Microsoft Azure with OPSWAT SDP

OPSWAT MetaAccess can be integrated with an existing Microsoft Azure and legacy OPSWAT SDP deployment to ensure that a device is compliant with the organization's security policy before it is granted access to OPSWAT SDP. This means the user is not only authenticated by Microsoft Azure, but the device used to access SaaS applications is also checked for risks and vulnerabilities, such as infections or an outdated operating system, BEFORE it accesses the organization's cloud services.

Follow the steps below to integrate MetaAccess with your Microsoft Azure and legacy OPSWAT SDP. More details for each step are available at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Log into the MetaAccess console

  2. Navigate to Access Control > Configurations

  3. Check "Enable access control".

  4. Click SAVE.

Step 2. Create SDP app on Microsoft Azure

  1. Log into Azure Portal as Administrator

  2. Click Azure Active Directory on the left navigation

    (Screenshot: The Azure Active Directory button)

  3. Navigate to Enterprise applications > All applications.

    (Screenshot: The Enterprise applications blade)

  4. Create a Non-gallery application

  5. Enter placeholder values for the fields in Basic SAML Configuration, then click Save. You will update these fields in later steps.

  6. Add group claim for SAML Response

    1. Click Edit on section User Attributes & Claims

    2. Click "Add a group claim", choose the "All groups" option (or choose the specific groups you want to include in the SAML response), then click Save.

  7. Download the Azure certificate: this allows MetaAccess to verify that users are signing in through your trusted Azure tenant. Each identity provider has a unique X.509 signing certificate.
    Select Single sign-on on the left navigation, scroll down to the SAML Signing Certificate section and click "Certificate (Base64)" to download the Azure certificate. You will upload this certificate to the MetaAccess console later.

  8. Download the Azure metadata for the SDP app. This file will be uploaded to OPSWAT SDP to enable single sign-on for your users. Select Single sign-on on the left navigation, scroll down to the SAML Signing Certificate section and click "Federation Metadata XML" to download the IdP metadata file.

  9. Collect the IdP Login URL. Scroll down and copy the Login URL. Store it somewhere for later use, for example: https://login.microsoftonline.com/60244d0a-5473-4468-b743-f9cc479b7dab/saml2

  10. Collect the User access URL. Select Properties and copy the User access URL.

  11. Assign your users/groups to this application

Step 3. Configure Application and Access Rules on MetaAccess

  1. Add the Azure Identity Provider. If you already have Azure IdP settings on your MetaAccess account, go to step 3.2 to add the SDP application.

    1. Log into the MetaAccess console

    2. Navigate to Access Control > Configurations

    3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

    4. Fill in required fields for the Identity Provider

      1. IdP Name: an IdP name, for example: Azure

      2. IdP Certificate: upload Azure certificate you downloaded in Step 2.7

    5. Click Add IDP

    6. Click SAVE and confirm the change with your PIN

  2. Add SDP application:

    1. Expand the Azure IdP settings you have just added in Step 3.1 above.

    2. Click Add New Application

    3. Enter the required fields

      1. Application: application name, for example: SDPClient

      2. IdP Login URL: the embedded "User access URL" you collected in Step 2.10

      3. Application ACS URL: the embedded "Login URL" you collected in Step 2.9

      4. Access Mode: pick the access mode you prefer. See details on the access modes at Step 2. Add protected applications with IdP Method

    4. Click SAVE and confirm the change with your PIN

  3. After saving your changes successfully, click the Setup Instructions button of the SDPClient application you have just added and copy the URL MetaAccess generated there. This URL replaces the Reply URL (Assertion Consumer Service URL) on Azure.

  4. Configure Access Rules (skip this step if you have already configured rules or want to use the default rules):

    1. On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, or update an existing access rule to include this application

    2. For a new access rule, specify whether devices should be blocked from or allowed access to the application

      1. Rule name: a rule name, for example Block non-compliant devices

      2. Action: Block or Allow

      3. Configure the conditions that trigger the action. Details at Step 3. Configure Access Rules

    3. Click ADD RULE

Step 4. Configure SSO settings on SDP

  1. Download MetaAccess's certificate:

    1. Log into the MetaAccess console

    2. Navigate to Access Control > Configurations

    3. Download the OPSWAT certificate

  2. Prepare IdP Metadata File to upload to OPSWAT SDP.

    1. Open the Azure metadata file for the SDP app that you downloaded in Step 2.8

    2. Replace the content of every X509Certificate element in the file with the MetaAccess certificate downloaded in Step 4.1

    3. Replace the Location attribute of every SingleSignOnService element in the file with the URL obtained in Step 3.3

    4. Save all changes
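
    The metadata edit in steps 4.2.2 and 4.2.3 is easy to get wrong by hand (a missed certificate element or a stray PEM header leaves SDP trusting the wrong signer), so the following is an added example script, not part of the OPSWAT documentation or product, that performs and then checks the two substitutions. The sample metadata, certificate body and MetaAccess URL are constructed placeholders; run it against the real Federation Metadata XML, the real MetaAccess certificate and the real Setup Instructions URL.

```python
"""Rewrite an Azure SAML IdP metadata file for upload to OPSWAT SDP.

Added example (not OPSWAT code): every X509Certificate element gets the
MetaAccess signing certificate and every SingleSignOnService Location
gets the MetaAccess-generated URL, mirroring steps 4.2.2 and 4.2.3.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed, trimmed sample in the shape of Azure's Federation Metadata XML.
# The real file also carries a Signature block and more endpoints.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>AZURE-CERT-PLACEHOLDER</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed placeholders for the certificate downloaded in step 4.1 (PEM)
# and the URL copied from Setup Instructions in step 3.3.
SAMPLE_METAACCESS_CERT = """-----BEGIN CERTIFICATE-----
METAACCESS-CERT-BODY-PLACEHOLDER-LINE-1
METAACCESS-CERT-BODY-PLACEHOLDER-LINE-2
-----END CERTIFICATE-----
"""
SAMPLE_METAACCESS_URL = "https://METAACCESS-HOST-PLACEHOLDER/sso/SDPClient-PLACEHOLDER"


def pem_body(pem: str) -> str:
    """Return the bare base64 body of a PEM certificate.

    SAML metadata stores the certificate without PEM armour or line breaks,
    so the BEGIN/END lines and newlines must be stripped before insertion.
    """
    lines = (line.strip() for line in pem.strip().splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def rewrite_metadata(metadata_xml: str, cert_pem: str, sso_url: str) -> str:
    """Apply steps 4.2.2 and 4.2.3 and return the modified metadata XML."""
    root = ET.fromstring(metadata_xml)
    certs = root.findall(".//ds:X509Certificate", NS)
    endpoints = root.findall(".//md:SingleSignOnService", NS)
    if not certs or not endpoints:
        # Refuse to emit a file that SDP would accept but that is missing
        # the elements this procedure relies on.
        raise ValueError("metadata lacks X509Certificate or SingleSignOnService elements")
    body = pem_body(cert_pem)
    for cert in certs:
        cert.text = body
    for endpoint in endpoints:
        endpoint.set("Location", sso_url)
    return ET.tostring(root, encoding="unicode")


def verify_metadata(metadata_xml: str, cert_pem: str, sso_url: str) -> dict:
    """Check that no original certificate or IdP endpoint survived the edit."""
    root = ET.fromstring(metadata_xml)
    body = pem_body(cert_pem)
    certs = [c.text for c in root.findall(".//ds:X509Certificate", NS)]
    locations = [e.get("Location") for e in root.findall(".//md:SingleSignOnService", NS)]
    return {
        "cert_count": len(certs),
        "all_certs_replaced": all(c == body for c in certs),
        "sso_count": len(locations),
        "all_sso_replaced": all(loc == sso_url for loc in locations),
    }


if __name__ == "__main__":
    modified = rewrite_metadata(SAMPLE_METADATA, SAMPLE_METAACCESS_CERT, SAMPLE_METAACCESS_URL)
    print(modified)
    print(verify_metadata(modified, SAMPLE_METAACCESS_CERT, SAMPLE_METAACCESS_URL))
```

    To use it on real files, read the downloaded Federation Metadata XML and the MetaAccess certificate from disk, pass them with the Setup Instructions URL to rewrite_metadata, and write the result to the file you upload in step 4.7; the verify_metadata report should show every certificate and every SingleSignOnService endpoint replaced before you upload.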

  3. Log in to the SDP console (https://<your account name>.sdp.cloud.impulse.com/login)

  4. Go to Users and click the Add button in the SAML section to add a new IdP

  5. Choose Custom IDP, then click Next.

  6. On the "Provide SP details to SAML Identity Provider" screen, copy the value of "Audience / SP Identity" for later use, then click Next

  7. Upload the modified Azure metadata file for the SDP app that you prepared in Step 4.2, then click Next

  8. Enter "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" as the Group Attribute, then click Next

  9. Click Create

Step 5. Update Applications settings on Identity Provider

  1. Log into Azure Portal as administrator

  2. Click Azure Active Directory.

  3. Navigate to Enterprise applications > All applications.

  4. Select the SDP application

  5. Select Single sign-on.

  6. Click the edit icon (pencil icon) on the Basic SAML Configuration section

  7. Replace the Identifier with the value you copied in Step 4.6. Replace the Reply URL with the MetaAccess URL you copied in Step 3.3

  8. Click Save

Step 6: Test your integration

Follow the guideline at Step 6: Test your integration to verify that the integration works as expected.

DONE! CONGRATULATIONS.