Okta IdP with Access Gateway

OPSWAT MetaAccess can be easily integrated with an existing Okta - Access Gateway integration to ensure that a device is compliant with the organization's security policy before it is granted access to applications. This ensures that the device is not only authenticated by the IdP, but also tested for risks and vulnerabilities such as infections or unpatched versions of operating systems BEFORE it accesses an organization's cloud services.

To get started with implementing OPSWAT MetaAccess integration to enforce device posture check before granting a device to access applications with Access Gateway with Okta Inbound SAML, you need to have Access Gateway configured with Okta Inbound SAML. If you haven't already done so, please follow the instructions on Okta Help Center to set it up.

You can learn more details for each step here at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Login to the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. Check on "Enable access control" and configure a port for the cross-domain API. Note that you must select a port which no applications on endpoints is running.

  4. Click SAVE.

    images/download/attachments/342535/image2018-3-9_13-43-24.png

Step 2. Import Identity Providers and Applications

  1. Download Okta IdP certificate: the next step is importing an Okta X.509 certificate to MetaAccess. This allows MetaAccess to verify users signing though a trusted IdP, Okta. Each identity provider has a unique X.509 certificate. Download the Okta X509 certificate by following these steps:

    1. Login to Okta as Administrator

    2. Switch to Admin mode

      images/download/attachments/342535/image2017-10-17_16-0-11.png
    3. Go to Applications dashboard

      images/download/attachments/342535/image2017-10-17_16-0-41.png
    4. Select Access Gateway application

    5. Go to Sign On tab and click View Setup Instruction
      images/download/thumbnails/342535/image2019-11-15_12-6-21.png


    6. Click Download certificate to download Okta certificate

      images/download/thumbnails/342535/image2019-11-15_12-9-20.png

  2. Collect Access Gateway ACS URL

    1. In Okta Administrator console, select Security > Identifier Providers

images/download/attachments/342535/image2019-11-15_12-11-6.png

b. Expand the Okta Inbound SAML you configured for the Access Gateway. Then copy the Assertion Consumer Service URL
images/download/attachments/342535/image2019-11-15_12-15-39.png

3. Collect IdP SSO login URL:

  • In Okta Administrator console, navigate to Applications > then select Access Gateway app

  • on General tab, scroll down to App Embed Link section

  • Copy the Embed Link there

images/download/attachments/342535/image2019-11-15_12-19-3.png

4. Add the Okta Identity Provider. If you already have Okta IdP settings on your MetaAccess account, go to 5 to add Access Gateway application.

  • Login to the MetaAccess console

  • Navigate to Access Control and then Configurations

  • On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

  • Fill in required fields for the Identity Provider

    • IdP Name: an IdP name, for example, Okta

    • IdP Certificate: upload Okta certificate you downloaded in Step 2.1

      images/download/attachments/342535/image2019-11-15_12-27-11.png

  • Click Add IDP

  • Click SAVE CHANGES

5. Add the Access Gateway application:

  • Expand the Okta IdP settings you have just added in Step 2.4 above.

  • Click Add New Application

  • Fill required fields

    • Application: application name, for example, Access Gateway

    • IdP Login URL: IdP SSO login URL which you have from step 2.3

    • Application Login URL: application login URL which you have from Step 2.2

    • Access Mode: pick an access mode you prefer. See details on the access modes at Step 2. Import Identity Providers and Applications

      images/download/attachments/342535/image2019-11-15_14-45-52.png
  • Click SAVE CHANGES

6. After saving your changes successfully, click the Setup Instructions button of the Access Gateway application you have just added and then copy the URL MetaAccess generated there. This URL is used to replace Single sign on URL of the Access Gateway app on Okta in Step 4.

images/download/attachments/342535/image2019-11-15_14-57-2.png

Note: you can add Access Gateway application (step 2.5) when you add Okta IdP settings.

Step 3. Configure Access Rules

  1. On MetaAccess console, navigate to Access Control and then Configurations

  2. On Access Rules tab, click "ADD NEW RULE" to add a new rule for this application OR you can update existing access rules to add this application

  3. With a new access rule, you need to specify how you would like to block/allow access a device from the application

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow

    3. Configure conditions to do the action. Details at Step 3. Configure Access Rules

  4. Click ADD RULE

    images/download/attachments/342535/image2018-3-9_13-55-33.png

Step 4. Update Applications settings on Identity Provider

  1. Login to Okta as administrator

  2. Navigate to Applications dashboard

  3. Select Access Gateway application

  4. On General tab, click Edit on the SAML Settings section

images/download/attachments/342535/image2019-11-15_14-59-37.png

5. Click Next on the first screen, then replace Single sign on URL with the MetaAccess URL which you got from Step 2.6

6. Click Show Advanced Settings
images/download/attachments/342535/image2019-11-15_15-30-31.png

7. Change Signature Algorithm to RSA-SHA1 and Digest Algorithm to SHA1

8. Click Next

9. Click Finish

Step 5. Configure SSO settings on applications

  1. On MetaAccess console, navigate to Access Control >Configurations

  2. Click Download OPSWAT certificate to download a self-signed certificate MetaAccess generated for your account

    images/download/attachments/342535/image2018-3-5_16-13-57.png

  3. Log into Okta Administrator console

  4. Navigate to Security > Identity Providers

    images/download/attachments/342535/image2019-11-15_12-11-6.png

  5. Click Configure then select Configure Identity Providers on the Okta Inbound SAML you configured for the Access Gateway.

    images/download/attachments/342535/image2019-11-15_15-37-19.png

  6. On the SAML PROTOCOL SETTINGS, replace IdP Signature Certificate to the certificate MetaAccess generated for your account as you downloaded at step 5.2

    • Click on x icon to remove the current one

    • upload the new one

  7. Click Show Advanced Settings

images/download/attachments/342535/image2019-11-15_15-44-19.png

8. Change Request Signature Algorithm to SHA-1 and Response Signature Algorithm to SHA-1

images/download/attachments/342535/image2019-11-15_15-42-53.png

9. Click Update Identity Provider

Step 6: Test your integration

Follow guideline at Step 6: Test your integration to test your integration to verify if it works as your expectation.

DONE! CONGRATULATIONS.