Securing SaaS (Software-as-a-Service) applications like Salesforce, Microsoft 365, or Slack involves more than just identity; it requires ensuring that traffic originates from a trusted source.
Overview
A Cipherscale SaaS Application represents the fully qualified domain name (FQDN), IPv4 or IPv6 address, or subnet of a public SaaS application, such as salesforce.com or zendesk.com.
The primary purpose of defining a SaaS application in Cipherscale is to isolate the public application from the general internet. This is accomplished through a process called "IP Pinning" or allowlisting, where you configure the SaaS provider to only accept login sessions and traffic that originate from your specific Cipherscale Gateway IP addresses. Once configured, a self-hosted Cipherscale Gateway securely brokers access to the application for your users. By forcing all traffic to the SaaS application through these Gateways, organizations can ensure that:
- "Off-network" access is eliminated, ensuring compliance by preventing users from bypassing security controls.
- Zero Trust controls are strictly enforced, as access to the SaaS application is continuously evaluated against granular Access Policies and contextual Admission Rules (such as time of day, location, or device posture).
- Least privilege principles are applied, ensuring users are only granted the specific access they need, which minimizes overall exposure.
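One way to check that IP pinning is holding, shown as an added example that is not Cipherscale code or part of the original article: compare the source IPs in a SaaS provider's login-history export against the Gateway egress addresses. The Gateway addresses, the CSV column names and the log rows below are constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed Gateway egress addresses (documentation ranges, not real Cipherscale IPs).
GATEWAY_EGRESS = ["203.0.113.10", "198.51.100.0/28", "2001:db8:10::/64"]

# Constructed sample of a SaaS login-history export (hypothetical column names).
SAMPLE_LOGINS = """timestamp,user,source_ip,status
2024-05-01T08:01:12Z,alice@example.com,203.0.113.10,Success
2024-05-01T08:05:40Z,bob@example.com,198.51.100.7,Success
2024-05-01T09:13:02Z,carol@example.com,192.0.2.55,Success
2024-05-01T09:14:31Z,dave@example.com,2001:db8:10::a1,Success
2024-05-01T10:22:09Z,erin@example.com,2001:db8:ffff::1,Failed
2024-05-01T10:30:00Z,frank@example.com,::ffff:203.0.113.10,Success
2024-05-01T11:00:00Z,grace@example.com,not-an-ip,Success
"""

def normalize(raw):
    """Parse an address; unwrap IPv4-mapped IPv6 so ::ffff:a.b.c.d matches a.b.c.d."""
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def audit_logins(log_text, gateway_entries):
    """Return (user, source_ip, reason) for every login outside the Gateway ranges."""
    # strict=False lets a single host address stand in for a /32 or /128 network.
    networks = [ipaddress.ip_network(e, strict=False) for e in gateway_entries]
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            addr = normalize(row["source_ip"])
        except ValueError:
            findings.append((row["user"], row["source_ip"], "unparseable"))
            continue
        # Membership tests across IPv4/IPv6 return False rather than raising.
        if any(addr in net for net in networks):
            continue
        # A success from outside the allowlist means pinning is not enforced there.
        reason = "outside-success" if row["status"] == "Success" else "outside-failed"
        findings.append((row["user"], row["source_ip"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOGINS, GATEWAY_EGRESS):
        print(finding)
```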
Maximize your efficiency by navigating to SaaS Access before entering prompts. You’ll gain instant visibility into the Detail Panes to verify Copilot’s actions and receive tailored Prompt Catalysts to help guide your next steps.
The Intent: What the AI Needs
- Name (required): A descriptive label for the resource (max 40 characters). Example: Salesforce
  Note: No special characters like . or @.
- Address (required): The Fully Qualified Domain Name (FQDN) or Domain (e.g., salesforce.com) of the SaaS application.
- Protocols (required): The protocols used to access the resource. Common options: SSH, HTTPS, HTTP, RDP, ICMP. Custom protocols (e.g., TCP 9000, UDP 5000–5100). For no restrictions, specify ALL PORTS.
- Description (optional): A short description of the resource (max 120 characters). Example: CRM application
Note: To make the resource fully functional, you'll also need:
- A gateway assigned — routes traffic to the resource through Cipherscale. Mission: Assigning Resources to Gateways
- An access policy — defines who can access the SaaS app and under what conditions. Mission: Crafting Access Policies
Interaction Flow
| Step | Participant | Action/Content |
|---|---|---|
| 1. The Prompt | Admin | "Add a new SaaS Application" |
| 2. The Draft | AI Copilot | "I'd be happy to help you create a new SaaS application (resource)! I just need a few details: |
| 3. The Prompt | Admin | “Name the SaaS app ‘Salesforce’ and use domain of salesforce.com” |
| 4. The Draft | AI Copilot | "I'll create that SaaS resource for you right away! Create SAAS resource 'Salesforce'. Creating a SAAS resource to enable controlled access to Salesforce for authorized users and groups. { Resource Name: "Salesforce", Resource Type: "SAAS", Domain: "salesforce.com", Protocol: "HTTPS (TCP/443)", Description: "Access to Salesforce.com" } Confirm or Cancel?" |
| 5. Validation | Admin | "Confirm." |
| 6. Result | AI Copilot | ✅ Action confirmed, proceeding with execution of operation. The Salesforce SaaS application has been successfully created! Here's a summary: |
| 7. Follow Up | AI Copilot | The resource is ready to use. Would you like to create a policy to control access to this application, or is there anything else you'd like to configure? |
Creation Prompt Examples
- "Create a SaaS resource for Salesforce at salesforce.com with HTTPS protocol."
- "Add Slack as a SaaS resource using slack.com with HTTPS and DNS protocols."
- "Create a SaaS resource named Workday at workday.com with HTTPS access and description 'HR platform'."
- "Add Jira Cloud as a SaaS resource at yourcompany.atlassian.net with HTTPS protocol."
- "Create a SaaS resource for Microsoft 365 at microsoft365.com using all ports."
Read / List Prompt Examples
- "List all my SaaS resources."
- "Show me the details of the Salesforce SaaS resource."
- "Which gateways are assigned to the Slack SaaS resource?"
Update Prompt Examples
- "Update the Salesforce SaaS resource description to 'CRM platform for the sales team'."
- "Rename the Workday SaaS resource to 'Workday HCM'."
- "Assign the US-East gateway to the Slack SaaS resource."
Delete Prompt Examples
- "Delete the Salesforce SaaS resource."
- "Remove the Slack SaaS resource from the system."
Navigate to SaaS Access using the Navigation Menu and use the Details Ribbon to verify the Copilot actions or view the current system state.
The SaaS Applications Data Grid: Click SaaS Applications on the Details Ribbon to view the data grid listing SaaS Applications with their Name and Status, Description, Address and Protocol, Gateway, and Access Policy. The copy icon appears when hovering over a SaaS Application's name, making it easy to copy and paste it into the Intent Bar for use with a prompt. Search allows quick filtering of the rows to show the matching SaaS names.
A Specific SaaS Application's Data Grid: To view details for a specific application, click that application's name. You will see details such as the Status, Addresses and Protocols. Data Grids for the associated Gateways and Access Policies are also displayed. The Load Balancing mode is also displayed in the Gateways section. To go back to the SaaS Applications Data Grid, click SaaS Applications from the breadcrumb.
SaaS Applications Status
The status is visually represented by the following colors:
- Orange: No Gateway Selected.
- Red: Offline.
- Green: Online.
Verify the SaaS Application Status:
Check the visual status of the SaaS Application in the administration portal's SaaS Applications tab. Green means it is online, Red means it is offline, and Orange indicates that no gateway has been selected for it yet.
Ensure Gateway Routing and Reachability:
SaaS access relies on a Gateway deployed with internet access. If a resource is unreachable, verify that the Gateway assigned to it is placed in a network that can actually route traffic to that specific application or service.
Audit Assigned Policies and Gateways:
If a user cannot connect, you can easily verify the resource's configuration by navigating to SaaS Access > SaaS Applications and clicking on the resource's row. This will display the Gateways and Access Policies sections currently associated with it. Remember that access is denied by default unless an explicitly configured Access Policy grants it, and that policy will only grant access if its linked Admission Rules are successfully met.
Leverage AI Root Cause Analysis (RCA):
You can use the AI-native conversational interface to diagnose access issues instantly. By asking a plain-English query like, "Why can't User A access Salesforce?", the AI will correlate access policies, admission rules, gateway reachability, and real-time logs to surface the exact point of failure.