Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here

Skyhigh Security

Integrate Office 365 with SSO Providers for Cloud Access Policy

When you are using a Single-Sign-On (SSO) provider for your Office 365 environment, use this procedure to integrate with Skyhigh CASB and the Cloud Access Policy. With this integration, users are redirected to Skyhigh CASB for device checks and to execute Cloud Access Policies before they are forwarded to Office 365.

Use cases for this integration are:

  • Block downloads from Office 365 when a user connects from an unmanaged device.
  • Encrypt files when uploaded to Office 365.
  • Apply DRM protection for files uploaded to or downloaded from Office 365.
  • Restrict access to certain Office 365 applications when accessed from an unmanaged or unknown device.

Skyhigh CASB supports both SAML 2.0 and WS-FED (SAML 1.1) based integration for Office 365. WS-FED integration is preferred, as the setup and maintenance is easier because:

  • WS-FED does not require a change of federation certificates.
  • WS-FED is preconfigured in Office 365 as the default federation method.
  • WS-FED does not require any updates when certificates change or are renewed.
  • WS-FED does not require the execution of PowerShell scripts for integration.
  • SAML 2.0 requires specific changes to Exchange Online and Skype for Business login settings.

Prerequisites

  1. To perform this integration, you must have an SSO solution available and possibly already integrated with your Office 365 tenant. To set up federation for an Office 365 instance, you must configure a valid customer domain, and users must be provisioned in Office 365. (For example, through directory sync or any other means provided by Microsoft Office 365 or the SSO provider.)
  2. In general, you should use your existing SSO provider to log in to your Office 365 environment without issues.
  3. You must have Office 365 configured as a Managed Application in Skyhigh CASB under Settings > Service Management. Contact Skyhigh CASB Support if this is not currently configured in your Skyhigh CASB tenant.
  4. You must have at least one Cloud Access Policy configured in your Skyhigh CASB tenant under Policy > Access Control > Access Policies. If you do not have a Cloud Access Policy defined, use the policy form the following screenshot as a template:
    o365_access_policy.png
  5. You should also have configured the Device Management Settings to differentiate between managed and unmanaged devices by performing a certificate check.

Build the New Login/Endpoint URL

Redirecting a SAML/WS-FED assertion requires you to change the Login URL or Endpoint URL to point to the Skyhigh CASB reverse proxy, instead of the Office 365 login page directly. With this step, the Skyhigh CASB Cloud Access Policy is executed.

Capture the Domain Alias from the Skyhigh CASB dashboard at Setup and Configuration > Sanctioned Services > Service Management.
2017-06-09_09-50-41.jpg

Write down the Domain Alias (shown in the red box) before continuing. In this example,, the Domain Alias is office.zengel.shnpoc.net.

To build the new login/endpoint URL:

  1. Copy your Domain Alias to a text file.
    2017-06-09_11-36-03.jpg
  2. Prepend the Domain Alias with the following string, as shown:
https://login.microsoftonline.com.

2017-06-09_11-37-05.jpg

  1. Append it with the following string:
/login.srf?shnsaml=
  1. The result should be the following. The original domain alias is marked with a red line:
https://login.microsoftonline.com.office.zengel.shnpoc.net/login.srf?shnsaml=

2017-06-09_11-37-41.jpg

  1. Save this new Login URL / Endpoint URL to use when you configure the SSO solution in the next section.

Integrate with ADFS

If your organization uses Active Directory Federation Services (ADFS) to login to Office 365, follow use this procedure to integrate Skyhigh CASB. It includes steps to modify the Endpoint URL for the Office 365 assertion, from the original URL to the customized URL.

