This article will show you how to configure CloudGuard SaaS to work with Centrify as an Identity Provider and Microsoft Office 365. After you complete the configuration, all login requests to Office 365 will go through CloudGuard SaaS Authentication Service.
- This procedure will impact all Office 365 users in your domain; it cannot be done for specific user groups only.
- Changing the Identity Provider for Office 365 might take up to 2 hours to propagate to all Microsoft datacenters.
- Besides the configuration described in this article, you need to associate Microsoft Office 365 to CloudGuard SaaS in order to synchronize your users. This is done under Identity Protection\Configuration\SaaS Applications. Please consult the Identity Protection Admin Guide, section Getting Started - Initial Configuration, for more details.
Prerequisites
- A machine with PowerShell running on one of the following 64-bit versions of Windows: Windows 10, Windows 8.1, Windows 8, Windows 7 Service Pack 1 (SP1), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1.
- Microsoft Azure Active Directory Module for Windows PowerShell (the presence of the module is verified automatically by the script run in step 10 of the Office 365 configuration; if the module is missing, the script provides installation instructions).
- Administrator access to Centrify and Office 365.
Add and configure Centrify as an Identity Provider
1. Log into the Centrify Admin portal and create a new web application: under Apps, select Web Apps and click on Add Web Apps.
2. In the pop-up that opens, select the Custom tab and scroll down to SAML. Click on Add and then Yes in the confirmation window. Then click Close.
3. Edit the Name (e.g., CloudGuard SaaS - Authentication Service), Description and Category (Security) of the SAML App you created above and click Save.
4. In the Trust section, under Identity Provider Configuration, download the metadata file. You will need to upload it later to the CloudGuard SaaS portal.
5. Log into the CloudGuard SaaS portal and go to Configuration under the module Identity Protection. Under the tab Identity Providers, click on Add Identity Provider.
6. In the wizard that opens, select Centrify and click Next.
7. Enter your domain name and click Next.
8. Copy the Entity ID and the Reply URL to a text file and save them for later. Click Next.
9. Upload the metadata file you downloaded from the Centrify Admin Portal in step 4. Click Next.
10. Go to the Centrify Admin portal. In Web Apps, open your SAML Application. In the Trust section, under Service Provider Configuration, choose Manual Configuration. In the field SP Entity ID/Issuer/Audience, enter the Entity ID copied from the CloudGuard SaaS dashboard in step 8. In the field Assertion Consumer Service (ACS) URL, enter the Reply URL copied from that same step 8. Click Save.
11. Scroll down to the field Name ID Format and select Persistent. Click Save.
12. In the Permissions section, click Add and add the role configured for your Office 365 users. Click Add and then Save.
13. In the Centrify Admin Portal, navigate to the SAML Response section of the Web App you added for the CloudGuard SaaS (CGS) Authentication Service. Click Add and enter the following values:
    Attribute Name: /claims/immutableid
    Attribute Value: LoginUser.Base64EncodedGuid
14. Sign out from the Centrify Admin Portal. Then, in the CloudGuard SaaS portal, click on Check Connectivity. This opens a Centrify login form in which you will be prompted to enter an email address and password. After validation, you should see a Login Success message.
15. Click Finish to save your Identity Provider configuration and then close the wizard.
Configure Office 365 to use CloudGuard SaaS Authentication Service as an Identity Provider
1. In the CloudGuard SaaS portal, navigate to Configuration under Identity Protection. In the box corresponding to the Centrify Identity Provider you just configured, click on Click to add SaaS.
2. In the wizard that opens, select Office 365 and click Next.
3. Entity ID and Reply URL are pre-filled. Click Next.
4. Download Certificate (do not edit the file name) and click Finish to save and close the wizard.
5. Download the script from this link. Extract the zip file to a folder. In that same folder, paste the certificate downloaded from the portal in the previous step.
6. Open Windows PowerShell, run it as an administrator, and navigate to the path of the extracted folder.
7. Execute the following command in order to bypass the script execution policy for the current PowerShell session only:
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
8. Run the PowerShell script downloaded in step 5:
    .\office365_auth_service_sso.ps1 -domain <domain_name> -entity <entity_id>
    You will be prompted to log into Office 365 with global administrator credentials.
    <entity_id> is the Entity ID URL copied in step 8 of the "Add and configure Centrify as an Identity Provider" section. You can also find it by clicking on Edit on your Identity Provider in the CloudGuard SaaS portal.
    After you execute this script, Office 365 is configured to use CloudGuard SaaS Authentication Service as an Identity Provider for all users.
9. You have now completed the configuration. All login requests to Office 365 will now go through CloudGuard SaaS Authentication Service. Login events are shown in the CloudGuard SaaS portal under Identity Protection\Events.
Note: Due to a limitation on the Centrify side, when logging in to Office 365 users enter their email on the Office 365 login page and then need to re-enter it on the Centrify login screen.
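The vendor script above is not reproduced on this page, so the following is an added verification script, not Check Point's office365_auth_service_sso.ps1 and not code from the Centrify or Microsoft documentation. It covers the module prerequisite check listed above and then confirms, from the Office 365 side, that the domain has actually switched to federated authentication and that its federation settings match the Entity ID and certificate obtained from the CloudGuard SaaS portal. It assumes the MSOnline (Azure Active Directory) PowerShell module, that the SSO script registers the Entity ID as the domain's IssuerUri, and that the downloaded certificate is the token-signing certificate; the script name Verify-CgsFederation.ps1 and the parameter names are placeholders chosen for this example.

```powershell
# Added example (not the Check Point SSO script). Run after office365_auth_service_sso.ps1
# to confirm that Office 365 federation for the domain points at CloudGuard SaaS.
param(
    [Parameter(Mandatory)] [string] $Domain,          # your Office 365 domain, e.g. example.com (placeholder)
    [Parameter(Mandatory)] [string] $EntityId,        # Entity ID copied from the CloudGuard SaaS portal
    [Parameter(Mandatory)] [string] $CertificatePath  # certificate file downloaded from the portal
)

# 1. Prerequisite: the Azure Active Directory module for Windows PowerShell must be present.
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    throw "MSOnline module not found. Install it with: Install-Module MSOnline"
}
Import-Module MSOnline

# 2. Sign in interactively with a global administrator account.
Connect-MsolService

# 3. The domain must now be Federated rather than Managed. If it is still Managed,
#    either the SSO script did not run successfully or the change has not propagated yet
#    (the article states this can take up to 2 hours).
$dom = Get-MsolDomain -DomainName $Domain
if ($dom.Authentication -ne 'Federated') {
    throw "Domain $Domain is '$($dom.Authentication)', not Federated."
}

# 4. Compare the federation settings with the values obtained from the portal.
$fed  = Get-MsolDomainFederationSettings -DomainName $Domain
$localCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

# Azure AD stores the signing certificate as base64 DER; rebuild it and compare thumbprints
# so that line-wrapping or whitespace differences in the string do not cause false mismatches.
$fedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($fed.SigningCertificate))

$checks = @(
    # Assumption: the SSO script uses the CloudGuard SaaS Entity ID as the IssuerUri.
    @{ Name = 'IssuerUri matches the CloudGuard SaaS Entity ID'; Ok = ($fed.IssuerUri -eq $EntityId) }
    @{ Name = 'Token-signing certificate matches the downloaded file'; Ok = ($fedCert.Thumbprint -eq $localCert.Thumbprint) }
    @{ Name = 'PassiveLogOnUri uses HTTPS'; Ok = ($fed.PassiveLogOnUri -like 'https://*') }
    @{ Name = 'Signing certificate is not expired'; Ok = ($localCert.NotAfter -gt (Get-Date)) }
)

foreach ($c in $checks) {
    $status = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$status] $($c.Name)"
}

if ($checks | Where-Object { -not $_.Ok }) {
    throw "Federation settings for $Domain do not match the CloudGuard SaaS configuration; re-check the Entity ID and certificate before relying on SSO."
}

Write-Host "Federation for $Domain redirects logins to $($fed.PassiveLogOnUri); signing certificate expires $($localCert.NotAfter)."
```

Save the block as Verify-CgsFederation.ps1 in the same folder as the downloaded certificate and run it from the elevated PowerShell session used in step 6, for example `.\Verify-CgsFederation.ps1 -Domain <domain_name> -EntityId <entity_id> -CertificatePath .\<certificate_file>`. A FAIL on the IssuerUri or certificate check means Office 365 is federated, but not to the identity provider you intended, which is worth confirming immediately since every user login for the domain is now routed through that configuration; keeping the output of this script is also a convenient baseline for spotting later, unplanned changes to the domain's federation settings.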
This solution has been verified for the specific scenario described by the combination of Product, Version and Symptoms. It may not work in other scenarios.