Microsoft Azure with Salesforce

OPSWAT MetaAccess can be integrated with an existing Microsoft Azure & Salesforce SSO integration to ensure that a device complies with the organization's security policy before it is granted access to Salesforce. With this in place, the user is not only authenticated by Microsoft Azure, but the device the user is connecting from is also checked for risks and vulnerabilities, such as infections or an outdated operating system, BEFORE it accesses the organization's cloud services.

To get started, set up SSO between Microsoft Azure and Salesforce following the guidelines in Azure Active Directory integration with Salesforce. MetaAccess is then added to this integration to enforce a device posture check before a device is granted access to Salesforce through the Microsoft Azure Single Sign-On (SSO) service.

After configuring SSO, test it to make sure that SSO works as expected.

Now integrate MetaAccess with your Microsoft Azure & Salesforce SSO by following the steps below. More details on each step are available at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Log into the MetaAccess console

  2. Navigate to Access Control > Configurations

  3. Check "Enable access control".

  4. Click SAVE.


Step 2. Import Identity Providers and Applications

  1. Download the Azure certificate: the next step is importing the Azure X.509 signing certificate into MetaAccess. This is what allows MetaAccess to verify that users signing in were authenticated by your trusted Azure tenant, since each identity provider signs with its own unique X.509 certificate. Download the Azure X.509 certificate as follows:

    1. Log into Azure Portal as Administrator

    2. Click Azure Active Directory on the left navigation

      (Screenshot: the Azure Active Directory button)

    3. Navigate to Enterprise applications > All applications.

      (Screenshot: the Enterprise applications blade)

    4. Select the Salesforce application

    5. Select the Single sign-on tab. Scroll down to the SAML Signing Certificate area and click "Certificate (Base64)" to download the certificate.

  2. Collect the IdP Login URL and the User access URL

    1. Scroll down and copy the Login URL. Store it somewhere for later use. For example: https://login.microsoftonline.com/60244d0a-5473-4468-b743-f9cc479b7dab/saml2

    2. Select Properties and copy the User access URL. Store it somewhere for later use. For example: https://myapps.microsoft.com/signin/Salesforce/549c009f-5f75-4beb-9e53-a754dd43a3f4?tenantId=<your_tenant_id>

  3. Collect the Salesforce Logout URL: you can find this URL inside Salesforce

    1. Log into your Salesforce account

    2. Click your avatar, right-click Log Out and choose Copy link address to get the logout URL


    3. Store the logout URL somewhere for later use

  4. Add the Azure Identity Provider. If you already have Azure IdP settings on your MetaAccess account, go to step 2.5 to add the Salesforce application.

    1. Log into the MetaAccess console

    2. Navigate to Access Control > Configurations

    3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

    4. Fill in the required fields for the Identity Provider

      1. IdP Name: an IdP name, for example: Azure

      2. IdP Certificate: upload the Azure certificate you downloaded in Step 2.1


    5. Click Add IDP

    6. Click SAVE

  5. Add Salesforce application:

    1. Expand the Azure IdP settings you have just added in Step 2.4 above.

    2. Click Add New Application

    3. Enter the required fields

      1. Application: application name, for example: Salesforce

      2. IdP Login URL: the "User access URL" you collected in Step 2.2

      3. Login URL: the "Login URL" you collected in Step 2.2

      4. Logout URL: the application logout URL you collected in Step 2.3

      5. Access Mode: pick the access mode you prefer. See details on the access modes at Step 2. Import Identity Providers and Applications

    4. Click SAVE

  6. After saving your changes successfully, click the Setup Instructions button of the Salesforce application you have just added and copy the URL that MetaAccess generated there. In Step 4, this URL replaces the Salesforce Reply URL (Assertion Consumer Service URL) on Azure, so that Azure delivers SAML assertions to MetaAccess instead of directly to Salesforce.


Note: you can add the Salesforce application (step 2.5) while adding the Azure IdP settings in step 2.4.

Step 3. Configure Access Rules

Note: this step can be skipped if you have already configured access rules in the past, or if you want to use the default rules.

  1. In the MetaAccess console

  2. Navigate to Access Control > Configurations

  3. On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, OR update an existing access rule to include this application

  4. For a new access rule, specify whether devices matching the rule should be blocked from or allowed to access the application

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow

    3. Configure the conditions that trigger the action. Details at Step 3. Configure Access Rules

  5. Click ADD RULE


Step 4. Update Applications settings on Identity Provider

  1. Log into Azure Portal as administrator

  2. Click Azure Active Directory.

  3. Navigate to Enterprise applications > All applications.

  4. Select the Salesforce application

  5. Select Single sign-on.

  6. Click the edit icon (pencil icon) in the Basic SAML Configuration section

  7. Replace the Reply URL with the MetaAccess URL you got from Step 2.6


  8. Click Save

Step 5. Configure SSO settings on applications

  1. In the MetaAccess console

  2. Navigate to Access Control > Configurations

  3. Download the OPSWAT certificate


  4. Log in to Salesforce as an administrator

  5. Select Setup

  6. Navigate to Security Controls > Single sign-on Settings and click Edit on the application


  7. Click Choose File to upload the OPSWAT certificate that MetaAccess generated for your account (the certificate you downloaded earlier in this step). From now on Salesforce validates assertion signatures against this certificate rather than the Azure one.


  8. Change the Identity Provider Login URL to the MetaAccess URL you got from Step 2.6

  9. Set Service Provider Initiated Request Binding to Redirect

  10. Click Save

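Steps 2 through 5 rewire the SAML trust chain so that Azure delivers assertions to MetaAccess and Salesforce trusts only the OPSWAT signing certificate. The following stdlib-only Python pre-flight check, added here as an example and not part of the original guide or OPSWAT's product, verifies those invariants on the collected values before you test; the configuration key names, the `check_sso_wiring` function, the placeholder URLs and the dummy PEM blobs are all constructed for the example.

```python
import base64
import hashlib
from urllib.parse import urlparse

def fake_pem(label: str) -> str:
    """Constructed stand-in for a 'Certificate (Base64)' download; not a real X.509 cert."""
    body = base64.b64encode(f"constructed-der-{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def cert_fingerprint(pem: str) -> str:
    """SHA-256 hex fingerprint of the DER bytes inside a PEM block."""
    body = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def check_sso_wiring(cfg: dict) -> list:
    """Return the list of wiring problems; an empty list means the chain is consistent."""
    problems = []
    login = urlparse(cfg["azure_login_url"])
    if login.hostname != "login.microsoftonline.com" or not login.path.endswith("/saml2"):
        problems.append("azure_login_url is not an Azure SAML2 login endpoint")
    if urlparse(cfg["metaaccess_url"]).scheme != "https":
        problems.append("metaaccess_url must use https")
    # Step 4: Azure must deliver assertions to MetaAccess, not straight to Salesforce
    if cfg["azure_reply_url"] != cfg["metaaccess_url"]:
        problems.append("Azure Reply URL bypasses MetaAccess (no posture check)")
    # Step 5: Salesforce must send logins to MetaAccess ...
    if cfg["salesforce_idp_login_url"] != cfg["metaaccess_url"]:
        problems.append("Salesforce IdP Login URL does not point at MetaAccess")
    if cfg["salesforce_sp_binding"] != "HTTP-Redirect":
        problems.append("Salesforce SP-initiated request binding is not Redirect")
    # ... and must trust the OPSWAT signing certificate, never Azure's directly
    sf_fp = cert_fingerprint(cfg["salesforce_idp_cert_pem"])
    if sf_fp != cert_fingerprint(cfg["opswat_cert_pem"]):
        problems.append("Salesforce does not trust the OPSWAT certificate")
    if sf_fp == cert_fingerprint(cfg["azure_cert_pem"]):
        problems.append("Salesforce still trusts the Azure certificate directly")
    return problems

# Constructed sample configuration; the ids are placeholders, not a real tenant
METAACCESS_URL = "https://metaaccess.example.invalid/saml/acs/PLACEHOLDER"
GOOD_CFG = {
    "azure_login_url": "https://login.microsoftonline.com/PLACEHOLDER-TENANT/saml2",
    "azure_reply_url": METAACCESS_URL, "metaaccess_url": METAACCESS_URL,
    "salesforce_idp_login_url": METAACCESS_URL, "salesforce_sp_binding": "HTTP-Redirect",
    "azure_cert_pem": fake_pem("azure"), "opswat_cert_pem": fake_pem("opswat"),
    "salesforce_idp_cert_pem": fake_pem("opswat"),
}
```

Run `check_sso_wiring` over your real values (Azure Reply URL, Salesforce IdP Login URL, the two PEM files) and treat any non-empty result as a misconfiguration that would let a login skip the posture check.
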
Step 6: Test your integration

Follow the guideline at Step 6: Test your integration to verify that the integration works as you expect.

DONE! CONGRATULATIONS.