Okta IdP with O365 using WS-Federation

OPSWAT MetaAccess can be integrated with an Okta O365 integration to ensure that a device complies with the organization's security policy before it is granted access to O365. This ensures that the device is not only authenticated by the IdP, but also checked for risks and vulnerabilities, such as infections or unpatched operating system versions, BEFORE it accesses the organization's cloud services.

To enforce a device posture check with OPSWAT MetaAccess before a device is granted access to O365 through Okta Single Sign On (SSO), you must set up SSO between Okta and O365 manually using the steps below, even if you already have SSO set up for O365 on Okta. The reason is that the built-in O365 application in Okta does not allow you to modify the O365 login URL.

  1. Log in to the Okta console as an Administrator

  2. Switch to the Admin view

  3. Create a new Template WS-Fed application

  4. Fill in the information below and then click Done:
    - Realm: urn:federation:MicrosoftOnline
    - ReplyTo URL: https://login.microsoftonline.com/login.srf
    - Audience Restriction: urn:federation:MicrosoftOnline
    - Custom Attribute Statements: ImmutableID|${findDirectoryUser().externalId}|urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,UPN|${user.login}|urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    Leave the rest at their defaults.

  5. On the Assignments tab, click Assign to assign the people you want to allow access to this application

  6. Install Windows PowerShell for Azure Active Directory (the MSOnline module, which provides the Connect-MsolService and Set-MsolDomainAuthentication cmdlets used in Step 5).

  7. Make sure your Active Directory is integrated with Okta before continuing.

Now you can integrate MetaAccess with your Okta O365 application by following the steps below. More details for each step are in the general guide at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Log in to the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. Check the "Enable access control" box and configure a port for the cross-domain API. Note that you must select a port that no application on the endpoints is using.

  4. Click SAVE.

Step 2. Import Identity Providers and Applications

  1. Download the Okta IdP certificate: the next step is importing an Okta X.509 certificate into MetaAccess. This allows MetaAccess to verify that users signed in through a trusted IdP (Okta). Each identity provider has a unique X.509 certificate. Download the Okta X.509 certificate by following these steps:

    1. Log in to Okta as Administrator

    2. Switch to Admin mode

    3. Go to the Applications dashboard

    4. Select the O365 application

    5. Go to the Sign On tab and click View Setup Instructions

    6. Click Download certificate to download the Okta certificate

  2. Collect the IdP Login URL: this is the embed link Okta generates so that the application can be launched from outside Okta. You can find this URL on the General tab, in the App Embed Link section.

  3. Add the Okta Identity Provider. If you already have Okta IdP settings on your MetaAccess account, skip to step 4 to add the O365 application.

    1. Log in to the MetaAccess console

    2. Navigate to Access Control and then Configurations

    3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

    4. Fill in the required fields for the Identity Provider

      1. IdP Name: an IdP name, for example: Okta

      2. IdP Certificate: upload the Okta certificate you downloaded in Step 2.1

    5. Click Add IDP

    6. Click SAVE

  4. Add the O365 application:

    1. Expand the Okta IdP settings you have just added in Step 2.3 above.

    2. Click Add New Application

    3. Enter the required fields

      1. Application: application name, for example: O365

      2. IDP Login URL: the application login URL you collected in Step 2.2

      3. Login URL: https://login.microsoftonline.com/login.srf

      4. Logout URL: https://login.microsoftonline.com/logout.srf

      5. Access Mode: pick the access mode you prefer. The access modes are described in the general guide under Step 2. Import Identity Providers and Applications
    4. Click SAVE

  5. After saving your changes successfully, click the Setup Instructions button of the O365 application you have just added and copy the URL MetaAccess generated there. This URL will replace the O365 login URL on Okta.

Note: you can also add the O365 application (step 2.4) while you are adding the Okta IdP settings.

Step 3. Configure Access Rules

  1. On MetaAccess console, navigate to Access Control and then Configurations

  2. On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, OR update an existing access rule to include this application

  3. For a new access rule, specify whether devices matching the rule are blocked from or allowed to access the application

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow

    3. Configure the conditions that trigger the action. Details are in the general guide under Step 3. Configure Access Rules

  4. Click ADD RULE

Step 4. Update Applications settings on Identity Provider

  1. Log in to Okta as administrator

  2. Go to the Applications dashboard

  3. Select O365 application

  4. On General tab, click Edit

  5. Replace the ReplyTo URL with the MetaAccess URL you copied in Step 2.5

  6. Click Save

Step 5. Configure SSO settings on Office 365

  1. Get Issuer and Passive Endpoint from Okta

    1. Log in to Okta as administrator

    2. Go to the Applications dashboard

    3. Select O365 application

    4. On the Sign On tab, click View Setup Instructions

    5. Note the Issuer and Passive Endpoint values; both are needed in Step 5.3

  2. Click Download OPSWAT certificate to download the self-signed certificate MetaAccess generated for your account

  3. Convert your domain in Office 365 to federated

    1. Log in to a computer that has Windows PowerShell for Azure Active Directory installed

    2. Start PowerShell, run the Connect-MsolService cmdlet, and enter the administrator credentials for your Office 365 domain when prompted

      C:\Windows\system32>Connect-MsolService

    3. Run the Set-MsolDomainAuthentication cmdlet. Keep a space before each trailing backtick; without it PowerShell joins the value with the next parameter name.

      C:\Windows\system32>Set-MsolDomainAuthentication `
      -FederationBrandName MetaAccess `
      -DomainName <Your Domain> `
      -Authentication Federated `
      -IssuerUri <Issuer in step 5.1> `
      -PassiveLogOnUri <Passive Endpoint in step 5.1> `
      -LogOffUri https://login.microsoftonline.com/logout.srf `
      -SigningCertificate <OPSWAT Certificate in step 5.2>

      Note: enter the certificate as a single base64 line, without the BEGIN/END CERTIFICATE lines and without line breaks

    4. Run the following cmdlet to verify the configuration

      C:\Windows\system32>Get-MsolDomainFederationSettings -DomainName <Your Domain>

      Note: it can take some time for Office 365 to apply the new configuration
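As an added example (not from the OPSWAT documentation), the following PowerShell script automates Steps 5.3 and 5.4: it flattens the downloaded OPSWAT certificate into the single-line base64 form the cmdlet expects, federates the domain, and then reads the federation settings back to confirm that the issuer, passive endpoint and certificate thumbprint Office 365 stored match what was sent. The domain, URIs and certificate path are placeholders to replace with your own values from Steps 5.1 and 5.2.

```powershell
# Added example, not from the OPSWAT page: federate an O365 domain to MetaAccess
# with the MSOnline module, then verify what Office 365 actually stored.
# All values below are placeholders; substitute the Issuer and Passive Endpoint
# from Step 5.1, the OPSWAT certificate file from Step 5.2 and your own domain.

$DomainName      = 'example.com'                                                     # placeholder
$IssuerUri       = 'http://www.okta.com/PLACEHOLDER_ISSUER'                          # placeholder: Issuer, Step 5.1
$PassiveLogOnUri = 'https://PLACEHOLDER.okta.com/app/PLACEHOLDER/sso/wsfed/passive'  # placeholder: Passive Endpoint, Step 5.1
$CertPath        = 'C:\temp\opswat-metaaccess.cer'                                   # placeholder: file from Step 5.2
$LogOffUri       = 'https://login.microsoftonline.com/logout.srf'

# Load the downloaded certificate (PEM or DER both work) and flatten it to the
# single base64 line that -SigningCertificate expects: no BEGIN/END lines, no breaks.
$cert        = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$signingCert = [Convert]::ToBase64String($cert.RawData)
"Signing certificate thumbprint: $($cert.Thumbprint), expires $($cert.NotAfter)"

Connect-MsolService   # prompts for the Office 365 administrator credentials

Set-MsolDomainAuthentication `
    -DomainName          $DomainName `
    -Authentication      Federated `
    -FederationBrandName 'MetaAccess' `
    -IssuerUri           $IssuerUri `
    -PassiveLogOnUri     $PassiveLogOnUri `
    -LogOffUri           $LogOffUri `
    -SigningCertificate  $signingCert

# Verify: read the settings back and compare them with what was sent. The stored
# certificate comes back as base64, so parse it again and compare thumbprints
# rather than raw strings. Propagation can take a few minutes; rerun this part if needed.
$settings   = Get-MsolDomainFederationSettings -DomainName $DomainName
$storedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($settings.SigningCertificate))

$checks = [ordered]@{
    IssuerUri       = ($settings.IssuerUri       -eq $IssuerUri)
    PassiveLogOnUri = ($settings.PassiveLogOnUri -eq $PassiveLogOnUri)
    LogOffUri       = ($settings.LogOffUri       -eq $LogOffUri)
    Thumbprint      = ($storedCert.Thumbprint    -eq $cert.Thumbprint)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-16} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISMATCH' })
}
```

A MISMATCH on Thumbprint usually means the certificate was pasted with line breaks or header lines; a mismatch on the URIs means the values from Step 5.1 were not copied exactly.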

Step 6: Test your integration

Follow the guideline in the general guide under Step 6: Test your integration to verify that the integration works as you expect.

DONE! CONGRATULATIONS.