Components of a Zero Trust Access Configuration

A new configuration consists of a Zero Trust Application Policy, Application Group, and Applications.

  • Zero Trust Application Policy—Consists of application groups, and grouped or ungrouped applications. Security Zones and Security Controls settings are associated at a global level for all ungrouped applications and application groups.

    A global port pool is assigned to the policy, by default. A unique port is automatically assigned from this pool to each private application that is configured.

  • Application Groups—Consist of a logical group of applications that share SAML authentication settings and can optionally share Security Zones and Security Controls settings.

    Application Groups inherit the Security Zones and Security Controls settings from the global policy and can override the values.

    When an Application Group is created, the same SAML IdP configuration can be used to authenticate multiple applications. Applications that are part of an Application Group inherit the Application Group's SAML configuration, so the SAML settings do not have to be configured for each application. After the Application Group is created, new applications can be added to it without configuring the IdP for each of them.

    When an end user first accesses an Application that is part of a group, the user is authenticated once for the Application Group. When the user then accesses other applications in the same Application Group, access is granted without another redirect to the IdP for authentication. This prevents overloading the IdP with requests for application access and optimizes IdP usage if a request limit is enabled.

  • Applications—There are two types:

    • Ungrouped Applications—Standalone applications. SAML settings must be configured for every application. The applications inherit the Security Zones and Security Controls settings from the global policy and can override them per application.

    • Grouped Applications—Multiple applications that are grouped under an Application Group. The SAML settings are inherited from the Application Group and cannot be overridden. However, the Security Zones and Security Controls settings can be overridden for each application.
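The inheritance rules above (global policy, then Application Group, then Application, with SAML fixed at the group level and a unique port drawn from the global pool per private application) are easiest to see as a small resolver. The following is an added example, not the Threat Defense data model or API; the class names, field names, sample IdP entity IDs, FQDNs and the port range are all constructed for illustration.

```python
"""Constructed model of the Zero Trust Access inheritance described above.
Class/field names are assumptions, not the product's own data model."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional


@dataclass
class SecuritySettings:
    """Security Zones / Security Controls. None means 'not set at this level, inherit'."""
    security_zones: Optional[List[str]] = None
    security_controls: Optional[Dict[str, bool]] = None


@dataclass
class SamlSettings:
    idp_entity_id: str
    idp_certificate: str          # PEM text in a real deployment; a label here


@dataclass
class Application:
    name: str
    fqdn: str
    saml: Optional[SamlSettings] = None   # required only when the app is ungrouped
    overrides: SecuritySettings = field(default_factory=SecuritySettings)


@dataclass
class ApplicationGroup:
    name: str
    saml: SamlSettings                     # shared by every member application
    overrides: SecuritySettings = field(default_factory=SecuritySettings)
    applications: List[Application] = field(default_factory=list)


@dataclass
class ZeroTrustPolicy:
    name: str
    global_settings: SecuritySettings
    port_pool: range                       # global pool; one unique port per private app
    groups: List[ApplicationGroup] = field(default_factory=list)
    ungrouped: List[Application] = field(default_factory=list)


def _merge(base: SecuritySettings, override: SecuritySettings) -> SecuritySettings:
    """A level overrides only the fields it explicitly sets; the rest is inherited."""
    return SecuritySettings(
        security_zones=(override.security_zones
                        if override.security_zones is not None else base.security_zones),
        security_controls=(override.security_controls
                           if override.security_controls is not None else base.security_controls),
    )


def effective_security(policy: ZeroTrustPolicy, app: Application,
                       group: Optional[ApplicationGroup] = None) -> SecuritySettings:
    """Global -> Application Group (if any) -> Application; each level may override."""
    settings = policy.global_settings
    if group is not None:
        settings = _merge(settings, group.overrides)
    return _merge(settings, app.overrides)


def effective_saml(app: Application, group: Optional[ApplicationGroup] = None) -> SamlSettings:
    """Grouped apps always use the group's IdP; ungrouped apps must carry their own."""
    if group is not None:
        return group.saml                  # per-application SAML cannot override the group
    if app.saml is None:
        raise ValueError(f"ungrouped application {app.name!r} has no SAML settings")
    return app.saml


def assign_ports(policy: ZeroTrustPolicy) -> Dict[str, int]:
    """Give every private application a distinct port from the policy's global pool."""
    pool: Iterator[int] = iter(policy.port_pool)
    assignment: Dict[str, int] = {}
    apps = policy.ungrouped + [a for g in policy.groups for a in g.applications]
    for app in apps:
        try:
            assignment[app.name] = next(pool)
        except StopIteration:
            raise RuntimeError("port pool exhausted") from None
    return assignment


# --- constructed sample configuration (hypothetical names and values) --------
GLOBAL = SecuritySettings(security_zones=["inside"],
                          security_controls={"ips": True, "malware": True})
HR_IDP = SamlSettings("https://idp.example.com/hr", "hr-idp-cert")
PAYROLL = Application("payroll", "payroll.example.com")
BENEFITS = Application("benefits", "benefits.example.com",
                       overrides=SecuritySettings(security_controls={"ips": True, "malware": False}))
HR_GROUP = ApplicationGroup("hr-apps", saml=HR_IDP,
                            overrides=SecuritySettings(security_zones=["dmz"]),
                            applications=[PAYROLL, BENEFITS])
WIKI = Application("wiki", "wiki.example.com",
                   saml=SamlSettings("https://idp.example.com/wiki", "wiki-idp-cert"))
POLICY = ZeroTrustPolicy("zta-policy", GLOBAL, port_pool=range(20000, 20100),
                         groups=[HR_GROUP], ungrouped=[WIKI])

if __name__ == "__main__":
    for app, grp in ((PAYROLL, HR_GROUP), (BENEFITS, HR_GROUP), (WIKI, None)):
        print(app.name, effective_saml(app, grp).idp_entity_id, effective_security(POLICY, app, grp))
    print(assign_ports(POLICY))
```

Running it shows `payroll` taking the group's zone override and the global controls, `benefits` additionally overriding the controls at the application level, and `wiki` keeping the global settings with its own IdP; an ungrouped application without SAML settings is rejected, matching the rule that SAML must be configured for every ungrouped application.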

The following certificates are required for the configuration:

  • Identity Certificate—This certificate is used by threat defense to masquerade as the applications. Threat Defense behaves as a SAML Service Provider (SP). This certificate must be a wildcard or Subject Alternative Name (SAN) certificate that matches the FQDN of the private applications. It is a common certificate for all applications protected by threat defense.

  • IdP Certificate—The IdP provides a certificate for each defined Application or Application Group. This certificate must be configured so that threat defense can verify the IdP's signature on incoming SAML assertions.

    Note

    IdP certificates are commonly included within the metadata file; otherwise, users are required to have the IdP certificate readily available during the configuration of applications.

  • Application Certificate—The encrypted traffic from the user to the application is decrypted by threat defense using this certificate for the purpose of inspection.

    Note

    This certificate is required to verify the cookies in the header that authorize connections, even when no IPS or malware inspection is performed.
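The Identity Certificate requirement above (one wildcard or SAN certificate that matches the FQDN of every private application) is worth checking before deployment, because a wildcard covers only one DNS label. The following is an added example, not part of the original page or of the product: it applies the RFC 6125 matching rules to a list of dNSName entries, and the SAN entries and application FQDNs are constructed sample values. In practice the entries would be taken from the certificate's subjectAltName extension.

```python
"""Check that one identity certificate's DNS names cover every private application
FQDN.  Matching follows RFC 6125: a wildcard may only be the entire left-most
label and matches exactly one label; other entries must match exactly."""
from typing import Iterable, List


def name_matches(pattern: str, fqdn: str) -> bool:
    """Return True if the SAN entry `pattern` matches the host name `fqdn`."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn                 # plain dNSName: exact match only
    if "*" in pattern[2:]:
        return False                           # reject patterns such as "*.*.example.com"
    suffix = pattern[1:]                       # "*.apps.example.com" -> ".apps.example.com"
    if suffix.count(".") < 2:
        return False                           # refuse "*.com"-style wildcards
    if not fqdn.endswith(suffix):
        return False
    left = fqdn[: -len(suffix)]
    return bool(left) and "." not in left      # exactly one label replaces the '*'


def covered_by(san_dns_names: Iterable[str], fqdn: str) -> bool:
    return any(name_matches(entry, fqdn) for entry in san_dns_names)


def uncovered_applications(san_dns_names: Iterable[str], app_fqdns: Iterable[str]) -> List[str]:
    """FQDNs of private applications the certificate would NOT present a valid name for."""
    names = list(san_dns_names)
    return [fqdn for fqdn in app_fqdns if not covered_by(names, fqdn)]


# Constructed sample values (not from the page): SAN entries as read from the
# identity certificate, and the FQDNs of the private applications being protected.
IDENTITY_CERT_SANS = ["*.apps.example.com", "portal.example.com"]
PRIVATE_APP_FQDNS = [
    "payroll.apps.example.com",     # covered by the wildcard
    "Portal.example.com",           # covered; names compare case-insensitively
    "deep.hr.apps.example.com",     # NOT covered: the wildcard spans one label only
    "wiki.example.com",             # NOT covered: no matching entry at all
]

if __name__ == "__main__":
    missing = uncovered_applications(IDENTITY_CERT_SANS, PRIVATE_APP_FQDNS)
    if missing:
        print("identity certificate does not cover:", ", ".join(missing))
    else:
        print("identity certificate covers all private applications")
```

The two uncovered names in the sample are the cases that most often surprise people: a host nested one level deeper than the wildcard, and an application outside the wildcard's domain. Either needs its own SAN entry (or a second wildcard) before the common identity certificate will work for it.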