  1. Log in to your ADFS or another administrative computer.
  2. Open the ADFS Management Console.
    2017-06-09_11-44-49-1.jpg
  3. Go to Relying Party Trusts
  4. Find Microsoft Office 365 Identity Platform in the list, right-click, and select Properties.
    2017-06-09_11-46-57.jpg
  5. In the Properties window, select the Endpoint tab, choose WS-Federation Passive Endpoint, and click Edit.
    2017-06-09_11-50-00.jpg
  6. Edit the Trusted URL text field to contain the newly built Login URL from the previous step, then click OK. For this example, the new URL is:
    https://login.microsoftonline.com.office.zengel.shnpoc.net/login.srf?shnsaml=


    2017-06-09_11-51-36.jpg
  7. Click OK to save all changes.

This concludes all required configuration to integrate ADFS with Skyhigh CASB for Cloud Access Policy

Integrate with Okta

If your organization uses Okta to login to Office 365, use this procedure to integrate Skyhigh CASB. For Okta, the integration is performed by modifying the original Login URL for Office 365 on an already configured Office 365 Application to the customized Login URL. 

Okta provides this integration via API and not through a user interface, so you can make this change a few ways:

  1. Manually perform API calls to the Okta Application API to change the setting ssoAcsUrlOverride on the Office 365 App.
  2. Contact Okta Support to request a change of the Office 365 login URL with ssoAcsUrlOverride to set it to the new, customized Login URL.
  3. Use the following procedure, which uses a web application tool provided by Skyhigh CASB, to perform the required API calls automatically.

Prerequisites

For Okta, make sure that the following prerequisites are satisfied:

  • The login to Office 365 is already set up and working.
  • This procedure assumes that you have used the built-in Office 365 Application.
    2017-06-02_09-17-09.jpg
  • This procedure assumes that you have already configured federation using the Okta functionality to automatically configure the federation.
    2017-06-02_09-19-20.jpg

Get an Okta API Token

Get an API token from Okta that has the permission to edit Apps. 

Before you begin:

  • You can create an API token for your Administrator account in Okta.
  • Or you can create an Okta Admin User with the following permission, and then create an API token under this user. This allows you to use a token with the least privilege for this tool.
    2017-06-02_10-05-39.jpg
  • You should delete the API token from Okta once the configuration is done.
  • An Okta API token is disabled automatically if it’s not used for 30 days.

For general information about API tokens for Okta, see https://developer.okta.com/docs/api/getting_started/getting_a_token.html

To get an Okta API Token:

  1. To retrieve the token, login to Okta as Administrator or API user.
  2. In Okta, go to the Admin section.
  3. Go to Security > API.
    2017-06-09_12-30-57.jpg
  4. Click Create Token.
  5. Define a new name for this token, such as SkyhighAPItoken, and click OK.
  6. The next dialog displays the token. Select the token, copy it, and paste it into a text document.
    2017-06-09_12-32-48.jpg

Use Skyhigh CASB to Make the API calls

Before you begin, make sure you have the following prerequisites, from the previous sections:

  • The Okta instance URL. For example, https://dev-74509x.oktapreview.com.
  • The Domain Alias from Skyhigh CASB Managed Applications. For example, office.zengel.shnpoc.net.
  • The API token as created earlier in the Okta admin section. For example, 00PEO9J3Wd9wv4CwMKBadKZ9FlVsk4PCeZyRvpgZa.

To make the URL change:

  1. Go to https://oktaconfig.devshn.net/cgi-av...ighRpEnable.py
  2. Enter all required information, and click Submit
    2017-06-02_10-23-32.jpg
  3. In the next screen, the tool will list all Office 365 apps that are configured in the relevant Okta tenant. Usually this is only one instance, but if multiple instances are displayed, select the one that should be modified, and click Submit.
    2017-06-02_10-00-21.jpg
  4. The URL is modified and the result is displayed in the table when you refresh the page. You might be asked to submit the login information again when you refresh the page.

In case you want to reset the URL to the default value, in the field Sykhigh Proxy URL, enter the word DEFAULT, and click Submit. This removes the customization.

Delete the API token from Okta once you have completed this step.