SafeNet Trusted Access for BlueCoat ProxySG

Overview

Configuring SafeNet Trusted Access for BlueCoat ProxySG is a three-step process:

1. BlueCoat ProxySG setup

2. SafeNet Trusted Access setup

3. Verify Authentication

BlueCoat ProxySG Setup

As a prerequisite, download the Identity Provider certificate from the SafeNet Trusted Access Console by clicking the Download X.509 Certificate button. You will need this certificate in one of the steps mentioned below.

Perform the following steps to configure SafeNet Trusted Access as your Identity Provider in BlueCoat ProxySG:

1. Log in to the BlueCoat ProxySG application as an administrator using the following URL: http://<IP Address or FQDN of BlueCoat ProxySG Appliance>:<Port number>

2. In the BlueCoat ProxySG Management Console window, on the Configuration tab, in the left pane, click Authentication > SAML.

3. In the right pane, on the SAML Realms tab, click New.

4. In the Add SAML Realm window, perform the following steps:

a. In the Realm name field, enter a valid name for the new SAML realm (for example, Identity Service).

b. In the Federated IDP CCL field, select the browser-trusted CCL.

c. In the Virtual host field, enter the hostname for the SAML endpoint (for example, https://virtualhost.com).

d. Click Ok.
The Identity Service SAML realm appears in the list.

5. Click Apply.

6. The message Changes were committed to the SG successfully is displayed. Click OK.

7. Select the newly created SAML realm (for example, Identity Service), and click Edit.

8. In the Edit SAML Realm window, perform the following steps:

a. In the Federated IDP entity ID field, enter the Issuer/Entity ID URL provided on the SafeNet Trusted Access Console.

b. In the Federated IDP POST URL field, enter the SingleSignOnService URL provided on the SafeNet Trusted Access Console.

c. In the Federated IDP Redirect URL field, enter the SingleSignOnService URL provided on the SafeNet Trusted Access Console.

d. Click Ok.

9. Click Apply.

10. The message Changes were committed to the SG successfully is displayed. Click OK.

Configuring CA Certificate List

The BlueCoat ProxySG application's CA Certificate List (CCL) must contain the signing certificates of the IdP.

Importing Identity Provider Certificate

1. In the Blue Coat Management Console window, click the Configuration tab, and in the left pane, click SSL > CA Certificates.

2. In the right pane, on the CA Certificates tab, click Import.

3. In the Import CA Certificate window, perform the following steps:

a. In the CA Cert Name field, enter a certificate name (for example, IDP).

b. In Notepad, open the IDP certificate that you downloaded earlier from the SafeNet Trusted Access Console, and copy the entire text.

c. In the CA Certificate PEM field, paste the entire text of the IDP certificate.

d. Click Ok.

4. Click Apply.

5. The message Changes were committed to the SG successfully is displayed. Click OK.

Creating CA Certificate List

1. In the Blue Coat Management Console window, click the Configuration tab, and in the left pane, click SSL > CA Certificates.

2. In the right pane, on the CA Certificate Lists tab, select browser-trusted, and click Edit.

3. In the Edit CA Certificate List window, perform the following steps:

a. In the certificate list on the left, select the imported IDP certificate (for example, IDP).

b. Click Add >> to move the selected certificate to the certificate list on the right.

c. Click Ok.

Configuring Authentication Policy

After configuring an authentication realm, you need to configure a policy on the BlueCoat ProxySG application to authenticate, log, and control user access to the web server.

The following sections broadly explain how to set up rules to authenticate users, restrict access for specific users and groups, and deny all other access to the web server.

Creating Web Authentication Layer

1. In the Blue Coat Management Console window, click the Configuration tab, and in the left pane, click Policy > Visual Policy Manager.

2. In the right pane, click Launch.

3. In the Blue Coat Visual Policy Manager window, click Policy > Add Web Authentication Layer.

4. In the Add New Layer window, in the Layer Name field, enter a descriptive name for the Web Authentication Layer, and click OK.

5. Right-click the Action column of the default rule, and select Set.

6. In the Set Action Object window, click New > Authenticate.

7. In the Add Authenticate Object window, perform the following steps:

a. In the Name field, enter the name of the Authenticate Object (for example, Authenticate).

b. In the Realm field, select the SAML realm you created (for example, Identity Service).

c. In the Mode field, select Auto.
The application automatically determines the mode.

d. Click Ok.

8. In the Set Action Object window, click OK.

Creating Web Access Rule

Create a policy rule that enables the BlueCoat ProxySG application to grant users access to the network.

1. In the Blue Coat Management Console window, click the Configuration tab, and in the left pane, click Policy > Visual Policy Manager.

2. In the right pane, click Launch.

3. In the Blue Coat Visual Policy Manager window, click Policy > Add Web Access Layer.

4. In the Add New Layer window, in the Layer Name field, enter a descriptive name for the Web Access Layer, and click OK.

5. Right-click the Source column of the default rule, and select Set.

6. In the Set Source Object window, select Authenticated User (from the listed options), and click OK.

7. Right-click the Action column of the default rule, and select Allow.
The color of the icon in the Action column changes from red to green.

8. Click Install policy.

9. The message Policy installation was successful is displayed. Click OK.

10. Click Apply.

11. The message Changes were committed to the SG successfully is displayed. Click OK.

Obtaining Metadata Information

You can export the BlueCoat ProxySG metadata from:

https://<IP Address or FQDN of BlueCoat Management Console>:8082/saml/metadata/<realm-name>/sp
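
A check you can run on the exported metadata file before uploading it to SafeNet Trusted Access, given here as an added example (it is not part of the original help page or of either product). It confirms that the file is service-provider metadata and that every AssertionConsumerService endpoint uses HTTPS on the configured virtual host. The sample XML, its entityID and its ACS path are constructed for illustration, and the function name check_sp_metadata is hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: the entityID and ACS path are assumptions for illustration,
# not values taken from a real ProxySG export.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://virtualhost.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://virtualhost.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, virtual_host_url):
    """Return a list of problems in SP metadata; an empty list means it passed.

    virtual_host_url is the Virtual host value in URL form, as entered in the
    SAML realm (for example, https://virtualhost.com).
    Intended for the file exported from your own appliance, not arbitrary XML.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no SPSSODescriptor (not service-provider metadata)"]
    endpoints = sp.findall("md:AssertionConsumerService", NS)
    if not endpoints:
        problems.append("no AssertionConsumerService endpoint")
    expected_host = urlsplit(virtual_host_url).hostname
    for acs in endpoints:
        location = acs.get("Location", "")
        parts = urlsplit(location)
        # Assertions are posted to this URL, so it must be TLS-protected.
        if parts.scheme != "https":
            problems.append("ACS endpoint is not HTTPS: %s" % location)
        # An ACS on another host means the realm's Virtual host was mis-entered.
        if parts.hostname != expected_host:
            problems.append("ACS host %r does not match virtual host %r"
                            % (parts.hostname, expected_host))
    return problems
```

Save the export to a file, pass its contents together with the Virtual host value from the SAML realm, and resolve any reported problem before uploading the metadata.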

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in BlueCoat ProxySG, the second step is to activate the BlueCoat ProxySG application in SafeNet Trusted Access by performing the following steps:

1. In the Applications pane, the BlueCoat ProxySG application that you added earlier is in an inactive state by default. To configure and activate this application, click the application (for example, BlueCoat ProxySG) and proceed to the next step.

2. Under STA Setup, click Upload BlueCoat ProxySG Metadata.

3. In the Metadata upload window, click Browse to search for and select the BlueCoat ProxySG metadata that you obtained earlier in the Obtaining Metadata Information section.

4. Under User Portal Settings, in the SERVICE LOGIN URL field, enter the BlueCoat virtual host login URL (for example, https://virtualhost.com), hosted on BlueCoat ProxySG.

5. Under Account Details, service provider metadata information is displayed.

6. Click Save Configuration to save the details and activate the BlueCoat ProxySG application in SafeNet Trusted Access.

Verify Authentication

Using STA Console

Navigate to the BlueCoat ProxySG virtual host URL, https://<virtualhost>. Here, <virtualhost> is the virtual hostname or IP address that you configured earlier. You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information and approve the two-factor authentication; you should then be redirected to the protected resources.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the BlueCoat ProxySG application icon; you should be redirected to the protected resources after authentication.

© 2018 SafeNet Trusted Access. Various trademarks held by their respective owners.