Tech Note--Configuring
Reverse Proxy for Office 365
with Okta
Symantec CloudSOC Tech Note
Tech Note--Reverse Proxy for Office 365 with Okta
Copyright © 2020 Symantec Corp. 2
Copyright statement Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of
Broadcom.
The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information,
please visit www.broadcom.com.
Broadcom reserves the right to make changes without further notice to any products or data
herein to improve reliability, function, or design. Information furnished by Broadcom is believed
to be accurate and reliable. However, Broadcom does not assume any liability arising out of the
application or use of this information, nor the application or use of any product or circuit
described herein, neither does it convey any license under its patent rights nor the rights of
others.
Table of Contents
Introduction
Prerequisites
Gather information in CloudSOC
Configure reverse proxy in Okta
Create a custom attribute and assign it to the Okta user profile
Create a custom SAML app in Okta
Federate Okta with CloudSOC and Office 365
Configure IDP metadata in CloudSOC
Revision history
Introduction
This Tech Note describes how to configure the Office 365 Gatelet reverse proxy features
using Okta as an IDP.
Reverse proxy forwards all traffic tracked by the CloudSOC Office 365 Gatelet to the
CloudSOC Gateway for monitoring, including traffic originating from devices that have
neither the Reach agent nor the CloudSOC PAC file installed.
Prerequisites
You must already have configured:
● Okta as your identity provider (IDP)
● AD server as your directory source
● Okta - AD sync on the AD server to sync directory with Okta.
● Azure AD Connect to sync your AD to Microsoft Azure AD (Office 365)
● SpanVA to sync AD users to CloudSOC as described in the CloudSOC Tech Note Configuring DSS Directory Sync
● An onmicrosoft account for admin access
Gather information in CloudSOC
1. In CloudSOC, select Store.
2. In the Gatelets area of the Store page, click See all.
3. Hover over the Office 365 tile and select Activate with Reverse Proxy.
4. On the Configure SAML Federation box, copy the following URLs and paste them
into a text document:
● SSO Post URL
● Issuer URL (Entity ID)
5. Proceed to the procedures in Configure reverse proxy in Okta.
Configure reverse proxy in Okta
Perform the steps in the following sections after you download the necessary metadata
from the CloudSOC Store.
Create a custom attribute and assign it to the Okta user profile
1. In Okta, if you are using the Developer Console, open the Classic UI as shown in the
following. Some of the tools you use to configure CloudSOC reverse proxy are
absent or difficult to find in the Developer Console.
2. Select Directory, and then select Profile Editor to open the Profile Editor.
3. Next to the Okta user, click Profile as shown in the following.
4. At the top of the Attributes list, click Add Attribute and create a new attribute with
the following variable name:
office365_immutableId
Give the new attribute a description if you want, but leave all other attribute settings
at their defaults.
5. Click Save to create the new attribute.
6. Select Directory, and then select Directory Integrations to navigate to Directory
Integrations.
7. Click the entry for your Active Directory as shown in the following.
8. Click the Settings tab as shown in the following.
9. Scroll down to the Profile Attributes and Mappings area near the bottom of the
page, and in the Attribute Mappings area, click Edit Mappings as shown in the
following.
10. For Active Directory to Okta, create the following mapping as shown in the
following:
appuser.externalId → office365_immutableId
11. Scroll to the top of the page and click Directory, and then select Directory
Integrations and click Active Directory.
12. Click the Import tab, then click Import Now as shown in the following.
13. Select Incremental or Full import at your discretion, then click Import as shown in
the following.
14. Scroll to the top of the page and click the People tab.
15. Click any active user, then click the Profile tab.
16. Scroll to the bottom of the Attributes table and check that the
office365_immutableId attribute is populated with a value as shown in the
following.
17. Scroll down to the Additional Active Directory Attributes area, and check that the
Object GUID is populated with the same value as the office365_immutableId
attribute, as shown in the following.
Create a custom SAML app in Okta
1. Navigate to Applications, and then select Applications, then click Add Application
as shown in the following.
2. Click Create New App as shown in the following.
3. For Platform, click Web, mark the SAML2.0 radio button, then click Create.
4. Configure the following General Settings, as shown in the following:
App Name: Any convenient name, such as "Office 365 RP."
App Logo: Leave blank
Do not display application icon to users: Mark
Do not display application icon in the Okta Mobile app: Clear (unchecked)
5. Click Next.
6. Configure the following SAML settings, as shown in the following. Leave all other
settings in their default states:
Single sign on URL: Paste the SSO Post URL you got from the CloudSOC Activate Reverse Proxy box.
Audience URI: Paste the Issuer URL (Entity ID) you got from the CloudSOC Activate Reverse Proxy box.
7. In the Attribute Statements (Optional) area, add the following statement, as shown in
the following:
Name Name format Value
office365-nameID Unspecified user.office365_immutableId
8. Click Next.
9. On the Feedback page, mark the following buttons as shown in the following:
● I'm an Okta customer adding an internal app
● This is an internal app that we have created
10. Click Finish.
Okta redirects you to the Sign On tab for the app as shown in the following.
11. Right-click the link for Identity Provider metadata and select Copy Link Address, as
shown in the following.
12. Paste the metadata URL into the text file you use to record URLs.
13. Click the Assignments tab and assign the app to your users and groups.
Federate Okta with CloudSOC and Office 365
At an Azure PowerShell command prompt, use the following commands to federate Okta
with CloudSOC and Office 365:
1. Declare your credentials:
$UserCredential = Get-Credential
When prompted, enter the Office 365 credentials for the domain you want to
federate.
2. Login with your credentials:
Connect-MsolService -Credential $UserCredential
3. Determine the SLO URL from the SSO Post URL by finding and removing
"/bcsamlpost". For example, if the SSO Post URL you copied from the CloudSOC
Step 1 box is:
https://saml-proxy.edge-mycompany.co/saml/casb_rp_samlrealm/bcsamlpost/proxy/5c5fb4…
The SLO URL would be:
https://saml-proxy.edge-mycompany.co/saml/casb_rp_samlrealm/proxy/5c5fb4…
4. Declare the following variables:
$domain = "<yourdomain>.com"
$issuer = "<Paste the Issuer URL (Entity ID) you copied from the CloudSOC Step 1 box>"
$ssoUrl = "<Paste the SSO Post URL you copied from the Step 1 box>"
$sloUrl = "<Paste the SLO URL you determined from the SSO Post URL>"
$certificateFile = "<Enter the location of the Federation Certificate file you downloaded from the Step 1 box, for example C:\rp\prod-cert.pem>"
$certificate = [IO.File]::ReadAllText($certificateFile)
$certificate = $certificate.replace("-----BEGIN CERTIFICATE-----", "")
$certificate = $certificate.replace("-----END CERTIFICATE-----", "")
# PowerShell escape sequences use a backtick, so "`r" and "`n" (not "\r" and "\n") strip the line breaks
$certificate = $certificate.replace("`r", "")
$certificate = $certificate.replace("`n", "")
5. Federate Okta with CloudSOC and Office 365 using the declared variables:
Set-MsolDomainAuthentication -FederationBrandName $domain `
    -DomainName $domain -Authentication federated `
    -PreferredAuthenticationProtocol SAMLP -IssuerUri $issuer `
    -SigningCertificate $certificate -PassiveLogOnUri $ssoUrl `
    -LogOffUri $sloUrl
6. Verify domain federation settings:
Get-MsolDomainFederationSettings -DomainName $domain
PowerShell responds with the federation details as shown in the following example.
PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName "tryelasticarpqa2.com"
ActiveLogOnUri :
DefaultInteractiveAuthenticationMethod :
FederationBrandName : tryelasticarpqa2.com
IssuerUri : https://saml-proxy.edge-eoe.elastica-inc.com/saml/casb_rp_samlrealm/5c5fb480d0034c56ac952ee889501560_tryelasticarpqa2com
LogOffUri : https://saml-proxy.edge-eoe.elastica-inc.com/saml/casb_rp_samlrealm/proxy/5c5fb480d0034c56ac952ee889501560_tryelasticarpqa2com
MetadataExchangeUri :
NextSigningCertificate :
OpenIdConnectDiscoveryEndpoint :
PassiveLogOnUri : https://saml-proxy.edge-eoe.elastica-inc.com/saml/casb_rp_samlrealm/bcsamlpost/proxy/5c5fb480d0034c56ac952ee889501560_tryelasticarpqa2com
SigningCertificate : MIIGKjCCBBKgAwIBAgIJAN/UsSKVumt1MA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxJDAiBgNVBAMUGyouZWRnZS1lb2UuZWxhc3RpY2Eta...
SupportsMfa :
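As an added example (not part of the original Tech Note), the following PowerShell script carries out steps 3 through 6 above as one unit: it derives the SLO URL from the SSO Post URL, converts the PEM federation certificate into the bare base64 string that Set-MsolDomainAuthentication expects, checks that the string actually parses as a currently valid X.509 certificate before the tenant is changed, applies the federation settings, and then reads them back and compares each value to what was intended. The domain, URLs and certificate path are placeholders, and it assumes the MSOnline module is loaded and Connect-MsolService has already been run as in steps 1 and 2.

```powershell
# Added example, not from the Tech Note. Placeholder values: replace before use.
$domain          = "yourdomain.com"
$issuer          = "https://saml-proxy.edge-mycompany.co/saml/casb_rp_samlrealm/<id>"
$ssoUrl          = "https://saml-proxy.edge-mycompany.co/saml/casb_rp_samlrealm/bcsamlpost/proxy/<id>"
$certificateFile = "C:\rp\prod-cert.pem"

# Step 3: the SLO URL is the SSO Post URL with the "/bcsamlpost" segment removed.
$sloUrl = $ssoUrl.Replace("/bcsamlpost", "")

# Step 4: MSOnline wants only the base64 body of the PEM: no header, footer or line breaks.
$pem = [IO.File]::ReadAllText($certificateFile)
$certificate = ($pem -replace "-----(BEGIN|END) CERTIFICATE-----", "") -replace "\s", ""

# Sanity check before touching the tenant: the string must decode to an X.509 certificate
# that is still valid. A wrong or expired signing certificate breaks every federated sign-in.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($certificate))
if ($x509.NotAfter -lt (Get-Date)) {
    throw "Federation certificate expired on $($x509.NotAfter); aborting."
}
Write-Host "Signing certificate subject: $($x509.Subject), valid until $($x509.NotAfter)"

# Step 5: federate the domain with the CloudSOC SAML proxy.
Set-MsolDomainAuthentication -DomainName $domain -FederationBrandName $domain `
    -Authentication Federated -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $issuer -PassiveLogOnUri $ssoUrl -LogOffUri $sloUrl `
    -SigningCertificate $certificate

# Step 6: read the settings back and compare each field to what was intended, so a typo
# in an issuer or sign-in URL is caught here rather than by locked-out users.
$actual   = Get-MsolDomainFederationSettings -DomainName $domain
$expected = @{
    IssuerUri          = $issuer
    PassiveLogOnUri    = $ssoUrl
    LogOffUri          = $sloUrl
    SigningCertificate = $certificate
}
$mismatches = $expected.Keys | Where-Object { $actual.$_ -ne $expected[$_] }
if ($mismatches) {
    throw "Federation settings do not match intended values: $($mismatches -join ', ')"
}
Write-Host "Federation for $domain verified: issuer, sign-in, sign-out and certificate match."
```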
Configure IDP metadata in CloudSOC
1. In CloudSOC, navigate back to Store, then select Gatelets, and then select Office
365.
2. Click Activate with Reverse Proxy.
3. Click Next: Provide SSO Provider Metadata.
4. In the Metadata from your SSO Provider area, click Metadata URL.
5. Paste the link address for the identity provider metadata you copied from Okta in
the section Create a custom SAML app in Okta, as shown in the following.
6. Click Complete Activation.
7. Wait a few minutes, then check the Office 365 Gatelet tile in the store to make sure
reverse proxy is enabled as shown in the following.
Revision history
Date Version Description
27 September 2018 1.0 Initial release