Step 2. Add protected applications with IdP Method

This step tells MetaAccess which Identity Provider (IdP) you integrate with and which applications must pass a device posture check before a device is granted access to them. Once the integration is in place, your IdP forwards the user authentication result to MetaAccess after a user logs in successfully, and MetaAccess then checks the device's posture. For every request it receives, MetaAccess first verifies that the request comes from a trusted IdP before it enforces the device posture check and grants access to the specified application. Once again, MetaAccess only processes these requests if Access Control is enabled.

Most Identity Providers that support SAML SSO are supported, for example Okta, Ping Identity, Centrify, and OneLogin, as are applications that support SAML SSO.

In this step, you need to collect the following information from your IdP and from the single sign-on settings of the applications:

  1. IdP certificate, which you can get from the IdP metadata

  2. Application information: login URL (ACS URL), IdP SSO login URL, and logout URL

1. Download IdP certificate

The next step is importing the IdP's X.509 certificate into MetaAccess. MetaAccess uses this certificate to verify that a user's authentication result really was issued by your trusted IdP (the IdP signs its SAML responses with the matching private key). Each identity provider has a unique X.509 certificate for your account. You can find this certificate in the IdP metadata or in the IdP's single sign-on setup instructions. If the IdP later rotates its signing certificate, upload the new certificate to MetaAccess as well, since responses signed with a key MetaAccess does not know will not be accepted.


2. Collect Login URL of the application

Each application has a unique Assertion Consumer Service (ACS) URL (also called the post-back single sign-on URL), which is the endpoint that receives authentication results from a third-party identity provider. MetaAccess forwards the IdP's authentication message to this URL once the device posture check has passed.

You can find the login URL of the application in the application's guideline for configuring single sign-on settings, or in the application's settings on the IdP console.



3. Collect IdP SSO login URL

The IdP generates a unique SSO login URL for each application when you set up SSO for that application. MetaAccess uses this URL to let a user log into the application when a device is granted temporary access.

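Steps 1 and 3 above both come out of the same document: the IdP's SAML 2.0 metadata carries the signing certificate (step 1) and the SingleSignOnService URL (step 3). The following script is an added example, not MetaAccess code or an OPSWAT tool. It assumes the IdP publishes standard SAML 2.0 metadata (an EntityDescriptor containing an IDPSSODescriptor), as Okta, OneLogin, Ping and similar IdPs do. It skips encryption-only keys, since those cannot verify the IdP's signature, converts the DER certificate to the PEM format MetaAccess expects, and prints a SHA-256 fingerprint you can compare against the IdP console. The sample metadata at the bottom is constructed for this example; its "certificate" is placeholder bytes rather than a real DER certificate, so the PEM it produces only exercises the code.

```python
"""Extract the IdP signing certificate (as PEM) and the IdP SSO login URL from SAML 2.0 IdP metadata.

Added example, not part of MetaAccess. Assumes standard SAML 2.0 IdP metadata.
The sample metadata below is constructed; its certificate is placeholder bytes.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armor that the MetaAccess IdP upload expects."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text: str) -> Dict:
    """Return entityID, signing certificates (PEM + SHA-256 fingerprint) and SSO URLs."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag == "{%s}EntityDescriptor" % NS["md"] else root.find("md:EntityDescriptor", NS)
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    certs: List[Dict] = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means the key serves signing and encryption;
        # an encryption-only key cannot verify the IdP's signature, so skip it.
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((node.text or "").split()))  # metadata usually wraps the base64
            certs.append({"pem": der_to_pem(der), "sha256": hashlib.sha256(der).hexdigest()})
    if not certs:
        raise ValueError("no signing certificate in IDPSSODescriptor")

    sso = {svc.get("Binding"): svc.get("Location") for svc in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": entity.get("entityID"),
        "signing_certs": certs,
        "sso_login_url": sso.get(BINDING_POST) or sso.get(BINDING_REDIRECT),
        "sso_bindings": sso,
    }


# --- constructed sample metadata (placeholder values, not a real IdP) ---
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
{textwrap.fill(PLACEHOLDER_B64, 40)}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/app/example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID:      ", info["entity_id"])
    print("IdP SSO login URL: ", info["sso_login_url"])
    for cert in info["signing_certs"]:
        print("signing cert sha256:", cert["sha256"])
        print(cert["pem"])  # paste or save this as the PEM file to upload in step 6
```

Run it against the metadata file your IdP lets you download for the application (replace SAMPLE_METADATA with the file's contents). If more than one signing certificate comes back, the IdP is mid-rotation; upload the one whose fingerprint the IdP console reports as active.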

4. Collect Logout URL of the application

Each application has a unique logout URL that terminates a user's session for that application only. MetaAccess uses this URL to sign users out when a device is blocked from accessing the application.

You can find the logout URL by logging in to the application. Some applications put the logout URL on the Logout button or link, so you can simply copy the link.


5. Add protected applications

1. Login to the MetaAccess console

2. Navigate to Secure Access and then Protected Apps

3. Click Add Protected Apps

4. Select IdP Method to add protected apps with the SAML IdP Method. For the SDP Method, refer to 3.2. Software Defined Perimeter (SDP) Method.


5. When you enable this feature, every endpoint on your account is forced to run the cross-domain API locally on the configured port. You MUST pick a port that no application on your endpoints is already using (if another process already holds the port, the API cannot bind to it), then click Continue.

Notes:

  • This step is only shown if you have not yet enabled the cross-domain API setting.

  • The cross-domain API setting here is the same as the cross-domain API setting at Settings > Integrations. You can change the port later at Settings > Integrations.

  • You cannot disable this setting while Access Control is enabled.

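Before committing to a port in step 5, it is worth confirming on a representative endpoint that nothing already listens on it. The script below is an added example, not part of the MetaAccess agent or console. It only tests whether this machine can bind a TCP port on the loopback interface, which is the condition the note above describes; the candidate port numbers are assumptions, and the check must be run on the endpoints themselves (or against an inventory of them), not on the console.

```python
"""Check whether candidate cross-domain API ports are free on this endpoint.

Added example, not part of MetaAccess. The candidate ports are assumptions.
"""
import errno
import socket
from typing import Dict, Iterable, Optional


def port_status(port: int, host: str = "127.0.0.1") -> str:
    """Return 'free', 'in-use' or 'not-permitted' for host:port.

    bind() failing with EADDRINUSE means another process already owns the port;
    EACCES means the port is privileged (or blocked by policy) for this user.
    Either way the local API could not start on it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"
            if exc.errno == errno.EACCES:
                return "not-permitted"
            raise
    return "free"


def first_free_port(candidates: Iterable[int]) -> Optional[int]:
    """Return the first candidate that can be bound, or None if all are taken."""
    for port in candidates:
        if port_status(port) == "free":
            return port
    return None


def demo() -> Dict:
    """Occupy an ephemeral port, observe the conflict, release it, check again."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    holder.listen(1)
    taken = holder.getsockname()[1]
    while_held = port_status(taken)
    holder.close()  # a never-accepted listener frees its port immediately
    after_release = port_status(taken)
    return {"port": taken, "while_held": while_held, "after_release": after_release}


if __name__ == "__main__":
    print(demo())
    # Assumed candidate list; pick whatever range your endpoint images leave unused.
    print("first free candidate:", first_free_port([11369, 11370, 11371]))
```

A port that reports "free" on one machine can still be taken on another, so run the check across every endpoint image you deploy (or script it into your endpoint management tool) rather than on a single laptop.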

6. Provide the IdP where your application is set up

  • Select Add new IdP if you have not added the IdP yet. You then need to fill in the IdP info:

    • IdP Name

    • IdP certificate: upload the IdP certificate you downloaded in step 1. The certificate file must be in PEM format.

  • Select Choose from existing IdPs if you have already added the IdP


7. Click Continue

8. Fill in the application information

  • Application: the application name, for example Salesforce

  • IdP login URL: the URL the IdP generates for your app when you configure single sign-on (step 3 above)

  • Application Login URL: the post-back single sign-on URL or Assertion Consumer Service (ACS) URL of the application, which you collected in step 2 above

  • Application Logout URL (optional): the application logout URL you collected in step 4 above. MetaAccess uses this URL to sign a user out of the application when the device is not allowed to access it according to the access rules you configure in Step 3. Configure Access Rules.

  • Android Package Name and iOS App URL scheme: these identify the app on Android and iOS so that MetaAccess can redirect end users back to it. A separate guideline describes how to obtain these values.

  • Access Mode(*): pick the access mode you prefer.

    • Disable mode: MetaAccess always allows all devices to access the application. No access log is recorded in this mode.

    • Monitor mode: MetaAccess always allows all devices to access the application. In addition, MetaAccess evaluates the access rules on your account (see Step 3. Configure Access Rules) to determine which action (Block/Allow) would be applied to the device if you switched the application to Enforce mode. An access log entry is recorded as Monitored (Allow) or Monitored (Block) based on that evaluation.

    • Enforce mode: MetaAccess evaluates the access rules on your account (see Step 3. Configure Access Rules) to determine which action applies to the device.

      • If the action is Allow, MetaAccess allows the device to access the application and records an access log entry with the action Allowed.

      • If the action is Block, MetaAccess blocks the device from accessing the application and records an access log entry with the action Blocked. The user sees a page explaining why the device was blocked from accessing the application.

  • Check "Allow MetaAccess to record a user who is using a device to access an application" to let MetaAccess record which users access cloud applications from which devices. This helps address the BYOD ownership problem by showing the user identity (for example, the application username) alongside each device they use to access cloud applications, giving you more control over unmanaged devices without IT infrastructure changes, network traffic manipulation, or mobile device management (MDM).

  • Enter your PIN

  • Click SAVE


9. After your changes are saved, the system shows the remaining steps needed to fully protect your application. Copy the URL MetaAccess generates for your application and store it for later use: it replaces the application's login URL on the IdP console in Step 4. Update Applications settings on Identity Provider.

(*) MetaAccess always checks that a user authentication result comes from a trusted IdP by verifying it against the X.509 certificate you uploaded for that IdP. If the result does not come from a trusted IdP, MetaAccess does not allow the user to log into your application.