Configure Unsanctioned Device Access Control

Use the Aperture service as a SAML proxy between your Identity Provider and next generation firewall to control access to your sanctioned SaaS applications.
To control unmanaged and employee-owned device access to your sanctioned SaaS applications, add an application integration on your Identity Provider for Aperture and for each of your SaaS apps so that access is authenticated using SAML 2.0. Configure the Aperture service with your IDP SSO URL and configure each SaaS application to use the same SSO URL, which gives users a transparent and seamless experience. Once your IDP, Service Providers and Aperture are configured, add your next generation firewall on Aperture. Aperture offers the flexibility of adding portal settings using your domain, IP address, a combination of domains and IP addresses, or your configured GlobalProtect Cloud Service.
You must be a Super Admin or Admin to configure SAML Proxy on Aperture.
This document details an example integration with Okta as the Identity Provider and G Suite as the Service Provider.
  1. Create an Aperture app on your Identity Provider.
    By creating an application integration for Aperture with your Identity Provider, you can control access to SaaS applications from unmanaged devices on external networks using the SAML 2.0 protocol.
    1. Log in to your Okta organization using an account with administrative privileges.
      If you don’t have an Okta organization, you can create a free Okta developer edition organization.
    2. Create a new application integration by selecting Admin > Add Applications > Create New App > SAML 2.0 > Create.
    3. Select SAML 2.0 and Create the application integration.
    4. Enter an App name for Aperture.
    5. (Optional) Upload an image for the App logo.
    6. (Optional) Select App visibility and click Next.
    7. Log in to Aperture, select Settings > SAML Proxy, and enable the feature.
    8. Click Add Identity Provider to gather the details to configure your IDP.
    9. On the Okta SAML Settings screen, for Single sign on URL, enter the Aperture Assertion Consumer Service URL.
    10. For Audience URI (SP Entity ID), enter the Aperture IDP Entity ID.
    11. Configure your Default RelayState, Name ID format, and Application username, and click Next.
    12. Enter optional Okta Support information and click Finish.
    13. Select Assignments > Assign to add and manage people or groups.
  2. Add your Identity Provider on Aperture.
    Configure the IDP on the Aperture service to authenticate the user before redirecting access to the SaaS application through the firewall. Use the IDP SSO URL, Identity Provider Issuer and Certificate from Okta to configure the Identity Provider settings on Aperture.
    1. Log in to Okta, select Admin > Applications and select your Aperture SAML 2.0 application.
    2. Select Sign On > View Setup Instructions.
    3. Locate the Okta SSO URL, IDP Entity ID and download the certificate to configure Aperture.
      When downloading the Okta X.509 certificate, you must change the .cert extension to either .cer or .crt file extension.
    4. Log in to Aperture, and select Settings > SAML Proxy > Add Identity Provider.
    5. Enter an IDP Name.
    6. Click Choose File and upload the Okta X.509 Certificate.
    7. For IDP Entity ID, enter the Okta Identity Provider Issuer.
    8. For SSO URL, enter the Okta Identity Provider Single Sign-On URL and Add the Identity Provider on Aperture.
  3. Create a Service Provider app on your Identity Provider.
    When you add an application integration, configure the same SSO URL on your IDP for the SaaS app as for Aperture, which provides a transparent experience. When you add the SaaS application to your IDP, access is authenticated through the Aperture SAML proxy before traffic is redirected through the firewall. You need the Identity Provider Sign-in URL to direct users to sign in, and the certificate from the IDP to validate SAML signatures when using SSO. Each SaaS application must be configured on your Identity Provider to control unmanaged device access.
    1. Log in to Okta, select Admin > Add Applications, and search for G Suite.
    2. Select G Suite and click Add.
    3. Enter an Application label.
    4. Enter Your Google Apps company domain and click Next.
    5. Select SAML 2.0 and click Done.
    6. Select Assignments > Assign to add and manage people or groups.
  4. Add the Service Provider on Aperture.
    Each SaaS application must be configured on the Aperture service to grant access using the same IDP SSO URL and redirect traffic to the SaaS application through the firewall. You need the Okta Single Sign-on URL and Verification Certificate for the SaaS application, and the Entity ID and ACS URL from Aperture to configure the SaaS application on Aperture.
    1. Log in to Okta, select Admin > Applications and select your G Suite application to gather the SaaS details.
    2. Select SAML 2.0 and click View Setup Instructions.
    3. Locate the Single Sign-On Screen information for G Suite, download the verification certificate and copy the Sign-in page URL.
    4. On Okta, click Applications, and select the Aperture SAML 2.0 application.
    5. Click Sign On > View Setup Instructions.
    6. Log in to Aperture, select Settings > SAML Proxy > Identity Provider Settings > Edit to locate the ACS URL and SP Entity ID.
    7. On Aperture, select Settings > SAML Proxy > Add Service Provider.
    8. Enter an SP Name.
    9. Upload the Okta Verification Certificate to Aperture.
    10. For the ACS URL, enter the Aperture Assertion Consumer Service URL.
    11. For the SP Entity ID, enter the Aperture IDP Entity ID.
    12. For the SSO URL, enter the Okta Sign-in page URL.
    13. (Optional) Configure the SOAP Endpoint/ECP Endpoint on Aperture to enable SOAP, XML messages carried over HTTP, as the mechanism for information exchange. The endpoint is the URL at which a client application can reach your service.
    14. Add the Service Provider configuration on Aperture.
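    Steps 2 and 4 tie three values together: the IDP Entity ID taken from Okta, and the ACS URL and SP Entity ID taken from Aperture. A mistyped value surfaces only when an assertion arrives, so the added example below (not Aperture or Okta code; the URLs, issuer and response are constructed placeholders) checks a SAML Response's Destination, Issuer, Audience and validity window against those configured values before it is trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders for the values the page has you copy between Okta and
# Aperture (Okta Identity Provider Issuer, Aperture ACS URL, Aperture SP Entity ID).
EXPECTED = {
    "idp_entity_id": "http://www.okta.com/PLACEHOLDER-ISSUER",
    "acs_url": "https://aperture.example.test/saml/acs",
    "sp_entity_id": "https://aperture.example.test/saml/sp",
}

# Constructed, unsigned sample in the shape an IDP posts to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://aperture.example.test/saml/acs">
  <saml:Issuer>http://www.okta.com/PLACEHOLDER-ISSUER</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/PLACEHOLDER-ISSUER</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://aperture.example.test/saml/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected, now_iso):
    """Return the mismatches between a SAML Response and the proxy configuration.
    Empty list: Destination, Issuer, Audience and validity window all agree.
    Signature verification (with the uploaded X.509 certificate) is not done here."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination is not the Aperture ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        problems.append("Issuer is not the configured IDP Entity ID")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["response carries no Assertion with Conditions"]
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != expected["sp_entity_id"]:
        problems.append("Audience is not the Aperture SP Entity ID")
    if not _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    return problems
```

    The signature check against the certificate uploaded in step 9 still has to happen before any of these fields are believed; this snippet only confirms that the copied configuration values line up.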
  5. Configure the Identity Provider on the Service Provider.
    Configure the SaaS application to consume an assertion from the Identity Provider to grant the user access after being authenticated.
    1. Log in to Okta, select Admin > Applications and select your G Suite application.
    2. Select SAML 2.0 and click View Setup Instructions.
    3. Locate the Single Sign-On Screen section.
    4. Log in to the G Suite admin console.
    5. Click Security > Set up single sign-on (SSO) and select Setup SSO with third party identity provider.
    6. Enter the setup SSO information from Okta, upload the Verification certificate, and click Save.
  6. Log in to Aperture and select Settings > SAML Proxy > Identity Provider Settings > Edit to locate the details required to Configure Your Clientless VPN.
    When you configure your Clientless VPN, the Aperture service will intercept the authentication request and redirect the application traffic through the clientless rewriter on the firewall.
  7. Configure your firewall Gateway Settings on Aperture.
    The portal configuration on Aperture creates a trusted relationship between the firewall and the Aperture service so that a user accessing a sanctioned SaaS application from an unmanaged device gets a transparent experience. The Gateway settings can be configured using your domain, IP addresses, a combination of domains and IP addresses, or a configured GlobalProtect Cloud Service.
    1. Log in to Aperture, select Settings > SAML Proxy > Gateway Settings > Edit to add your gateway settings.
      • Select Add Gateway using Domain to enter your Domain URL and Entity ID.
      • Select Add Gateway using IP Address to enter the IP address and (Optional) Entity ID.
      • Select Add Gateway using GlobalProtect Cloud Service to enter your GlobalProtect Cloud Service Gateway URL and GlobalProtect Cloud Service API Key.
    2. Enter the IP addresses of your Trusted Networks and Save your firewall portal settings.