Step 2. Import Identity Providers and Applications

This step tells MetaAccess which Identity Provider (IdP) you want to integrate with and which applications should have a device posture check enforced before a device is granted access to them. Once the integration is in place, your IdP forwards the user authentication result to MetaAccess after a user logs in successfully, so that MetaAccess can check the device posture. For every request MEM receives, it verifies that the request comes from a trusted IdP before enforcing the device posture check and granting access to the specified application. Once again, MetaAccess only processes requests if Access Control is enabled.

We support most Identity Providers that support SAML SSO, for example Okta, Ping Identity, Centrify, OneLogin, and so on, together with applications that support SAML SSO.

In this step, you need to collect the following information from your IdP and from the single sign-on settings of the applications:

  1. IdP certificate, which you can get from the IdP metadata

  2. Application information: login URL and logout URL

1. Download IdP certificate

This step imports the IdP's X.509 certificate into MetaAccess, which allows MetaAccess to verify users signing in through a trusted IdP. Each identity provider issues a unique X.509 certificate for your account. You can find this certificate in the IdP metadata referenced by the single sign-on setup instructions.


2. Collect Login URL of the application

Each application has a unique Assertion Consumer Service (ACS) URL (or post-back single sign-on URL) used to authenticate users signing in through a third-party identity provider. MetaAccess uses this URL to forward the authentication message from the IdP to the application once the device posture check has passed.

You can find the Login URL of the application in the guideline for configuring the application's single sign-on settings.

Alternatively, you can find it in the application settings on the IdP console.


3. Collect IdP SSO login URL

The IdP generates a unique SSO login URL for each application when you set up SSO for that application. MetaAccess uses this URL to let a user log into the application when a device is granted temporary access.


4. Collect Logout URL of the application

Each application has a unique Logout URL that terminates a user session for that application only. MetaAccess uses this URL to log users out if a device is blocked from accessing the application.

You can find the Logout URL of the application once you are logged in to the application. Some applications put the logout URL on the Logout button or link, so you can simply copy the link.


5. Add Identity Provider (IdP) settings to MetaAccess

  1. Log in to the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP. If you have already imported your IdP settings into your MetaAccess account, go to step 6 (Add Applications) to add applications.

  4. Fill in the required fields for the Identity Provider

    1. IdP Name: an IdP name, for example: Okta

    2. IdP Certificate: upload the Okta certificate you downloaded in step 1 (Download IdP certificate). Note that the certificate file must be in PEM format.


  5. Click Add IDP

  6. Click SAVE

6. Add Applications

  1. Expand the IdP settings you have just added in step 5 (Add Identity Provider settings) above.

  2. Click Add New Application

  3. Enter the required fields

    1. Application: application name, for example: Salesforce

    2. IdP login URL: the URL the IdP generates for your app when you configure single sign-on

    3. Application Login URL: the post-back single sign-on URL or Assertion Consumer Service (ACS) URL of the application, which you collected in step 2 (Collect Login URL of the application).

    4. Application Logout URL (optional): the application logout URL you collected in step 4 (Collect Logout URL of the application). MetaAccess uses this URL to log a user out of the application when a device is not allowed to access the application according to the access rules you configure in Step 3. Configure Access Rules.

    5. Android Package Name and iOS App URL scheme: these identify the app on Android and iOS so that MetaAccess can redirect end users back to it. See the guideline here for how to obtain this information.

    6. Access Mode(*): pick the access mode you prefer.

      1. Disable mode: MetaAccess always allows all devices to access the application. No access log is recorded in this mode.

      2. Monitor mode: MetaAccess always allows all devices to access the application. In addition, MetaAccess evaluates the access rules on your account (see details in Step 3. Configure Access Rules) to determine which action (Block/Allow) would be applied to the device if you changed the application to Enforce mode. An access log entry is recorded as Monitored (Allow) or Monitored (Block) based on that evaluation.

      3. Enforce mode: MetaAccess evaluates the access rules on your account (see details in Step 3. Configure Access Rules) to determine which action is applied to the device.

        • If the action is Allow, MetaAccess allows the device to access the application and records an access log entry with the action Allowed.

        • If the action is Block, MetaAccess blocks the device from accessing the application and records an access log entry with the action Blocked. The user sees a page explaining why the device is blocked from accessing the application.


  4. Click SAVE

  5. After saving your changes successfully, click the Setup Instruction button of the application you have just added to view a MetaAccess URL. This URL replaces the login URL of the application on the IdP console in Step 4. Update Applications settings on Identity Provider.

You can add applications (step 6, Add Applications) at the same time as you add an IdP (step 5, Add Identity Provider settings). You can also add more applications later.

(*) MetaAccess always checks whether a user authentication result comes from a trusted IdP, using the X.509 certificate you uploaded for the IdP. If the result comes from an untrusted IdP, MetaAccess does not allow the user to log into your application.
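As an added illustration of the trust check in this footnote (example code written for this page, not MetaAccess's own implementation, whose internals are not documented here), the Python below shows what a SAML gateway checks with the uploaded PEM certificate before it verifies the Response signature: the Issuer, the Destination (the ACS URL from step 2), and that the verification key is the configured certificate, never one taken from the message itself. The certificate, issuer and URLs are constructed placeholders.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

# Namespaces used by a SAML 2.0 Response and its XML-DSig signature.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample inputs: not a real certificate and not a real IdP response.
CONSTRUCTED_CERT_B64 = base64.b64encode(b"constructed-idp-certificate-bytes").decode()
SAMPLE_IDP_PEM = "-----BEGIN CERTIFICATE-----\n" + CONSTRUCTED_CERT_B64 + "\n-----END CERTIFICATE-----\n"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="https://app.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c2ln</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CONSTRUCTED_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


def load_idp_cert_der(pem_text: str) -> bytes:
    """Accept only a PEM certificate (the format the console expects) and return its DER bytes."""
    if "-----BEGIN CERTIFICATE-----" not in pem_text:
        raise ValueError("IdP certificate must be PEM (base64 between BEGIN/END CERTIFICATE lines)")
    return ssl.PEM_cert_to_DER_cert(pem_text.strip())


def check_response_trust(saml_xml: str, idp_cert_pem: str, issuer: str, acs_url: str) -> dict:
    """Trust checks made before the XML signature of a SAML Response is verified.

    Raises ValueError on failure. Returns the fingerprint of the CONFIGURED certificate: that
    key, not the one embedded in KeyInfo (which the sender controls), must verify the signature.
    """
    configured_der = load_idp_cert_der(idp_cert_pem)
    root = ET.fromstring(saml_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a SAML 2.0 Response")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("Issuer is not the configured IdP")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match the registered ACS URL")
    signature = root.find("ds:Signature", namespaces=NS)
    if signature is None:
        raise ValueError("unsigned Response rejected")
    embedded = signature.findtext(".//ds:X509Certificate", namespaces=NS)
    if embedded is not None and base64.b64decode("".join(embedded.split())) != configured_der:
        raise ValueError("embedded certificate differs from the configured IdP certificate")
    return {"issuer": issuer, "verify_with_sha256": hashlib.sha256(configured_der).hexdigest()}
```

A Response that passes these checks still has to have its XML signature verified with the configured certificate's public key; the checks here only decide which key may be used and reject messages that name the wrong IdP or application.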