Securing SaaS Applications with Banyan

Protect SaaS Applications by enabling Device Trust via Banyan's Cloud Access Security Broker (CASB) solution

Updated on Apr 21, 2023

This article describes features that are only available in the Banyan Enterprise edition and Banyan Unlimited edition.

Overview

Banyan uses OpenID Connect Federation flows to intercept authentication requests between your Identity Provider and the SaaS application to enforce Device Trust policies. Banyan’s security mechanism is designed to be completely transparent to both the user and the SaaS application.

The flow diagram below describes how Banyan’s Zero Trust access control security mechanism works for SaaS applications. Review the Apply Device Policies on SaaS Applications quick start guide to see how to enable device-based access control policies on a SaaS application using Banyan’s Zero Trust security framework.

Access to SaaS Applications

SaaS Application Authentication Methods

Banyan supports two techniques to enable Zero Trust policy-based access controls for your SaaS applications:

Banyan Federated
- In this technique, the SaaS application is configured for SAML/OIDC authentication using Banyan’s TrustProvider component. Zero Trust policies can be defined for each individual SaaS application.
IDP Routed
- In this technique, the SaaS application is configured for SAML/OIDC authentication using your Identity Provider, and your Identity Provider is configured to federate to Banyan’s TrustProvider component. Zero Trust policies are defined for groups of SaaS applications via IDP Federation logic.

As indicated in the diagram below, the two techniques accomplish the same policy-based access objective by using slightly different authentication flows.

You can use one or both techniques to secure your SaaS applications. The table below lists a few key considerations to take into account when deploying each technique:

	Banyan Federated	IDP Routed
Works with SaaS applications that use SAML
Works with SaaS applications that use OIDC
Technique works with all IDPs		(Most IDPs)
Granular policies per SaaS application		(Okta-OIE only)
Passwordless authentication using device certificate
No change to SaaS application SSO configuration
Easy configuration for small number of SaaS applications (~10)
Easy configuration for large number of SaaS applications (10+)

Sections

Apply Device Policies on SaaS Apps

Banyan Federated

Okta

Secure Single SaaS Application

Okta IP Whitelisting

OneLogin

Azure AD

Azure AD IP Whitelisting

Can’t find what you’re looking for?

We’re happy to help. Contact our team .