Create an Application

Use this task to create a Grouped or Ungrouped Application.

Before you begin

  1. Create a Zero Trust Application Policy.

  2. Create an Application Group (required only for Grouped Applications).

Procedure

Step 1

Choose Policies > Access Control > Zero Trust Application

Step 2

Choose the policy.

Step 3

Click Add Application.

Step 4

In the Application Settings section, complete the following fields.

  • Application Name—Enter the application name.

  • External URL—Enter the URL that is used by the user to access the application.

  • Application URL—By default, the external URL is used as the Application URL. Uncheck the Use External URL as Application URL check box to specify a different URL.

    If the threat defense uses an internal DNS, then the Application URL must align with an entry within that DNS, to ensure resolution to the application.

  • Application Certificate—Choose the certificate for the private application. Click the Add (add icon) icon to configure an internal certificate object. For more information, see Adding Internal Certificate Objects.

  • Application Group—Choose the Application Group from the drop-down list. See Create an Application Group.

    Note

    This field is not applicable for an ungrouped application.

Step 5

Click Next.

Step 6

Based on the application type:

  • For a Grouped Application, the SAML Service Provider (SP) Metadata, SAML Identity Provider (IdP) Metadata , and Re-authentication Interval are inherited from the Application Group and do not need to be configured by the user.

  • For an Ungrouped Application, perform these steps:

    1. In the SAML Service Provider (SP) Metadata section, the data is dynamically generated. Copy the Entity ID or Assertion Consumer Service (ACS) URL of the IdP or click Download SP Metadata to download this data in XML format for adding it to the IdP. Click Next.

    2. In the SAML Identity Provider (IdP) Metadata section, add the metadata using any one of the methods:

      • XML File Upload—Choose a file or drag and drop the XML file.

        The details of the Entity ID, Single Sign-On URL, and IdP Certificate are displayed.

      • Manual Configuration—Perform these steps:

        • Entity ID—Enter the URL that is defined in the SAML IdP to identify a service provider uniquely.

        • Single Sign-On URL—Enter the URL for signing into the SAML identity provider server.

        • IdP Certificate—Choose the certificate of the IdP enrolled in threat defense to verify the messages signed by the IdP.

          Click the Add (add icon) icon to configure a new certificate enrollment object. For more information, see Add Certificate Enrollment.

      • Configure Later—In the event you do not have the IdP metadata, you can configure it later.

      Click Next.

    3. In the Re-authentication Interval section, enter the value in the Timeout Interval field and click Next. The reauthentication interval allows you to provide a value that determines when a user must authenticate again.

Step 7

In the Security Zones and Security Controls section, the security zones and threat settings are inherited from the parent policy or application group. You can override these settings. Click Next.

Step 8

Review the configuration summary. Click Edit to modify the details in any of the sections. Click Finish.

Step 9

Click Save.

The Application is listed on the Zero Trust Application page and is enabled by default.

What to do next

  1. Set Targeted Devices for Zero Trust Access Policy.

  2. Deploy configuration changes. See Deploy Configuration Changes in the Cisco Secure Firewall Management Center Administration Guide.