ADFS Proxy with O365 using WS-Federation

OPSWAT MetaAccess can be easily integrated with ADFS Proxy to ensure that a device is compliant with the organization's security policy before it is granted access to O365. This ensures that the device is not only authenticated by the IdP, but also tested for risks and vulnerabilities such as infections or unpatched operating system versions, BEFORE it accesses an organization's cloud services.

To get started, set up SSO between AD FS and O365 manually before integrating OPSWAT MetaAccess to enforce a device posture check ahead of granting a device access to O365 through ADFS Proxy. The following are required:

  1. A domain.

  2. An Active Directory instance.

  3. Add your domain to Office 365.

  4. Install Windows PowerShell for Azure Active Directory.

  5. Install ADFS server.

  6. Use Azure AD Connect to enable Single Sign-On to Office 365.

Installing and configuring the ADFS server and enabling SSO to Office 365 are beyond the scope of this tutorial. This tutorial uses screenshots from Server 2012R2, but similar steps should be possible on other versions.

You can now integrate MetaAccess with your ADFS by following the steps below. More details for each step are available at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Login to the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. Check the "Enable access control" box and configure a port for the cross-domain API. Note that you must select a port on which no application on the endpoints is listening.

    images/download/attachments/29935083/image2018-4-10_7-57-12.png


  4. Click SAVE.

Step 2. Import Identity Providers and Applications

  1. The next step is importing the ADFS signing certificate into MetaAccess. This allows MetaAccess to verify users signing in through a trusted IdP. Each identity provider has a unique X.509 certificate. Download the ADFS signing certificate by following these steps:

    1. Login to Windows Server

    2. Open Server Manager

    3. Click Tools

    4. Click AD FS Management

    5. Expand Service

    6. Click Certificates

    7. Double-click the "Token-signing" certificate that is used to sign your responses

      images/download/attachments/29935083/image2018-4-5_16-47-12.png
    8. Click Copy to File to export the certificate. This opens the Certificate Export Wizard. Click Next; when asked which format to export the certificate in, choose Base-64 encoded X.509

      images/download/attachments/29935083/image2018-4-5_16-50-57.png

  2. Collect the IdP Login URL
    In this case, the IdP Login URL is https://login.microsoftonline.com/login.srf

  3. Add the ADFS Identity Provider. If you already have ADFS IdP settings on your MetaAccess account, go to step 4 to add the O365 application.

    1. Login to the MetaAccess console

    2. Navigate to Access Control and then Configurations

    3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

    4. Fill in required fields for the Identity Provider

      1. IdP Name: an IdP name, for example: ADFS

      2. IdP Certificate: upload the ADFS certificate you downloaded in Step 2.1

        images/download/attachments/29935083/image2018-4-10_8-5-17.png
    5. Click Add IDP

    6. Click SAVE

  4. Add the O365 application:

    1. Expand the ADFS IdP settings you have just added in Step 2.3 above.

    2. Click Add New Application

    3. Enter the required fields

      1. Application: application name, for example: O365

      2. IDP Login URL: the login URL you collected in Step 2.2

      3. Login URL: https://login.microsoftonline.com/login.srf

      4. Logout URL: https://login.microsoftonline.com/logout.srf

      5. Access Mode: pick an access mode you prefer. See details on the access modes at Step 2. Import Identity Providers and Applications

        images/download/attachments/29935083/image2018-5-17_15-38-4.png
    4. Click SAVE

  5. After saving your changes successfully, click the Setup Instructions button of the O365 application you have just added and copy the URL that MetaAccess generated there. This URL replaces the O365 login URL on ADFS (Step 4).

    images/download/attachments/29935083/image2018-4-9_11-18-43.png

Note: you can add the O365 application (step 2.4) at the same time as you add the ADFS IdP settings.
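Step 2.1 can also be done without the AD FS Management GUI. The following script is an added example, not part of the OPSWAT page: run on the AD FS server, it picks the primary token-signing certificate and writes it in the same Base-64 encoded X.509 format the export wizard produces, then prints the thumbprint so it can be cross-checked against what the console shows. It assumes the ADFS PowerShell module is available (it is on an AD FS server) and uses an output path under the current user's profile; both are assumptions, not something the page specifies.

```powershell
# Added example (not from the OPSWAT page): export the primary AD FS token-signing
# certificate as Base-64 X.509 from PowerShell, as an alternative to Step 2.1's GUI steps.
# Assumes the ADFS module (present on an AD FS server) and AD FS administrator rights.
Import-Module ADFS

# AD FS can hold a secondary token-signing certificate during automatic rollover;
# only the primary one signs tokens today, so that is the one MetaAccess needs.
$signing = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary } |
    Select-Object -First 1
if (-not $signing) { throw "No primary token-signing certificate found" }

$cert = $signing.Certificate   # X509Certificate2 object behind the AD FS entry

# "Base-64 encoded X.509" is the DER export, Base-64 encoded in 64-character lines
# and wrapped in PEM markers, which matches what the Certificate Export Wizard writes.
$der     = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64     = [Convert]::ToBase64String($der)
$wrapped = ($b64 -replace '(.{64})', "`$1`r`n").TrimEnd()
$pem     = "-----BEGIN CERTIFICATE-----`r`n$wrapped`r`n-----END CERTIFICATE-----`r`n"

$outFile = Join-Path $env:USERPROFILE 'adfs-token-signing.cer'   # assumed output path
Set-Content -Path $outFile -Value $pem -Encoding Ascii

# Values to compare with the certificate shown in AD FS Management before uploading
# the file as the IdP Certificate in Step 2.3.
[PSCustomObject]@{
    File       = $outFile
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
} | Format-List
```

The thumbprint is the value to compare, not the file name: uploading the service-communications or token-decrypting certificate by mistake produces a setup that looks complete but cannot validate any sign-in. If AD FS rolls the token-signing certificate over, the new primary has to be exported and uploaded again, because MetaAccess will not accept responses signed by a certificate it does not hold.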

Step 3. Configure Access Rules

  1. On MetaAccess console, navigate to Access Control and then Settings

  2. On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, or update an existing access rule to include this application

  3. For a new access rule, specify when a device's access to the application should be blocked or allowed

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow

    3. Configure the conditions that trigger the action. Details are at Step 3. Configure Access Rules

  4. Click ADD RULE

    images/download/attachments/29935083/image2018-4-10_8-7-43.png

Step 4. Update Passive Endpoints For Office 365 in AD FS Server

  1. Login to Windows Server

  2. Open Server Manager

  3. Click Tools

  4. Click AD FS Management

  5. Expand Trust Relationships

  6. Click Relying Party Trusts

  7. Double-click on "Microsoft Office 365 Identity Platform" and choose Endpoints tab
    images/download/attachments/29935083/Untitled.png

  8. Double-click the default endpoint and replace the Trusted URL with the URL from step 2.5

    images/download/attachments/29935083/image2018-4-9_12-32-27.png
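Step 4 can also be scripted on the AD FS server. The following is an added example and not part of the OPSWAT page; it assumes that the default endpoint of the Office 365 relying party trust shown in the GUI is the WS-Federation passive endpoint, which the ADFS module exposes as WSFedEndpoint, and it uses a placeholder for the MetaAccess URL from step 2.5. The previous value is written to a file first so the change can be reverted without the GUI.

```powershell
# Added example (not from the OPSWAT page): replace the Office 365 relying party trust's
# WS-Federation endpoint with the MetaAccess-generated URL from Step 2.5.
# Assumption: the "default Endpoint" in the GUI is the WS-Fed passive endpoint (WSFedEndpoint).
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'
# Placeholder: paste the URL copied from the MetaAccess "Setup Instructions" dialog (Step 2.5).
$metaAccessUrl = 'https://<metaaccess-generated-url-from-step-2.5>'

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Keep the original endpoint so the change can be reverted from PowerShell.
$backup = Join-Path $env:USERPROFILE ('o365-wsfed-endpoint-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
"$($rp.WSFedEndpoint)" | Set-Content -Path $backup -Encoding Ascii
Write-Host "Previous WS-Fed endpoint saved to $backup"

# Refuse to run with the placeholder still in place, and refuse anything but https:
# this endpoint receives the signed token, so it must not be downgraded to plain HTTP.
if ($metaAccessUrl -like '*<*') {
    throw 'Set $metaAccessUrl to the URL copied from MetaAccess before running'
}
$uri = [Uri]$metaAccessUrl
if ($uri.Scheme -ne 'https') { throw "Endpoint must use https, got $($uri.Scheme)" }

Set-AdfsRelyingPartyTrust -TargetName $rpName -WSFedEndpoint $uri

# Read back and confirm the trust now points at MetaAccess.
$after = Get-AdfsRelyingPartyTrust -Name $rpName
if (([Uri]$after.WSFedEndpoint).AbsoluteUri -ne $uri.AbsoluteUri) {
    throw "Endpoint was not updated; still $($after.WSFedEndpoint)"
}
"WS-Fed endpoint for '$rpName' is now $($after.WSFedEndpoint)"
```

To roll back, run Set-AdfsRelyingPartyTrust again with the URL saved in the backup file (for Office 365 this is the https://login.microsoftonline.com/login.srf value from Step 2.2).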

Step 5. Edit SSO settings on Office 365

Installing and configuring the AD FS server enables SSO for your domain, but you need to replace the SigningCertificate in the SSO settings so that it works with MetaAccess.

  1. Log in to Azure Active Directory via Windows PowerShell

    1. Log in to a computer that has Windows PowerShell for Azure Active Directory installed

    2. Start PowerShell, run the Connect-MsolService cmdlet, and enter your Office 365 domain administrator credentials when prompted

      C:\Windows\system32>Connect-MsolService
  2. Backup current SSO settings

    1. Run the Get-MsolDomainFederationSettings -DomainName <your domain> cmdlet to get the current SSO settings

    2. Note the following values:

      1. FederationBrandName

      2. IssuerUri

      3. LogOffUri

      4. PassiveLogOnUri

        images/download/attachments/29935083/Capture.PNG
  3. Click Download OPSWAT certificate to download the self-signed certificate that MetaAccess generated for your account

    images/download/attachments/29935083/image2018-4-10_7-59-45.png

  4. Update the existing settings

    1. Run the following cmdlet

      C:\Windows\system32>Set-MsolDomainAuthentication -DomainName <your domain> -Authentication Managed
    2. Run the Set-MsolDomainAuthentication cmdlet

      C:\Windows\system32>Set-MsolDomainAuthentication `
      -FederationBrandName <FederationBrandName in step 5.2> `
      -DomainName <Your Domain> `
      -Authentication Federated `
      -IssuerUri <Issuer in step 5.2> `
      -PassiveLogOnUri <Passive Endpoint in step 5.2> `
      -LogOffUri <LogOffUri in step 5.2> `
      -SigningCertificate <OPSWAT Certificate in step 5.3>

      Note: enter the certificate on a single line, without line breaks

    3. Run the following cmdlet to verify the configuration

      C:\Windows\system32>Get-MsolDomainFederationSettings -DomainName <Your Domain>

      Note: It can take some time for Office 365 to apply the new configuration
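Step 5 as one script, added here as an example that is not part of the OPSWAT page. It backs up the current federation settings to a JSON file before anything is changed, reads the OPSWAT certificate downloaded in step 5.3 and flattens it to the single-line Base-64 string the note above requires, runs the two Set-MsolDomainAuthentication calls in the page's order, and then verifies that Office 365 reports the new SigningCertificate. The domain name and the path of the downloaded certificate are placeholders, and the MSOnline module is assumed to be installed.

```powershell
# Added example (not from the OPSWAT page): Step 5 end to end.
# Placeholders: $domain and $opswatCertPath. Assumes the MSOnline module is installed.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 administrator credentials

$domain         = 'example.com'                                          # placeholder: your federated domain
$opswatCertPath = Join-Path $env:USERPROFILE 'opswat-metaaccess.cer'    # placeholder: file from step 5.3

# 5.2: back up the current settings so the change can be reverted.
$current = Get-MsolDomainFederationSettings -DomainName $domain
$backup  = Join-Path $env:USERPROFILE ('federation-settings-{0:yyyyMMdd-HHmmss}.json' -f (Get-Date))
$current | Select-Object FederationBrandName, IssuerUri, LogOffUri, PassiveLogOnUri, SigningCertificate |
    ConvertTo-Json | Set-Content -Path $backup -Encoding UTF8
Write-Host "Backed up federation settings for $domain to $backup"

foreach ($name in 'FederationBrandName', 'IssuerUri', 'LogOffUri', 'PassiveLogOnUri') {
    if ([string]::IsNullOrWhiteSpace($current.$name)) {
        throw "$name is empty in the current settings; is $domain actually federated?"
    }
}

# 5.3: the downloaded file may be Base-64 X.509 (PEM markers plus line breaks) or raw DER.
# Either way, reduce it to one line of Base-64, as the note in step 5.4.2 requires.
$raw  = [IO.File]::ReadAllBytes($opswatCertPath)
$text = [Text.Encoding]::ASCII.GetString($raw)
if ($text -match '-----BEGIN CERTIFICATE-----') {
    $b64 = $text -replace '-----BEGIN CERTIFICATE-----', '' -replace '-----END CERTIFICATE-----', '' -replace '\s', ''
} else {
    $b64 = [Convert]::ToBase64String($raw)
}
# Sanity check: it must parse as a certificate before it is published to Office 365.
$x509 = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList (, [Convert]::FromBase64String($b64))
Write-Host "Publishing signing certificate $($x509.Subject), thumbprint $($x509.Thumbprint), expires $($x509.NotAfter)"

# 5.4.1 / 5.4.2: the page's sequence is Managed first, then Federated with the new certificate.
# Federated sign-in for the domain is off between the two calls, so run them back to back.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed
Set-MsolDomainAuthentication `
    -DomainName          $domain `
    -Authentication      Federated `
    -FederationBrandName $current.FederationBrandName `
    -IssuerUri           $current.IssuerUri `
    -PassiveLogOnUri     $current.PassiveLogOnUri `
    -LogOffUri           $current.LogOffUri `
    -SigningCertificate  $b64

# 5.4.3: verify that the certificate Office 365 now reports is the one just uploaded.
$after = Get-MsolDomainFederationSettings -DomainName $domain
if ($after.SigningCertificate -ne $b64) {
    Write-Warning "SigningCertificate not yet updated; Office 365 can take some time to apply the change"
} else {
    Write-Host "Office 365 now trusts the OPSWAT certificate ($($x509.Thumbprint)) for $domain"
}
```

If the final check still warns after Office 365 has had time to apply the change, the JSON backup holds the previous IssuerUri, PassiveLogOnUri, LogOffUri and SigningCertificate, which is everything needed to re-run the two Set-MsolDomainAuthentication calls with the original values.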

Step 6: Test your integration

Follow the guideline at Step 6: Test your integration to verify that the integration works as expected.

DONE! CONGRATULATIONS.