This procedure describes how to integrate Single Sign-On (SSO) with Azure Active Directory (IdP) via Proxy.
Make sure you have the following items before integrating SSO with Azure AD (IdP) via proxy:
- Admin access to Google Suite portal (https://gsuite.google.com).
- Admin access to Azure AD (IdP) portal (https://azure.microsoft.com/en-in/services/active-directory).
- Access to Skyhigh CASB tenant and existing Google Drive managed service.
- A functional SSO setup between Azure AD and Google Drive/G Suite.
Download SP Certificate
- Log in to the G Suite admin portal to download the SP Certificate.
- Go to Security > Set up single sign-on (SSO) for SAML applications and click DOWNLOAD CERTIFICATE.
- Download the SP Certificate and save it in your local folder. The SP Certificate is used to configure the proxy in Skyhigh CASB.
Download IdP Certificate
- Log in to the Azure AD portal to download the IdP Certificate.
- Go to Enterprise application > Google Cloud App > Single Sign-on > SAML Signing-Certificate and click Download next to Certificate (Base64).
- Download the IdP Certificate and save it in your local folder. The IdP Certificate is used to configure the proxy in Skyhigh CASB.
Configure the SSO Integration via Proxy
Perform the following steps to achieve the SSO Integration via Proxy:
Step 1: Configure Proxy in Skyhigh CASB
- Log in to Skyhigh CASB to configure the SAML setup for the existing G Drive managed service.
- To set up SAML, click the managed G Drive instance and select Setup > Configure.
- Under Upload Identity Provider Certificate, upload the IdP Certificate and click Next.
- Under Provide Service Provider Certificate, upload the SP Certificate and click Next.
- Download the Proxy Certificate and save it in your local folder. The Proxy Certificate is used to configure SP in the G Suite portal.
- Add skip.saml.redirect.sig.qs.param to the G Drive Service Card and set its value to true.
Step 2: Configure SP in G Suite Portal
- Log in to the G Suite admin portal to configure the SP.
- Choose Security > Set up single sign-on (SSO) to go to the SSO page.
- Scroll to Set up SSO with the third-party identity provider and replace the Sign-in page URL with the link: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/domain-access?shnsaml-request=https%3A%2F%2Flogin.microsoftonline.com%2Ffcbf8387-fe12-4fb9-a3ed-440e79fa75ee%2Fsaml2
- To upload the Proxy Certificate, click REPLACE CERTIFICATE.
- Replace the existing IdP Certificate with the Proxy Certificate.
Step 3: Configure IdP in Azure AD Portal
- Log in to the Azure AD admin portal.
- Go to Enterprise application > Google Cloud App > Single Sign-on > SAML-based Sign-on.
- Click the pencil icon to edit Basic SAML Configuration and configure the following:
- Replace the Reply URL (Assertion Consumer Service URL) with the link: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/a/awesomeworks.in?shnsaml
- Replace the Sign on URL with the link: https://www.google.com.gsuite.gdrive.sivaqaar.devshn.net/a/awesomeworks.in/ServiceLogin?continue=https://drive.google.com
- Save the Basic SAML Configuration and click Test.
NOTE: Before the proxy integration, you must already have a functional SSO setup between Azure AD and G Suite. The screens referenced above may differ in user attributes and claims depending on your SSO setup.
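The three proxy URLs entered in Steps 2 and 3 must agree with each other (same proxy host, the IdP SAML endpoint URL-encoded inside shnsaml-request, the Reply URL ending in ?shnsaml). The following added helper, written for this page and not part of Skyhigh CASB or Google, builds the Sign-in page URL from the IdP endpoint and checks all three URLs for the common copy-paste mistakes; the host, tenant id and domain are the constructed values from the procedure above.

```python
"""Sanity-check the proxy Sign-in, Reply (ACS) and Sign on URLs from this procedure
before saving them in G Suite and Azure AD (added example, not vendor code)."""
import uuid
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed inputs taken from the procedure above.
PROXY_HOST = "www.google.com.gsuite.gdrive.sivaqaar.devshn.net"
IDP_SAML_ENDPOINT = "https://login.microsoftonline.com/fcbf8387-fe12-4fb9-a3ed-440e79fa75ee/saml2"
GSUITE_DOMAIN = "awesomeworks.in"

def build_sign_in_url(proxy_host, idp_saml_endpoint):
    """Proxy Sign-in page URL: the IdP SAML endpoint travels URL-encoded in shnsaml-request."""
    return f"https://{proxy_host}/domain-access?" + urlencode({"shnsaml-request": idp_saml_endpoint})

def check_proxy_urls(sign_in_url, reply_url, sign_on_url, proxy_host, gsuite_domain):
    """Return a list of findings; an empty list means the three URLs are consistent."""
    findings = []
    for name, url in (("sign-in", sign_in_url), ("reply", reply_url), ("sign-on", sign_on_url)):
        p = urlparse(url)
        if p.scheme != "https":
            findings.append(f"{name} URL must use https")
        if p.hostname != proxy_host:
            findings.append(f"{name} URL host {p.hostname!r} is not the proxy host")
    # Sign-in page URL: /domain-access carrying the Azure AD SAML endpoint for the tenant.
    sign_in = urlparse(sign_in_url)
    endpoint = parse_qs(sign_in.query).get("shnsaml-request", [""])[0]
    ep = urlparse(endpoint)
    parts = ep.path.strip("/").split("/")
    if sign_in.path != "/domain-access":
        findings.append("sign-in URL path must be /domain-access")
    if ep.scheme != "https" or ep.hostname != "login.microsoftonline.com":
        findings.append("shnsaml-request must be an https login.microsoftonline.com endpoint")
    try:
        uuid.UUID(parts[0])  # the Azure AD tenant id is a UUID
        valid_tenant = len(parts) == 2 and parts[1] == "saml2"
    except ValueError:
        valid_tenant = False
    if not valid_tenant:
        findings.append("shnsaml-request path must be /<tenant-id>/saml2")
    # Reply URL (ACS): /a/<domain>?shnsaml so the proxy recognises the SAML response.
    reply = urlparse(reply_url)
    if reply.path != f"/a/{gsuite_domain}" or reply.query != "shnsaml":
        findings.append(f"reply URL must be /a/{gsuite_domain}?shnsaml")
    # Sign on URL: /a/<domain>/ServiceLogin with an https continue target.
    sign_on = urlparse(sign_on_url)
    cont = parse_qs(sign_on.query).get("continue", [""])[0]
    if sign_on.path != f"/a/{gsuite_domain}/ServiceLogin" or not cont.startswith("https://"):
        findings.append("sign-on URL must be /a/<domain>/ServiceLogin?continue=https://...")
    return findings
```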
Step 4: Validate the SSO Integration with Proxy
The SSO Integration with Proxy is now complete. To verify the result of the SSO integration, perform the following activities:
- Log in to https://apps.office.com as a non-admin user.
- Click Google Cloud application.
- You are redirected to Google Drive (or other applications as per the configuration) automatically.
NOTE: The configuration changes in Azure AD and G Suite may take some time to propagate, so wait 10 to 60 minutes before testing the proxy integration.