Add Unsanctioned Device Access Control to Aperture

Use your next-generation firewall to control unsanctioned device access by configuring Aperture as a SAML proxy.
You can control access from unmanaged and employee-owned devices to your sanctioned SaaS applications by configuring the Aperture service as your SAML proxy. Unsanctioned device access control works by SAML redirection through the proxy: the user's traffic is redirected through your next-generation firewall, which reduces the exposure to data exfiltration and malware propagation. When an employee needs to access a SaaS app from an unmanaged computer or mobile device, the authentication request is sent through the Aperture SAML proxy and authenticated by your Identity Provider. Once the user is authenticated, the session is redirected through the firewall, which gives you visibility into and control over access to corporate resources on the SaaS app.
There are several options available for an Identity Provider (IDP) and Service Provider (SP); this example uses Okta as the Identity Provider and G Suite as the SaaS application (Service Provider).
Step 1. Create an Aperture app on the Identity Provider.
An Aperture application integration with the IDP allows you to authenticate requests to sanctioned SaaS applications from unmanaged devices.

Step 2. Add the Identity Provider on Aperture.
Configure the IDP on Aperture so that it can authenticate access through the SAML 2.0 proxy.

Step 3. Create a Service Provider app on the Identity Provider.
A SaaS app (Service Provider) integration with the IDP authenticates user requests before granting access to SaaS application resources. An app integration must be created on the IDP for each SaaS application.

Step 4. Add the Service Provider on Aperture.
Configure the SaaS application on the Aperture service to authenticate the user and redirect traffic to your firewall. Each SaaS application whose access you want to control must be configured on Aperture.

Step 5. Configure the Identity Provider on the Service Provider.
Configure the IDP settings on the SP to establish the trust relationship that identifies the user, grants access, and authenticates an Aperture session so that the traffic is redirected through the next-generation firewall.

Step 6. Configure the Clientless VPN on your firewall.
Configure Aperture on your Clientless VPN to redirect the remote users' authentication requests and application traffic through the firewall.

Step 7. Configure the gateway settings for the firewall on Aperture.
Configure the firewall portal settings on Aperture to establish a trust relationship between the firewall and the Aperture service. The portal can be identified by your domain, an IP address, a combination of domains and IP addresses, or a configured GlobalProtect Cloud Service.
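The following is an added example, not code from the original page or from the Aperture service, that models what the SAML proxy in the procedure above does for one login: it accepts the SaaS app's AuthnRequest, asks the IDP in its own name, validates the IDP's response (status, InResponseTo, Destination, issuer, audience, expiry), re-issues the assertion for the SaaS app, and sends the browser to the firewall's clientless VPN portal instead of straight to the app. Every entity ID and URL (the example.com and example.net hosts), the constructed request and response messages, and the "app" query parameter on the portal redirect are assumptions of this model; XML-DSig signing and verification, which a real proxy must perform on every message, is omitted.

```python
"""Model of the SAML proxy role described above: toward the enterprise IdP the proxy
is an SP, toward the SaaS app it is the IdP. Constructed example, not Aperture code."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMLP, SAML = "{%s}" % NS["samlp"], "{%s}" % NS["saml"]
ET.register_namespace("samlp", NS["samlp"]); ET.register_namespace("saml", NS["saml"])
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Assumed identities; none of these values come from the product documentation.
PROXY_ENTITY_ID = "https://saml-proxy.example.com/metadata"
PROXY_ACS = "https://saml-proxy.example.com/acs"
IDP_ENTITY_ID = "https://idp.example.com/metadata"
IDP_SSO_URL = "https://idp.example.com/sso"
FIREWALL_PORTAL = "https://vpn.example.com"  # clientless VPN portal on the NGFW

def _require(ok, why):
    if not ok:
        raise PermissionError(why)

def build_upstream_request(sp_request_xml, now):
    """Remember where the SP wants its answer, then ask the IdP in the proxy's own name."""
    req = ET.fromstring(sp_request_xml)
    state = {"sp_request_id": req.get("ID"),
             "sp_issuer": req.find("saml:Issuer", NS).text,
             "sp_acs": req.get("AssertionConsumerServiceURL"),
             "proxy_request_id": "_" + secrets.token_hex(16)}
    up = ET.Element(SAMLP + "AuthnRequest", ID=state["proxy_request_id"], Version="2.0",
                    IssueInstant=now.strftime(TS), Destination=IDP_SSO_URL,
                    AssertionConsumerServiceURL=PROXY_ACS)
    ET.SubElement(up, SAML + "Issuer").text = PROXY_ENTITY_ID
    return ET.tostring(up, encoding="unicode"), state

def proxy_response(idp_response_xml, state, now):
    """Validate the IdP's answer for this proxy and this login, then re-issue it for the SP.
    XML-DSig verification of the IdP response (mandatory in practice) is omitted here."""
    resp = ET.fromstring(idp_response_xml)
    status = resp.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    _require(status == SUCCESS, "IdP rejected the login: " + status)
    _require(resp.get("InResponseTo") == state["proxy_request_id"], "unknown request")
    _require(resp.get("Destination") == PROXY_ACS, "response addressed to another ACS")
    assertion = resp.find("saml:Assertion", NS)
    _require(assertion.find("saml:Issuer", NS).text == IDP_ENTITY_ID, "untrusted issuer")
    cond = assertion.find("saml:Conditions", NS)
    _require(cond.find("saml:AudienceRestriction/saml:Audience", NS).text == PROXY_ENTITY_ID,
             "assertion audience is not this proxy")
    _require(now < datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc),
             "assertion has expired")
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text

    # Toward the SP the proxy is the IdP: own Issuer, SP as audience, SP's ACS, SP's request ID.
    stamp = now.strftime(TS)
    out = ET.Element(SAMLP + "Response", ID="_" + secrets.token_hex(16), Version="2.0",
                     IssueInstant=stamp, Destination=state["sp_acs"],
                     InResponseTo=state["sp_request_id"])
    ET.SubElement(out, SAML + "Issuer").text = PROXY_ENTITY_ID
    ET.SubElement(ET.SubElement(out, SAMLP + "Status"), SAMLP + "StatusCode", Value=SUCCESS)
    a = ET.SubElement(out, SAML + "Assertion", ID="_" + secrets.token_hex(16),
                      Version="2.0", IssueInstant=stamp)
    ET.SubElement(a, SAML + "Issuer").text = PROXY_ENTITY_ID
    ET.SubElement(ET.SubElement(a, SAML + "Subject"), SAML + "NameID").text = name_id
    c = ET.SubElement(a, SAML + "Conditions", NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
    ET.SubElement(ET.SubElement(c, SAML + "AudienceRestriction"),
                  SAML + "Audience").text = state["sp_issuer"]
    # The SP-bound response is posted via the firewall's clientless VPN portal so the SaaS
    # session is inspected; the "app" query parameter is an assumption of this model.
    return {"name_id": name_id, "sp_audience": state["sp_issuer"],
            "post_to": FIREWALL_PORTAL + "/?app=" + quote(state["sp_acs"], safe=""),
            "response_xml": ET.tostring(out, encoding="unicode")}

# Constructed sample messages standing in for what the SP and IdP would really send.
SP_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_sp1" '
    'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://saas.example.net/acs">'
    '<saml:Issuer>https://saas.example.net/metadata</saml:Issuer></samlp:AuthnRequest>')

def make_idp_response(in_response_to, audience, not_on_or_after):
    """Build the response the upstream IdP would return for the proxy's request."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_idp1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{PROXY_ACS}" '
        f'InResponseTo="{in_response_to}"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>'
        'alice@example.com</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion></samlp:Response>')

def demo(audience=PROXY_ENTITY_ID, minutes_valid=5):
    """Run one unmanaged-device login through the proxy and return the SP-bound result."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    _, state = build_upstream_request(SP_REQUEST, now)
    idp_xml = make_idp_response(state["proxy_request_id"], audience,
                                (now + timedelta(minutes=minutes_valid)).strftime(TS))
    return proxy_response(idp_xml, state, now)
```

Running `demo()` returns the re-issued response addressed to the SaaS app and the portal URL the browser is sent to; `demo(audience="https://evil.example.org/metadata")` and `demo(minutes_valid=0)` are rejected, which is the point of checking the audience and expiry on the proxy rather than trusting any assertion the IDP happens to return. The two checks most often missing from home-grown proxies are the audience restriction (an assertion minted for a different SP must not be accepted) and InResponseTo correlation (an unsolicited response must not create a session).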
