This page describes how to configure CloudGuard SaaS to work with Microsoft Azure AD as an Identity Provider and G Suite as a Service Provider. After the configuration is finished, all login requests to G Suite will go through the CloudGuard SaaS Authentication Service.
Notes:
- This procedure affects all G Suite users in your domain; it cannot be limited to specific user groups.
- The change of Identity Provider in G Suite takes effect immediately.
- Besides the configuration described in this article, you need to associate G Suite with CloudGuard SaaS in order to synchronize your users. This is done under Identity Protection\Configuration\SaaS Applications. See the Identity Protection Admin Guide, section Getting Started - Initial Configuration, for details.
Prerequisites:
- Administrator privileges in Microsoft Azure AD and G Suite
- Premium subscription to Microsoft Azure AD
Add and Configure Azure AD as an Identity Provider
1. Log into the CloudGuard SaaS portal and go to Configuration under the Identity Protection module. Under the Identity Providers tab, click Add Identity Provider.
2. A wizard opens. Select Microsoft Azure AD and click Next.
3. Enter your domain name and click Next.
4. Copy the Entity ID and the Reply URL to a text file and save them for later. Click Next.
5. Log into the Microsoft Azure AD admin console (https://portal.azure.com). In the left pane, click Azure Active Directory.
6. In the sub-menu bar, click Enterprise Applications.
7. Click New Application.
8. Choose to create a Non-gallery application. Give your new application a display name, for example 'CGS Authentication Service'. Click Add.
9. You are redirected to the dashboard of the new application. Navigate to the menu item Single sign-on and select SAML as the SSO method.
10. The SAML configuration page opens. In section 1, Basic SAML Configuration, click the pencil icon to edit.
11. In Identifier and Reply URL, paste the Entity ID and the Reply URL, respectively, that you copied from the CloudGuard SaaS portal in step 4. Click Save and then close the dialog.
12. In section 3, SAML Signing Certificate, download the federation metadata XML file.
13. Go back to the Add Identity Provider wizard in CloudGuard SaaS and upload the metadata file you just downloaded from the Azure AD management console. Click Next.
14. In the Azure AD management console, navigate to Users and groups and click Add user.
15. Select all your G Suite users, click Select and then Assign.
16. Sign out of the Azure AD management console. Then go back to the Add Identity Provider wizard in CloudGuard SaaS and click the Check Connectivity button. This opens an Azure AD login form where you are prompted for your email address and password. After validation, you should see a Login Success message.
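The federation metadata file downloaded from Azure AD in the step above and uploaded to CloudGuard SaaS is the only thing that tells the Authentication Service which issuer, which endpoints and which signing certificate to trust, so it is worth inspecting before the upload. The following script is an added example written for this article (it is not Check Point, Microsoft or Google code): it parses a SAML 2.0 IdP metadata file with the Python standard library, rejects files that are not IdP metadata or that carry non-HTTPS endpoints, and prints the entityID, the SSO/SLO endpoints and the SHA-1/SHA-256 fingerprints of the signing certificate so you can compare the SHA-1 value against the Thumbprint shown in the SAML Signing Certificate section of the Azure portal. The embedded sample metadata, the all-zero tenant id and the certificate bytes are constructed placeholders, not values from a real tenant.

```python
"""Pre-upload checks on a SAML 2.0 IdP federation metadata file.

Added example, not vendor code. Parses the XML that Azure AD hands out and
extracts what an admin should verify before uploading it to CloudGuard SaaS.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the DER-encoded X.509 certificate; a real file
# carries the base64 of the actual signing certificate here.
FAKE_DER = b"\x30\x0b" + b"constructed"
_B64_CERT = base64.b64encode(FAKE_DER).decode("ascii")
_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed sample shaped like Azure AD federation metadata.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_B64_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _fingerprints(der: bytes) -> dict:
    # Azure displays the SHA-1 thumbprint as uppercase hex without separators.
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
        "der_len": len(der),
    }


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, endpoints and signing-cert fingerprints, or raise
    ValueError when the file is not usable IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is %s, not md:EntityDescriptor" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for loc in list(sso.values()) + list(slo.values()):
        # Credentials and assertions travel through these URLs: require TLS.
        if not (loc or "").startswith("https://"):
            raise ValueError("endpoint is not HTTPS: %r" % loc)

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((node.text or "").split()), validate=True)
            if not der.startswith(b"\x30"):  # DER Certificate is an ASN.1 SEQUENCE
                raise ValueError("X509Certificate is not DER-encoded")
            certs.append(_fingerprints(der))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {"entity_id": entity_id, "sso": sso, "slo": slo, "signing_certs": certs}


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for binding, url in info["sso"].items():
        print("SSO", binding.rsplit(":", 1)[-1], url)
    for cert in info["signing_certs"]:
        print("signing cert SHA-1 :", cert["sha1"])
        print("signing cert SHA-256:", cert["sha256"])
```

To check a real download, replace SAMPLE_METADATA with the contents of the file from the Azure portal; the SHA-1 line should match the Thumbprint displayed next to the certificate in section 3 of the SAML configuration page, and the entityID should be the sts.windows.net URL for your tenant. The script deliberately stops at fingerprinting: validating the certificate chain and expiry is left to the Authentication Service that consumes the file.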
Configure G Suite to use CloudGuard SaaS Authentication Service as an Identity Provider
1. In the CloudGuard SaaS portal, navigate to Configuration under Identity Protection. In the box for the Azure AD Identity Provider you just configured, click Click to add SaaS.
2. A wizard opens. Select G Suite and click Next.
3. The Entity ID and Reply URL are pre-filled. Click Next.
4. Copy the Sign-in page URL and the Sign-out page URL to a text file and save them for later. Download the certificate and click Finish to save and close the wizard.
5. Log into the G Suite admin console and click Security.
6. Scroll down to the section Set up single sign on (SSO) and expand it.
7. Check the boxes Setup SSO with third party identity provider and Use a domain specific issuer.
8. Upload the certificate downloaded from the CloudGuard SaaS portal in step 4. We recommend doing this before filling out the Sign-in page and Sign-out page URLs, because the Google admin console has occasionally been observed to clear those URLs after a certificate is uploaded.
9. Fill out the Sign-in page URL and the Sign-out page URL with the URLs provided by the Add Service Provider wizard in step 4. You can leave the Change password URL empty. Click Save.
All login requests to G Suite now go through the CloudGuard SaaS Authentication Service before reaching Azure AD. Login events are shown in the CloudGuard SaaS portal under Identity Protection\Events.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.