This page describes how to configure CloudGuard SaaS to work with Okta as an Identity Provider and Microsoft Office 365. After the configuration is finished, all login requests to Office 365 will go through CloudGuard SaaS Authentication Service.
#1 - This procedure will impact all Office 365 users in your domain; it cannot be done only for specific user groups.
#2 - The change of Identity Provider for Office 365 might take up to 2 hours to propagate to all Microsoft datacenters. Click here for more information.
#3 - Besides the configuration described in this article, you need to associate Microsoft Office 365 to CloudGuard SaaS in order to synchronize your users. This is done under Identity Protection\Configuration\SaaS Applications. Please consult the Identity Protection admin guide, section Getting Started - Initial Configuration, for more details.
- Machine with PowerShell running on one of the following 64-bit versions of Windows: Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1.
- Microsoft Azure Active Directory Module for Windows PowerShell (the presence of the module is verified automatically by the script run in step 2.j (Office 365 configuration)).
- Administrator access to Okta and Office 365
Add and Configure Okta as an Identity Provider
- Log into CloudGuard SaaS portal and go to Configuration under the module Identity Protection. Under the tab Identity Providers, click on Add Identity Provider.
- In the wizard that opens, select Okta and click Next.
- Enter your domain name and click Next.
- Copy the Entity ID and the Reply URL to a text file and save them for later. Click Next.
- Log in to your Okta organization as an administrator and open an Office 365 user's profile.
- Scroll down to the field ImmutableId. Verify that the field mapped to ImmutableId returns an actual value, then copy the field name and keep it for later.
- In the Okta administrative portal, under Applications, click Add Applications and Create New App.
- In the dialog that opens, select the SAML 2.0 option and click Create.
- In Section 1, General Settings, enter 'CloudGuard SaaS - Authentication Service' in the App name field. Click Next.
- In Section 2 'Configure SAML', Part A 'SAML Settings', fill in the Single sign on URL and Audience URI (SP Entity ID) fields respectively with the Reply URL and the Entity ID URL copied in step 4 from the CloudGuard SaaS portal.
For Name ID format, select Persistent.
- In the Attribute Statements section, add 2 attribute statements (both in format URI reference).
a. Name: /claims/emailaddress
b. Name: /ImmutableId
Value: user.<field mapped to ImmutableId> (Field copied in step 6 from the user profile in Okta)
- Finally, select 'I am an Okta customer adding an internal app' and 'This is an internal app that we have created'. Click Finish.
- Download the Identity Provider metadata: right-click the blue link 'Identity Provider metadata' and choose Save link as.
- In CloudGuard SaaS portal, upload the metadata xml file in the Add Identity provider Wizard. Click Next.
- Assign the newly created app to all Office 365 users in Okta. Then, click the Connect button in the Add Identity Provider wizard. This will open an Okta login form where you are prompted to enter your email address and password. After validation, you should see a Login Success message.
Configure Office 365 to use CloudGuard SaaS Authentication Service as Identity Provider
- In the CloudGuard SaaS portal, navigate to Configuration under Identity Protection. In the box corresponding to the Okta Identity Provider you just configured, click on Click to add SaaS.
- In the wizard that opens, select Office 365 and click Next.
- Entity ID and Reply URL are pre-filled. Click Next.
- Download certificate and click Finish to save and close the wizard.
- Download script from this link.
Extract the zip file to a folder. In that same folder, paste the certificate downloaded from the portal in the previous step.
- Open Windows PowerShell, run as administrator and navigate to the path of the extracted folder.
- Execute the following command to bypass the script execution policy for the current PowerShell session only:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Before continuing to the next step, make sure that you are familiar with the commands needed to revert the changes if necessary (that is, to configure Office 365 to use Okta directly as its Identity Provider). See this link for reference.
- Run PowerShell script downloaded in step 6:
.\office365_auth_service_sso.ps1 -domain <domain_name> -entity <entity_id>
You will be prompted to log into Office 365 with administrator credentials.
After executing this script, Office 365 will be configured to use CloudGuard SaaS Authentication Service as an Identity Provider for all users.
- You're done! All login requests to Office 365 will now go through CloudGuard SaaS Authentication Service. Login events will be shown in the CloudGuard SaaS portal under Identity Protection\Events.
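To act on the advice above about knowing how to revert, the following helper, added here as an example and not part of the article or the vendor's office365_auth_service_sso.ps1 script, records the domain's current federation settings before the script runs and restores them afterwards if needed. It uses the MSOnline cmdlets of the Azure AD Module for Windows PowerShell the article requires; the function names and backup file path are assumptions.

```powershell
# Added example (not the article's or vendor script's code): back up the
# current Office 365 federation settings before running
# office365_auth_service_sso.ps1 so the previous Identity Provider (Okta)
# can be restored. Function names and backup path are assumptions.
function Backup-DomainFederation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$BackupPath = ".\federation-$DomainName-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml"
    )
    if (-not (Get-Module -ListAvailable -Name MSOnline)) {
        throw "MSOnline module not found; install it with: Install-Module MSOnline"
    }
    Import-Module MSOnline
    Connect-MsolService                       # interactive admin sign-in

    $domain = Get-MsolDomain -DomainName $DomainName
    Write-Host "Current authentication type for ${DomainName}: $($domain.Authentication)"
    if ($domain.Authentication -ne 'Federated') { Write-Host "Managed domain; nothing to back up."; return $null }

    # Everything needed to re-create the federation is in this object
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $fed | Export-Clixml -Path $BackupPath
    Write-Host "IssuerUri       : $($fed.IssuerUri)"
    Write-Host "PassiveLogOnUri : $($fed.PassiveLogOnUri)"
    Write-Host "Settings saved to $BackupPath"
    return $BackupPath
}

function Restore-DomainFederation {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$BackupPath
    )
    $fed = Import-Clixml -Path $BackupPath
    Connect-MsolService
    # A federated domain must be converted to Managed before re-federating it
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
        -IssuerUri $fed.IssuerUri -PassiveLogOnUri $fed.PassiveLogOnUri `
        -ActiveLogOnUri $fed.ActiveLogOnUri -LogOffUri $fed.LogOffUri `
        -SigningCertificate $fed.SigningCertificate `
        -PreferredAuthenticationProtocol $fed.PreferredAuthenticationProtocol   # WsFed or SAMLP
    Get-MsolDomainFederationSettings -DomainName $DomainName   # confirm the restored values
}

# Usage: $backup = Backup-DomainFederation -DomainName 'example.com'   (placeholder domain)
#        ... run .\office365_auth_service_sso.ps1 ...; then if needed:
#        Restore-DomainFederation -DomainName 'example.com' -BackupPath $backup
```

Keep the backup file off the machine used for the change if possible, since it contains the signing certificate (public part) and issuer URIs that define who Office 365 trusts for your domain.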
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.