Azure with AWS SSO

OPSWAT MetaAccess can be integrated into an Azure and AWS SSO setup so that a device is checked for compliance with the organization's security policy before it is granted access to the AWS Console. The user is then not only authenticated by Azure, but the device used to reach SaaS applications is also tested for risks and vulnerabilities, such as infections or outdated operating systems, BEFORE it accesses the organization's cloud services.

Follow the steps below to integrate MetaAccess with your Microsoft Azure and AWS SSO. More detail on each step is available at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Log into the MetaAccess console

  2. Navigate to Secure Access > Protected Apps

  3. Check "Enable Secure Access".

  4. Click SAVE.

    images/download/attachments/7617000/image2020-11-23_21-6-55.png

Step 2. Create AWS application on Microsoft Azure

  1. Log into Azure Portal as Administrator

  2. Click Azure Active Directory on the left navigation

    images/docs.microsoft.com/en-us/azure/active-directory/media/active-directory-saas-dropboxforbusiness-tutorial/tutorial_general_01.png
    The Azure Active Directory button

  3. Navigate to Enterprise applications > All applications.

    images/docs.microsoft.com/en-us/azure/active-directory/media/active-directory-saas-dropboxforbusiness-tutorial/tutorial_general_02.png
    The Enterprise applications blade

  4. Create a Non-gallery application

    images/download/attachments/7616650/image2020-9-9_10-38-19.png
  5. Enter placeholder values for the fields in Basic SAML Configuration, then click Save. You will replace these values with the real ones in Step 5.

    images/download/attachments/7616650/image2020-11-24_16-37-53.png
  6. Download the Azure certificate: MetaAccess uses it to verify that the SAML responses it receives were signed by your Azure AD tenant.
    Select Single sign-on in the left navigation, scroll down to the SAML Signing Certificate section and click "Certificate (Base64)" to download the Azure certificate.

    images/download/attachments/7616650/image2020-11-24_16-39-30.png
  7. Collect the IdP Login URL: scroll down and copy Login URL. Store it somewhere for later use. For example https://login.microsoftonline.com/60244d0a-5473-4468-b743-f9cc479b7dab/saml2

    images/download/attachments/7616650/image2020-11-24_16-40-46.png
  8. Collect the IdP issuer: scroll down and copy Azure AD Identifier

    images/download/attachments/7616650/image2020-11-24_16-48-34.png
  9. Collect the User access URL: select Properties and copy User access URL
    images/download/attachments/7616650/image2020-11-24_16-41-9.png

  10. Assign the users/groups that should be able to sign in to this application

Step 3. Add application and configure Access Rules on MetaAccess

  1. Log into the MetaAccess console.

  2. Navigate to Secure Access > Protected Apps

  3. Click Add Protected Application, then choose the IDP METHOD option

  4. Choose Add new IDP, enter a name and upload the Azure certificate downloaded in Step 2.6. Then click Continue
    images/download/attachments/7616650/image2020-11-24_21-10-42.png

  5. Enter the required fields

    1. Application: the application name, for example: aws

    2. IDP: choose the IDP created in the previous step

    3. IdP Login URL: fill in the link you collected in Step 2.9 (the User access URL)

    4. App ACS URL: fill in the link you collected in Step 2.7 (the Login URL)

    5. Access Mode: pick the access mode you prefer. See details on the access modes at Step 2. Add protected applications with IdP Method

      images/download/attachments/7616650/image2020-11-24_21-12-9.png
  6. Enter your PIN, then click SAVE

  7. After the changes are saved, a popup appears. Copy the URL MetaAccess generated there and download the Opswat certificate. Both are needed on the AWS SSO side in Step 4 and the URL is also needed in Azure in Step 5.

    images/download/attachments/7617000/image2020-11-23_21-46-39.png
  8. Configure Access Rules. You can skip this step if you have already configured rules in the past, or use the default rules

    1. Navigate to Secure Access > Rules

    2. Click "ADD NEW RULE" to add a new rule for this application, or update an existing access rule to include this application

    3. For a new access rule, specify when a device should be blocked from, or allowed to access, the application

      1. Rule name: a name for the rule, for example Block non-compliant devices

      2. Action: Block or Allow

      3. Configure the conditions that trigger the action. Details at Step 3. Configure Access Rules

    4. Click ADD RULE
      images/download/attachments/7617000/image2020-11-23_21-51-2.png

Step 4. Configure SSO setting on AWS SSO

  1. Log in to your AWS console, go to AWS SSO > Settings, then click the Change link in the Identity source section

  2. Go to the Identity provider metadata section

  3. Fill IdP sign-in URL with the MetaAccess URL from Step 3.7

  4. Fill IdP issuer URL with the Azure AD Identifier from Step 2.8

  5. Upload the Opswat certificate from Step 3.7 as the IdP certificate. Do not upload the Azure certificate here: AWS SSO must trust only assertions signed by MetaAccess, otherwise an assertion signed by Azure could be presented to AWS SSO without ever passing the device check.

  6. Click Next: Review
    images/download/attachments/7616650/image2020-11-24_21-15-46.png

  7. Expand the metadata values in the Service provider metadata section, then copy AWS SSO Sign-in URL and AWS SSO issuer URL

    images/download/attachments/7616650/image2020-11-24_21-21-0.png

Step 5. Update Applications settings on Azure

  1. Log into the Azure Portal as Administrator

  2. Navigate to the application you created in Step 2

  3. Select Single sign-on

  4. Click the edit icon (pencil icon) on Basic SAML Configuration section

  5. Replace Identifier with the AWS SSO issuer URL from Step 4.7
    Replace Reply URL with the MetaAccess URL from Step 3.7 (Azure posts its SAML response to this URL, which is what routes every login through MetaAccess)
    Replace Sign on URL with the AWS SSO Sign-in URL from Step 4.7

    images/download/attachments/7616650/image2020-11-24_21-18-13.png
  6. Click Save

Step 6: Test your integration

Follow the guideline at Step 6: Test your integration to verify that the integration works as you expect.
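One check worth adding to the test is to confirm that the SAML response AWS SSO actually receives was signed with the Opswat certificate from Step 3.7, not with the Azure certificate. Issuer alone cannot tell you this, because AWS SSO is configured with the Azure AD Identifier as issuer (Step 4.4) while the signer is MetaAccess. The script below is an added example, not OPSWAT or AWS code: it assumes you have captured the base64 SAMLResponse POSTed to the AWS SSO ACS URL (for example with a browser SAML tracer extension) and have the Opswat PEM file. It does not verify the XML signature itself (AWS SSO does that); it extracts Issuer, Destination and the embedded signing certificate and compares the certificate fingerprint. The tenant ID, ACS URL and certificate bodies in the sample data are constructed placeholders.

```python
# Added example (not OPSWAT or AWS code): inspect the SAMLResponse that AWS SSO
# receives and confirm it carries the Opswat signing certificate from Step 3.7,
# i.e. that MetaAccess was in the chain. Runs offline on constructed data.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def der_fingerprint(b64_der: str) -> str:
    """SHA-256 hex fingerprint of a base64-encoded DER certificate (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of a PEM file such as the Opswat certificate downloaded in Step 3.7."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return der_fingerprint(body)


def inspect_saml_response(saml_response_b64: str) -> dict:
    """Pull Issuer, Destination and every embedded signing certificate out of a SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    certs = [c.text for c in root.iter("{%s}X509Certificate" % NS["ds"]) if c.text]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "signer_fingerprints": sorted({der_fingerprint(c) for c in certs}),
    }


def verify_chain(saml_response_b64: str, expected_issuer: str,
                 expected_acs: str, opswat_pem: str) -> list:
    """Return a list of problems; an empty list means the response looks like it came via MetaAccess.

    The XML signature is not cryptographically verified here (AWS SSO does that);
    the point is to see which certificate the signer presented.
    """
    info = inspect_saml_response(saml_response_b64)
    problems = []
    if info["issuer"] != expected_issuer:
        problems.append("unexpected Issuer %r" % info["issuer"])
    if info["destination"] != expected_acs:
        problems.append("Destination %r is not the AWS SSO ACS URL" % info["destination"])
    if pem_fingerprint(opswat_pem) not in info["signer_fingerprints"]:
        problems.append("not signed with the Opswat certificate: MetaAccess may have been bypassed")
    return problems


# --- constructed test data: placeholder tenant, ACS URL and fake certificate bodies ---
OPSWAT_B64 = base64.b64encode(b"constructed DER body standing in for the Opswat certificate").decode()
AZURE_B64 = base64.b64encode(b"constructed DER body standing in for the Azure AD certificate").decode()
OPSWAT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % OPSWAT_B64
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # Azure AD Identifier (Step 2.8), placeholder
EXPECTED_ACS = "https://example.signin.aws.amazon.com/platform/saml/acs/example"    # AWS SSO ACS URL, placeholder


def build_sample_response(issuer: str, acs: str, cert_b64: str) -> str:
    """Build a minimal SAMLResponse with a KeyInfo certificate for offline testing, base64-encoded."""
    xml = (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" '
        'ID="_r1" Version="2.0" Destination="%s">'
        '<saml:Issuer>%s</saml:Issuer>'
        '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature>'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>%s</saml:Issuer></saml:Assertion>'
        '</samlp:Response>'
    ) % (NS["samlp"], NS["saml"], NS["ds"], acs, issuer, cert_b64, issuer)
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    via_metaaccess = build_sample_response(EXPECTED_ISSUER, EXPECTED_ACS, OPSWAT_B64)
    direct_azure = build_sample_response(EXPECTED_ISSUER, EXPECTED_ACS, AZURE_B64)
    print("via MetaAccess:", verify_chain(via_metaaccess, EXPECTED_ISSUER, EXPECTED_ACS, OPSWAT_PEM))
    print("direct Azure:  ", verify_chain(direct_azure, EXPECTED_ISSUER, EXPECTED_ACS, OPSWAT_PEM))
```

On a real capture, replace the placeholders with your Azure AD Identifier, your AWS SSO ACS URL and the contents of the downloaded Opswat PEM, and pass the captured SAMLResponse string to verify_chain. If the Azure fingerprint shows up instead of the Opswat one, the login did not go through the Reply URL set in Step 5 and the device check was not applied.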

DONE! CONGRATULATIONS.