set summaryYou configure and manage single sign-on through the Single Sign On rule set as well as related lists and settings. Considerations when exporting and importing the SSO rule set The SSO rule set export and import does not include the SSO credentials required for accessing HTTP cloud applications or the Service IDs of custom connectors. SSO process in proxy and non-proxy modes The steps in the SSO process depend on whether the user's credentials are submitted to the cloud application directly (non-proxy mode) or through Web Gateway (proxy or inline mode). Supported authentication methodsGenerally, each cloud service or application uses one authentication method to log on users. Providing SSO services for HTTP cloud applicationsWeb Gateway supports many cloud services and applications that use HTTP authentication to log on users with predefined cloud connectors or individual cloud connector templates. Providing SSO services for SAML 2.0 cloud applicationsWeb Gateway supports cloud services and applications that use SAML 2.0 authentication to log on users by providing cloud connector templates. SAML authentication using an external Identity ProviderTo support organizations that want users to authenticate using a trusted, external Identity Provider, Web Gateway performs the SAML Service Provider role. Providing SSO services for .NET and Java web applicationsUsing the Single Sign On rule set and the generic IceToken cloud connector template, you can configure single sign-on to any .NET or Java web application. Use this option when Web Gateway does not support the web application with a predefined connector or connector template. How users work with the application launchpad Using the application launchpad, users can open applications and select and manage application accounts. Customizing the application launchpad In the Web Gateway interface, you can specify a name and description for your organization, customize the look of the text, and import images of your organization and product logos. You can also customize the header, footer, and sidebar that frame the launchpad. Creating bookmarks to cloud services for your organization You can create bookmarks to cloud services or applications for users across your organization. Monitoring logons to cloud services on the dashboard On the dashboard in the user interface, you can view statistics about the number of logons to all cloud applications and services. Locate information about the latest SSO updates When working with the cloud single sign-on feature, you might want to know which version of the software and the catalog you are using. In the user interface, you can view the version number and date and time of the latest updates to the SSO feature or engine. SSO logging overview The SSO Log rule set generates the SSO access log, and optionally the SSO trace log, from information about SSO requests that the proxy stores in the SSO.LogAttributes property. Resolving SSO issues See the following table for SSO issues and ways to resolve them.