G-Suite with AWS SSO

OPSWAT MetaAccess can be integrated with an existing G-Suite and AWS SSO integration to ensure that a device complies with the organization's security policy before it is granted access to the AWS Console. The user is then not only authenticated by G-Suite: the device used to reach the SaaS application is also checked for risks and vulnerabilities, such as infections or an outdated operating system, BEFORE it reaches the organization's cloud services.

To enforce a device posture check before a device is granted access to AWS through G-Suite, you need a working G-Suite and AWS SSO integration first; MetaAccess is inserted into that existing SAML flow.

After configuring SSO, test it to make sure that sign-in works as expected before adding MetaAccess.

Now you can integrate MetaAccess with your G-Suite and AWS SSO setup by following the steps below. More detail on each step is available at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Log into the MetaAccess console

  2. Navigate to Secure Access > Protected Apps

  3. Check "Enable Secure Access".

  4. Click SAVE.


Step 2. Add protected applications with IdP Method on MetaAccess

  1. Log into G-Suite admin console

  2. Go to Apps > Web and mobile apps, then click your application (for example: AWS)

  3. Download the G-Suite certificate: the next step imports the G-Suite signing certificate into MetaAccess. This lets MetaAccess verify that sign-in responses really come from your trusted G-Suite IdP (they are signed with the key behind this certificate). Download the certificate as follows:

    1. Click Download Metadata on the left, then click the download button to download the certificate
  4. Collect the IdP Login URL

    1. In the Download Metadata popup, scroll down and copy the SSO URL
  5. Collect the AWS SSO Sign-in URL

    1. Log in to your AWS console, then go to AWS SSO > Settings and click the Change link in the Identity source section

    2. Click Show individual metadata values, then copy the AWS SSO Sign-in URL

  6. Add the AWS application on MetaAccess:

    1. Log into the MetaAccess console.

    2. Navigate to Secure Access > Protected Apps

    3. Click Add Protected Application, then choose the IDP METHOD option

    4. Choose Add new IDP, enter a name and upload the certificate obtained in step 2.3. Then click Continue

    5. Enter the required fields

      1. Application: the application name, for example aws

      2. IDP: choose the IDP created in the previous step

      3. IdP Login URL: the G-Suite SSO URL you copied in Step 2.4

      4. App ACS URL: the AWS SSO Sign-in URL you copied in Step 2.5

      5. Access Mode: pick the access mode you prefer. See details on the access modes at Step 2. Add protected applications with IdP Method

      MetaAccess sends the user to the IdP Login URL to sign in and delivers the result to the App ACS URL, so these two URLs must not be swapped.
    6. Enter your PIN, then click SAVE

  7. After the changes are saved, a popup shows the URL MetaAccess generated and a download link for the OPSWAT certificate. Copy the URL and download the certificate; both are needed in Steps 3 and 4.
  8. Configure Access Rules. Skip this step if you have already done it or want to use the default rules

    1. Navigate to Secure Access > Rules

    2. Click ADD NEW RULE to add a rule for this application, or update an existing access rule to include this application

    3. In a new access rule, specify when a device is blocked from or allowed access to the application:

      1. Rule name: a rule name, for example Block non-compliant devices

      2. Action: Block or Allow

      3. Configure the conditions that trigger the action. Details at Step 3. Configure Access Rules

    4. Click ADD RULE

Step 3. Update the application settings on G-Suite

  1. Log into G-Suite admin console

  2. Navigate to your application

  3. Open the Service provider details section and replace the ACS URL with the MetaAccess URL obtained in step 2.7. From now on G-Suite sends its SAML response to MetaAccess instead of directly to AWS SSO, which is what lets MetaAccess run the device check before the user reaches AWS.
  4. Click Save

Step 4. Configure SSO settings on AWS SSO

  1. Log in to your AWS console, then go to AWS SSO > Settings and click the Change link in the Identity source section

  2. Go to the Identity provider metadata section

  3. Fill IdP sign-in URL with the MetaAccess URL obtained in step 2.7

  4. Upload the OPSWAT certificate obtained in step 2.7 as the IdP certificate. AWS SSO will now trust only assertions signed with the key behind this certificate, i.e. those issued through MetaAccess, and no longer assertions signed directly by G-Suite

  5. Click Next: Review

Step 5. Test your integration

Follow the guideline at Step 6: Test your integration to verify that the integration works as expected.

DONE! CONGRATULATIONS.