
Tech Note--Configuring Reverse Proxy for Office 365 with Okta

Symantec CloudSOC Tech Note

Tech Note--Reverse Proxy for Office 365 with Okta

Copyright © 2020 Symantec Corp.

Copyright statement

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


Table of Contents

Introduction

Prerequisites

Gather information in CloudSOC

Configure reverse proxy in Okta

Create a custom attribute and assign it to the Okta user profile

Create a custom SAML app in Okta

Federate Okta with CloudSOC and Office 365

Configure IDP metadata in CloudSOC

Revision history


Introduction

This Tech Note describes how to configure the Office 365 Gatelet reverse proxy features using Okta as an IDP.

Reverse proxy forwards all traffic tracked by the CloudSOC Office 365 Gatelet to the CloudSOC Gateway for monitoring, even traffic originating from devices that have neither the Reach agent nor the CloudSOC PAC file installed.

Prerequisites

You must already have configured:

● Okta as your identity provider (IDP)

● An AD server as your directory source

● Okta-AD sync on the AD server to sync the directory with Okta

● Azure AD Connect to sync your AD to Microsoft Azure AD (Office 365)

● SpanVA to sync AD users to CloudSOC, as described in the CloudSOC Tech Note Configuring DSS Directory Sync

● An onmicrosoft account for admin access

Gather information in CloudSOC

1. In CloudSOC, select Store.

2. In the Gatelets area of the Store page, click See all.

3. Hover over the Office 365 tile and select Activate with Reverse Proxy.


4. On the Configure SAML Federation box, copy the following URLs and paste them into a text document:

● SSO Post URL

● Issuer URL (Entity ID)

5. Proceed to the procedures in Configure reverse proxy in Okta.

Configure reverse proxy in Okta

Perform the steps in the following sections after you download the necessary metadata from the CloudSOC Store.

Create a custom attribute and assign it to the Okta user profile

1. In Okta, if you are using the Developer Console, open the Classic UI as shown in the following. Some of the tools you use to configure CloudSOC reverse proxy are absent or difficult to find in the Developer Console.

2. Select Directory, and then select Profile Editor to open the Profile Editor.

3. Next to the Okta user, click Profile as shown in the following.

4. At the top of the Attributes list, click Add Attribute and create a new attribute with the following variable name:

office365_immutableId

Give the new attribute a description if you want, but leave all other attribute settings at their defaults.

5. Click Save to create the new attribute.

6. Select Directory, and then select Directory Integrations to navigate to Directory Integrations.

7. Click the entry for your Active Directory as shown in the following.

8. Click the Settings tab as shown in the following.


9. Scroll down to the Profile Attributes and Mappings area near the bottom of the page, and in the Attribute Mappings area, click Edit Mappings as shown in the following.

10. For Active Directory to Okta, create the following mapping as shown in the following:

   Active Directory attribute: appuser.externalId
   Okta attribute: office365_immutableId

11. Scroll to the top of the page and click Directory, then select Directory Integrations and click Active Directory.

12. Click the Import tab, then click Import Now as shown in the following.


13. Select Incremental or Full import at your discretion, then click Import as shown in the following.

14. Scroll to the top of the page and click the People tab.

15. Click any active user, then click the Profile tab.

16. Scroll to the bottom of the Attributes table and check that the office365_immutableId attribute is populated with a value as shown in the following.

17. Scroll down to the Additional Active Directory Attributes area, and check that the Object GUID is populated with the same value as the office365_immutableId attribute, as shown in the following.


Create a custom SAML app in Okta

1. Navigate to Applications, and then select Applications, then click Add Application as shown in the following.

2. Click Create New App as shown in the following.

3. For Platform, click Web, mark the SAML 2.0 radio button, then click Create.

4. Configure the following General Settings, as shown in the following:

   App Name: Any convenient name, such as "Office 365 RP."
   App Logo: Leave blank
   Do not display application icon to users: Mark
   Do not display application icon in the Okta Mobile app: Clear (unchecked)


5. Click Next.

6. Configure the following SAML settings, as shown in the following. Leave all other settings in their default states:

   Single sign on URL: Paste the SSO Post URL you got from the CloudSOC Activate Reverse Proxy box.
   Audience URI: Paste the Issuer URL (Entity ID) you got from the CloudSOC Activate Reverse Proxy box.

7. In the Attribute Statements (Optional) area, add the following statement, as shown in the following:


   Name: office365-nameID
   Name format: Unspecified
   Value: user.office365_immutableId

8. Click Next.

9. On the Feedback page, mark the following buttons as shown in the following:

● I'm an Okta customer adding an internal app

● This is an internal app that we have created


10. Click Finish.

Okta redirects you to the Sign On tab for the app as shown in the following.

11. Right-click the link for Identity Provider metadata and select Copy Link Address, as shown in the following.

12. Paste the metadata URL into the text file you use to record URLs.


13. Click the Assignments tab and assign the app to your users and groups.

Federate Okta with CloudSOC and Office 365

At an Azure PowerShell command prompt, use the following commands to federate Okta with CloudSOC and Office 365:

1. Declare your credentials:

$UserCredential = Get-Credential

When prompted, enter the Office 365 credentials for the domain you want to

federate.

2. Login with your credentials:

Connect-MsolService -Credential $UserCredential

3. Determine the SLO URL from the SSO Post URL by finding and removing "/bcsamlpost". For example, if the SSO Post URL you copied from the CloudSOC Step 1 box is:

https://saml-proxy.edge-mycompany.co/saml/casb_rp_samlrealm/bcsamlpost/proxy/5c5fb4…

the SLO URL would be:

https://saml-proxy.edge-mycompany.co/saml/casb_rp_samlrealm/proxy/5c5fb4…

4. Declare the following variables. Quote the string values; the text in angle brackets is a placeholder for the value you recorded:

$domain = "<yourdomain>.com"
$issuer = "<Paste the Issuer URL (Entity ID) you copied from the CloudSOC Step 1 box>"
$ssoUrl = "<Paste the SSO Post URL you copied from the Step 1 box>"
$sloUrl = "<Paste the SLO URL you determined from the SSO Post URL>"
$certificateFile = "<Enter the location of the Federation Certificate file you downloaded from the Step 1 box, in the format C:\rp\prod-cert.pem>"
$certificate = [IO.File]::ReadAllText($certificateFile)
# Strip the PEM armour so that only the Base64 body remains
$certificate = $certificate.Replace("-----BEGIN CERTIFICATE-----", "")
$certificate = $certificate.Replace("-----END CERTIFICATE-----", "")
# Remove line breaks. PowerShell escape sequences use a backtick; "\r" and "\n"
# in a double-quoted string are the literal characters and would remove nothing.
$certificate = $certificate.Replace("`r", "")
$certificate = $certificate.Replace("`n", "")

5. Federate Okta with CloudSOC and Office 365 using the declared variables:

Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain -Authentication Federated -PreferredAuthenticationProtocol SAMLP -IssuerUri $issuer -SigningCertificate $certificate -PassiveLogOnUri $ssoUrl -LogOffUri $sloUrl

6. Verify the domain federation settings:

Get-MsolDomainFederationSettings -DomainName $domain

PowerShell responds with the federation details as shown in the following example.

PS C:\Users\Administrator> Get-MsolDomainFederationSettings -DomainName "tryelasticarpqa2.com"

ActiveLogOnUri                         :
DefaultInteractiveAuthenticationMethod :
FederationBrandName                    : tryelasticarpqa2.com
IssuerUri                              : https://saml-proxy.edge-eoe.elastica-inc.com/saml/casb_rp_samlrealm/5c5fb480d0034c56ac952ee889501560_tryelasticarpqa2com
LogOffUri                              : https://saml-proxy.edge-eoe.elastica-inc.com/saml/casb_rp_samlrealm/proxy/5c5fb480d0034c56ac952ee889501560_tryelasticarpqa2com
MetadataExchangeUri                    :
NextSigningCertificate                 :
OpenIdConnectDiscoveryEndpoint         :
PassiveLogOnUri                        : https://saml-proxy.edge-eoe.elastica-inc.com/saml/casb_rp_samlrealm/bcsamlpost/proxy/5c5fb480d0034c56ac952ee889501560_tryelasticarpqa2com
SigningCertificate                     : MIIGKjCCBBKgAwIBAgIJAN/UsSKVumt1MA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxJDAiBgNVBAMUGyouZWRnZS1lb2UuZWxhc3RpY2Eta...
SupportsMfa                            :
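The following PowerShell script is an added example; it is not part of the Tech Note and not tooling shipped by Symantec, Broadcom or Okta. It wraps steps 3 through 6 of the procedure above in checked functions: it derives the SLO URL from the SSO Post URL by removing the /bcsamlpost segment and refuses an input that lacks it, converts the PEM certificate into the single-line Base64 string that Set-MsolDomainAuthentication expects while rejecting an unparseable or expired certificate, and after federation compares what Get-MsolDomainFederationSettings reports for the domain with the intended issuer, sign-on, log-off and certificate values. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the function names and every URL and path in the driver section are placeholders of this example, to be replaced with the values recorded from the CloudSOC Step 1 box.

```powershell
# Added example, not from the Tech Note. Assumes the MSOnline module is loaded
# and Connect-MsolService has already been run. All values in the driver
# section are placeholders.
Set-StrictMode -Version Latest

function Get-SloUrlFromSsoUrl {
    # The SLO URL is the SSO Post URL with the "/bcsamlpost" path segment removed.
    param([Parameter(Mandatory)][string]$SsoUrl)

    if ($SsoUrl -notlike '*/bcsamlpost/*') {
        throw "SSO Post URL does not contain '/bcsamlpost': $SsoUrl"
    }
    return $SsoUrl.Replace('/bcsamlpost', '')
}

function ConvertFrom-PemCertificate {
    # Strip the PEM armour and all whitespace, then parse the result so that a
    # truncated or corrupted file fails here instead of during federation.
    param([Parameter(Mandatory)][string]$Path)

    $pem    = [IO.File]::ReadAllText($Path)
    $base64 = ($pem -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                  [Convert]::FromBase64String($base64))

    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Federation certificate expired on $($cert.NotAfter)"
    }
    return [pscustomobject]@{
        Base64     = $base64
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
    }
}

function Test-FederationSettings {
    # Compare the settings Azure AD now holds for the domain with the intended values.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$Issuer,
        [Parameter(Mandatory)][string]$SsoUrl,
        [Parameter(Mandatory)][string]$SloUrl,
        [Parameter(Mandatory)][string]$CertificateBase64
    )

    $actual   = Get-MsolDomainFederationSettings -DomainName $Domain
    $expected = @{
        IssuerUri          = $Issuer
        PassiveLogOnUri    = $SsoUrl
        LogOffUri          = $SloUrl
        SigningCertificate = $CertificateBase64
    }

    $mismatches = foreach ($name in $expected.Keys) {
        if ($actual.$name -ne $expected[$name]) {
            "{0}: expected '{1}', got '{2}'" -f $name, $expected[$name], $actual.$name
        }
    }
    if ($mismatches) {
        $mismatches | ForEach-Object { Write-Warning $_ }
        return $false
    }
    Write-Host "Federation settings for $Domain match the intended configuration."
    return $true
}

# --- Driver: placeholder values, replace with those recorded from the CloudSOC Step 1 box ---
$domain          = '<yourdomain>.com'
$issuer          = '<Issuer URL (Entity ID) from the CloudSOC Step 1 box>'
$ssoUrl          = 'https://saml-proxy.edge-mycompany.co/saml/casb_rp_samlrealm/bcsamlpost/proxy/<realm-id>'
$certificateFile = 'C:\rp\prod-cert.pem'

$sloUrl   = Get-SloUrlFromSsoUrl -SsoUrl $ssoUrl
$certInfo = ConvertFrom-PemCertificate -Path $certificateFile
Write-Host "Signing certificate $($certInfo.Thumbprint) ($($certInfo.Subject)) valid until $($certInfo.NotAfter)"

Set-MsolDomainAuthentication -FederationBrandName $domain -DomainName $domain `
    -Authentication Federated -PreferredAuthenticationProtocol SAMLP `
    -IssuerUri $issuer -SigningCertificate $certInfo.Base64 `
    -PassiveLogOnUri $ssoUrl -LogOffUri $sloUrl

Test-FederationSettings -Domain $domain -Issuer $issuer -SsoUrl $ssoUrl `
    -SloUrl $sloUrl -CertificateBase64 $certInfo.Base64 | Out-Null
```

Parsing the certificate before federating is the useful part: Set-MsolDomainAuthentication will accept any string for -SigningCertificate, and a certificate that is truncated or already expired only shows up later as failed sign-ins, whereas the X509Certificate2 constructor rejects a bad file immediately and the NotAfter check flags an expired one. The final comparison also catches the common mistake of pasting the SSO Post URL into -LogOffUri, since the two differ only by the /bcsamlpost segment.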

Configure IDP metadata in CloudSOC

1. In CloudSOC, navigate back to Store, then select Gatelets, and then select Office 365.

2. Click Activate with Reverse Proxy.

3. Click Next: Provide SSO Provider Metadata.

4. In the Metadata from your SSO Provider area, click Metadata URL.

5. Paste the link address for the identity provider metadata you copied from Okta in the section Create a custom SAML app in Okta, as shown in the following.

6. Click Complete Activation.

7. Wait a few minutes, then check the Office 365 Gatelet tile in the store to make sure reverse proxy is enabled, as shown in the following.

Revision history

Date               Version  Description
27 September 2018  1.0      Initial release
