Appendix

Reverse Proxy configuration: This configuration is not recommended for PoCs or new admins. The forward proxy covers most use cases and does so more effectively. In Reverse Proxy mode, Lookout inserts itself into the communication flow as a "Man in the Middle", taking over after the user has reached out directly to the resource (on the return path of the communication).

SAML Integration between Lookout (as IdP) and SaaS Application (as SP)

1. Create a new SSO Group: Enterprise Integration > Single Sign-On > SSO Groups

2. Download Lookout's IdP Metadata for the new SSO Group created

3. Configure the SaaS App as a SAML SP in Lookout: Enterprise Integration > Single Sign-On > SSO Providers

4. Select Type as Cloud Service Provider and the configured SSO Group

5. Select the Application, upload the SP Metadata file and Validate

6. Configure Lookout as IdP in the SaaS app

This will differ based on the SaaS Application being integrated
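Steps 2 and 5 above exchange SAML metadata files in both directions. The following is an added example, not part of the original guide and not Lookout's own code: a small stdlib-only Python checker that parses an EntityDescriptor (SP or IdP) and reports the settings worth reviewing before the file is uploaded, i.e. whether a signing certificate is published, whether signed requests/assertions are required, and whether every endpoint is HTTPS. The two metadata documents embedded below are constructed samples with placeholder entity IDs and certificate bodies.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _signing_certs(descriptor):
    """Return the X509Certificate bodies that may be used for signing in a role descriptor."""
    certs = []
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    certs.append(cert.text.strip())
    return certs


def check_metadata(xml_text: str) -> dict:
    """Parse one EntityDescriptor and list the findings a reviewer would raise before uploading it."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")

    findings = []
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        role, desc, endpoint_tag = "SP", sp, "md:AssertionConsumerService"
        # Without these flags the SP sends unsigned requests / accepts unsigned assertions.
        if desc.get("AuthnRequestsSigned") != "true":
            findings.append("SP does not sign AuthnRequests (AuthnRequestsSigned != true)")
        if desc.get("WantAssertionsSigned") != "true":
            findings.append("SP does not require signed assertions (WantAssertionsSigned != true)")
    elif idp is not None:
        role, desc, endpoint_tag = "IdP", idp, "md:SingleSignOnService"
        if desc.get("WantAuthnRequestsSigned") != "true":
            findings.append("IdP accepts unsigned AuthnRequests (WantAuthnRequestsSigned != true)")
    else:
        raise ValueError("EntityDescriptor has neither SPSSODescriptor nor IDPSSODescriptor")

    if not _signing_certs(desc):
        findings.append("%s metadata carries no signing certificate" % role)

    endpoint_name = endpoint_tag.split(":")[1]
    endpoints = []
    for ep in desc.findall(endpoint_tag, NS):
        location = ep.get("Location", "")
        endpoints.append((ep.get("Binding", ""), location))
        if not location.startswith("https://"):
            findings.append("%s endpoint is not HTTPS: %s" % (endpoint_name, location))
    if not endpoints:
        findings.append("no %s endpoint published" % endpoint_name)

    return {
        "role": role,
        "entity_id": root.get("entityID", ""),
        "endpoints": endpoints,
        "findings": findings,
    }


# Constructed SP metadata (placeholder entity ID and certificate body): everything in order.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata: one SSO endpoint was published over plain HTTP.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml/idp">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BODY</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for doc in (SP_METADATA, IDP_METADATA):
        result = check_metadata(doc)
        print(result["role"], result["entity_id"], result["findings"])
```

Run it against the metadata file exported from Lookout or from the SaaS application before the Validate step; an empty findings list means the file at least publishes a signing key, asks for signed messages and uses only HTTPS endpoints, which is the baseline to expect from either side of the federation.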

SAML Integration between ZTA (as IdP) and Lookout (as SP)

1. Navigate back to the new SSO Group created in the last section

2. Download Lookout's SP Metadata

3. Configure the SaaS App as a SAML SP in Lookout: Enterprise Integration > Single Sign-On > SSO Providers

4. Select Type as Cloud Service Provider and the configured SSO Group

5. Select the Application, upload the SP Metadata file and Validate

6. Configure Lookout as IdP in the SaaS app

This will differ based on the SaaS Application being integrated

Identity Proxy Routing

1. Configure Identity Proxy Routing: Administration > Enterprise Integration > Single Sign-On > Identity Proxy Routing

2. Create a New Routing Policy

3. Select the SSO Group created previously

4. Select the Ivanti NZTA IdP and the Cloud Service Provider

5. Associate to create a new routing policy

Configure NZTA as SAML IdP for Proxy Auth

1. Configure NZTA as a SAML IdP in Lookout: Enterprise Integration > Single Sign-On > SSO Providers

2. Upload the NZTA Metadata file and Validate

3. Configure Lookout as a Service Provider in the IdP

4. Download the Lookout SP Metadata: Enterprise Integration > Single Sign-On > SSO Providers

5. Upload the SP metadata in the NZTA Controller (IdP)

Add the mail and email attributes:

Attribute: subject_name_format, Value: other

Attribute: mail, Value: <username>

Attribute: email, Value: <username>

6. Enable Proxy Auth: Administration > System Settings > Enterprise Authentication
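The attribute mapping in step 5 determines what the NZTA Controller puts into the SAML assertion that Lookout consumes. The following is an added example, not part of the original guide and not NZTA's or Lookout's code: a stdlib-only Python check that inspects an assertion and confirms that the `mail` and `email` attributes are present and non-empty, that the Subject carries a NameID with a Format, and that the AudienceRestriction names the expected Lookout SP entity ID. The assertions embedded below are constructed samples with placeholder issuer, audience and username values; the check deliberately does no signature verification, which the SAML library on the SP side must do before any of these fields are trusted.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}


def check_assertion(xml_text: str, expected_audience: str, required=("mail", "email")) -> dict:
    """Report whether an assertion carries the subject and attributes the SP integration expects.

    This only inspects content; XML signature validation is assumed to have happened already.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 2.0 Assertion")
    findings = []

    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if not issuer:
        findings.append("Assertion has no Issuer")

    # Subject / NameID: the format attribute is what subject_name_format controls on the IdP side.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Subject has no NameID")
        name_id_value, name_id_format = "", ""
    else:
        name_id_value = name_id.text.strip()
        name_id_format = name_id.get("Format", "")
        if not name_id_format:
            findings.append("NameID has no Format attribute")

    # AudienceRestriction must name this SP, otherwise the assertion was minted for someone else.
    audiences = [
        a.text.strip()
        for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text and a.text.strip()
    ]
    if expected_audience not in audiences:
        findings.append("assertion is not restricted to audience %s (got %s)" % (expected_audience, audiences))

    # Collect every attribute, then verify the ones the mapping is supposed to add.
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [
            v.text.strip()
            for v in attr.findall("saml:AttributeValue", NS)
            if v.text and v.text.strip()
        ]
        attributes[attr.get("Name", "")] = values
    for name in required:
        if not attributes.get(name):
            findings.append("required attribute %r is missing or empty" % name)

    return {
        "issuer": issuer,
        "name_id": name_id_value,
        "name_id_format": name_id_format,
        "attributes": attributes,
        "findings": findings,
    }


# Constructed assertion (placeholder issuer/audience/user) with both mapped attributes present.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://nzta-controller.example.test/saml/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://lookout-sp.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with the 'email' mapping forgotten on the IdP: the checker must flag it.
MISSING_EMAIL_ASSERTION = GOOD_ASSERTION.replace(
    '<saml:Attribute Name="email"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>', ""
)

EXPECTED_AUDIENCE = "https://lookout-sp.example.test/saml"  # placeholder Lookout SP entity ID

if __name__ == "__main__":
    for doc in (GOOD_ASSERTION, MISSING_EMAIL_ASSERTION):
        result = check_assertion(doc, EXPECTED_AUDIENCE)
        print(result["name_id"], result["name_id_format"], result["findings"])
```

Paste a decoded assertion captured from a test login into this check when the proxy login fails after step 6: a missing or empty `mail`/`email` attribute, or a NameID without a Format, points at the attribute mapping rather than at the metadata exchange.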