This page describes how to configure CloudGuard SaaS to work with Okta as an Identity Provider and G Suite as Service Provider. After the configuration is finished, all login requests to G Suite will go through CloudGuard SaaS Authentication Service.
#1 - This procedure will impact all G Suite users in your domain; it cannot be done only for specific user groups.
#2 - The change of Identity Provider in G Suite takes effect immediately.
#3 - Besides the configuration described in this article, you need to associate G Suite with CloudGuard SaaS in order to synchronize your users. This is done under Identity Protection\Configuration\SaaS Applications. Please consult the Identity Protection Admin Guide, section Getting Started - Initial Configuration, for more details.
Administrator privileges to Okta and G Suite are required for the following procedure.
Add and Configure Okta as an Identity Provider
- Log into CloudGuard SaaS portal and go to Configuration under the module Identity Protection. Under the tab Identity Providers, click on Add Identity Provider.
- In the wizard that opens, select Okta and click Next.
- Enter your domain name and click Next.
- Copy the Entity ID and the Reply URL to a text file and save them for later. Click Next.
- Log in to your Okta organization as an administrator. Under Applications, click Add Applications and Create New App.
- In the dialog that opens, select the SAML 2.0 option and click Create.
- In Section 1, General Settings, enter 'CloudGuard SaaS - Authentication Service' in the App name field. Click Next.
- In Section 2 'Configure SAML', Part A 'SAML Settings', fill in the Single sign on URL field with the Reply URL and the Audience URI (SP Entity ID) field with the Entity ID, both copied in step 4 from the CloudGuard SaaS portal.
For Name ID format, select Persistent.
- In the Attribute Statements section, add the following attribute statement (in format URI reference).
- Finally, select 'I am an Okta customer adding an internal app' and 'This is an internal app that we have created'. Click Finish.
- Download Identity Provider metadata. Right click on the blue link 'Identity Provider metadata' and choose Save link as. Add the extension .xml to the file name before saving.
- In CloudGuard SaaS portal, upload the metadata xml file in the Add Identity provider Wizard. Click Next.
- Assign the newly created app to all G Suite users in Okta. Then, click the Connect button in the Add Identity Provider wizard. This will open an Okta login form where you are prompted to enter your email address and password. After validation, you should see a Login Success message.
Configure G Suite to use CloudGuard SaaS Authentication Service as Identity Provider
- In the CloudGuard SaaS portal, navigate to Configuration under Identity Protection. In the box corresponding to the Okta Identity Provider you just configured, click on Click to add SaaS.
- In the wizard that opens, select G Suite and click Next.
- Entity ID and Reply URL are pre-filled. Click Next.
- Copy and paste the Sign-in page URL and the Sign-out page URL to a text file and save for later. Download the certificate and click Finish to save and close the wizard.
- Log into the G Suite admin console. Click on Security.
- Scroll down to section 'Set up single sign on (SSO)' and expand it.
- Check the boxes 'Setup SSO with third party identity provider' and 'Use a domain specific issuer'.
- Upload the certificate downloaded in step 4 from the CloudGuard SaaS portal.
We recommend uploading the certificate before filling out the Sign-in page and Sign-out page URLs, because of an intermittently observed Google behavior that clears those URLs after a certificate is uploaded.
- Fill out the Sign-in page URL and Sign-out page URL with the URLs provided by the Add Service Provider wizard in step 4.
You can leave the Change password URL empty. Click Save.
- You're done! All login requests to G Suite will now go through CloudGuard SaaS Authentication Service before reaching Okta. Login events will be shown in the CloudGuard SaaS portal under Identity Protection\Events.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.