Configure Unsanctioned Device Access Control - Palo Alto Networks · 2018-05-22 · TABLE OF...


Configure Unsanctioned Device Access Control

paloaltonetworks.com/documentation


Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation
• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at [email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© - Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised


Table of Contents

Configure Unsanctioned Device Access Control ..... 4
    Create an app in Okta for Aperture ..... 6
    Obtain the Sign-in URL and Certificate from Okta for Aperture ..... 10
    Configure the IDP in Aperture ..... 12
    Create an app in Okta for G Suite ..... 14
    Obtain the Sign-in URL and Certificate from Okta for G Suite ..... 15
    Configure a Service Provider in Aperture ..... 16
    Configure the Service Provider ..... 18
    Configure the Firewall with Clientless VPN ..... 20
    Configure the Firewall Settings in Aperture ..... 21


Configure Unsanctioned Device Access Control

You can control unsanctioned and employee-owned device access to your network and redirect device traffic to the next generation firewall for inspection without putting your network or data at risk. Unsanctioned device access control utilizes SAML redirection by proxy instead of directly exposing the SaaS app or your network, removing all possible vulnerabilities to data exfiltration and malware propagation.

This document details an example integration with Aperture, Okta, and G Suite. You can configure SAML and manage federations with these providers or use any provider compatible with the SAML 2.0 protocol.

The following tasks must be completed to configure Unsanctioned Device Access Control.

Task: Create an app in Okta for Aperture
Details: An Aperture application integration with Okta allows you to manage federations with external Identity Providers (IDP) to authenticate users accessing SaaS apps.

Task: Obtain the Sign-in URL and Certificate from Okta for Aperture
Details: The Identity Provider Sign-in URL directs users to sign in and enables them to use your app. The certificate validates SAML signatures when using SSO.

Task: Configure the IDP in Aperture
Details: Register the IDP and Aperture with each other to enable communication between them.

Task: Create an app in Okta for G Suite
Details: The SSO service signs authentication requests and requires signed assertions from an external identity provider before allowing access to an app.

Task: Obtain the Sign-in URL and Certificate from Okta for G Suite
Details: The Identity Provider Sign-in URL directs users to sign in and enables them to use your app. The certificate validates SAML signatures when using SSO.


Task: Configure a Service Provider in Aperture
Details: Register the SP and Aperture with each other to enable communication between them.

Task: Configure the Service Provider
Details: The Service Provider is able to consume an assertion from the Identity Provider, identify a user, and establish an Aperture session. After a session is established, the Service Provider can authorize the user for specific resources.

Task: Configure the Firewall with Clientless VPN
Details: Configuring Clientless VPN enables the SAML service to intercept the remote users' authentication request and redirect the application traffic through the clientless rewriter on the firewall.

Task: Configure the Firewall Settings in Aperture
Details: Configuring the Firewall settings in Aperture enables communication and verifies authentication requests between the Firewall and the IDP.


Create an app in Okta for Aperture

By creating an application integration with Okta, you can manage federations with external Identity Providers (IDP) to authenticate users trying to access SaaS applications using the SAML 2.0 protocol.

You must be an Aperture Admin or Super Admin to configure unsanctioned device access control.

Create an app in Okta with Aperture.

1. Create an application integration to log in users using the SAML protocol.

   1. Log in to your Okta organization as a user with administrative privileges.

      If you don't have an Okta organization, you can create a free Okta developer edition organization.

   2. Create a new application integration by selecting Admin Dashboard > Applications > Add Applications > Create New App > SAML 2.0 > Create.

   3. In the Create a New Application Integration dialog, select SAML 2.0 and then Create the application integration.

2. Configure the SAML application settings in General Settings:

   1. Enter the App name (such as Aperture) to specify an identifier for the app.
   2. (Optional) Review the tool tips for details about the type of image you can upload for your App logo.
   3. Select whether to hide the application from your users' homepage or mobile app in App visibility.
   4. Click Next.


3. Configure the URL where the SAML assertion is sent and the URI of the intended audience for the SAML assertion.

   1. Log in to Aperture and keep Aperture open for setup.

      To prevent errors in your SAML integrations, ensure that Okta is whitelisted for 3rd-party cookies in your browser.

   2. Select Settings > Unsanctioned Device Access Control > SAML Proxy.
   3. Select Identity Provider Settings > Add Identity Provider.
   4. Copy the IDP Entity ID and the Assertion Consumer Service URL to paste into Okta.


   5. In Okta, select the SAML Settings dialog, and paste the Assertion Consumer Service URL you copied from Aperture into the Single sign on URL and the IDP Entity ID you copied from Aperture into the Audience URI (SP Entity ID).
   6. Enter your email address in Name ID format.
   7. Click Next.

4. Add app integration feedback for Okta to help Okta Support understand how you configured the application.

   1. In Are you a customer or partner? select either I'm an Okta customer adding an internal app or I'm a software vendor. I'd like to integrate my app with Okta.
   2. (Optional) In App type check This is an internal app that we have created.
   3. Click Finish to submit your feedback.


5. Assign the application to people to add and manage end users in your organization.

1. Select Assignments > Assign to People.

6. An Assign Example Application to People dialog will open. Enter your username into search, and thenclick Assign.

7. Verify the user-specific attributes and then select Save and Go Back.

8. Click Done to exit the assignment wizard.


Obtain the Sign-in URL and Certificate from Okta for Aperture

You will need the Identity Provider Sign-in URL to direct users to sign in and enable them to use your app. This URL is required and is always used for IDP initiated sign-on. You will also need to download the certificate from the IDP to validate SAML signatures when using SSO.

Obtain the Identity Provider single sign-on URL and certificate from Okta.

1. The Sign on Methods screen displays. Click View Setup Instructions.
2. Copy the Identity Provider Single Sign-On URL, Identity Provider Issuer and download the Certificate.

   You will need the Identity Provider Single Sign-On URL and Certificate to complete the setup in Aperture.

   When downloading the certificate, change the .cert extension to either .cer or .crt.


Configure the IDP in Aperture

When you configure SAML, you must register Aperture and the IDP with each other to enable communication between them. To configure the IDP in Aperture, you will need:

1. Certificate—The certificate you downloaded from Okta to validate SAML signatures, in .cer or .crt format.
2. Identity Provider Entity ID—The Entity ID of the Identity Provider, called the Identity Provider Issuer in Okta.
3. SSO URL—The SSO URL from Okta that retrieves a redirection URL containing a token for authenticating your users.

Configure the IDP in Aperture.

1. Select Settings > Unsanctioned Device Access Control > SAML Proxy.

   If it is not already enabled, enable the Unmanaged Device Control Configuration.

2. Select Add Identity Provider.
3. Enter an IDP Name to identify the IDP provider.
4. Browse and upload the IDP Certificate file that you downloaded from Okta.

   If you don't know where to obtain the certificate, contact your IDP administrator or vendor.

5. Enter the IDP Entity ID (called Identity Provider Issuer in Okta).

   Your SAML provider provides you with this ID. It must be typed exactly as given to you by the provider.

6. Enter the SSO URL from Okta.

   The SSO URL retrieves a redirection URL containing a token for authenticating your users.

7. Enable the IDP Status.
8. Click Add to save the IDP provider.
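The values exchanged in this procedure and in the Okta app settings (the Identity Provider Issuer entered as IDP Entity ID, the Assertion Consumer Service URL pasted into Okta's Single sign on URL, the IDP Entity ID pasted into Okta's Audience URI) are exactly what a SAML Response is checked against when a user signs in. The following is an added example, not Palo Alto Networks or Okta code, using constructed placeholder URLs, issuer and response: it applies the guide's "typed exactly" rule to the Issuer, Audience and Destination of a sample response and checks its validity window, so a mismatch such as a stray trailing slash shows up before you debug the integration. XML signature verification, which Aperture performs with the uploaded certificate, needs an XML-DSig library and is not part of this check.

```python
"""Check a SAML Response against the identifiers this guide has you copy
between Okta and Aperture. Added example; not Palo Alto Networks code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Configured values (constructed placeholders, not real endpoints).
IDP_ISSUER = "http://www.okta.com/exkEXAMPLEissuer"       # Identity Provider Issuer in Okta
AUDIENCE_URI = "https://aperture.example.invalid/saml/sp"  # pasted into Okta's Audience URI
ACS_URL = "https://aperture.example.invalid/saml/acs"      # pasted into Okta's Single sign on URL

# Constructed, unsigned sample. A real response also carries a ds:Signature that
# Aperture verifies with the downloaded certificate; that needs an XML-DSig library.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2018-05-22T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-22T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-05-22T09:55:00Z" NotOnOrAfter="2018-05-22T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE_URI}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    # SAML timestamps are UTC in xs:dateTime form; return an aware datetime.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, idp_issuer, audience_uri, acs_url, now_utc):
    """Return a list of mismatches (empty means consistent). Comparisons are
    exact string equality, mirroring the guide's 'typed exactly' rule: a
    trailing slash or case difference in an Entity ID is a mismatch."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    assertion = assertions[0]
    # Both the Response and the Assertion name the issuer; both must match the IDP Entity ID.
    for label, element in (("Response", root), ("Assertion", assertion)):
        issuer = element.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != idp_issuer:
            problems.append(f"{label} Issuer {issuer!r} != IDP Entity ID {idp_issuer!r}")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append(f"Audience {audiences!r} lacks SP Entity ID {audience_uri!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        now = _ts(now_utc)
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    for issuer in (IDP_ISSUER, IDP_ISSUER + "/"):  # second run shows a near-miss Entity ID
        print(issuer, check_response(SAMPLE_RESPONSE, issuer, AUDIENCE_URI, ACS_URL, "2018-05-22T10:00:30Z"))
```

To use it against a real exchange, capture the base64-decoded SAMLResponse from the browser's network log and pass it in place of the constructed sample.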


Create an app in Okta for G Suite

The SSO service provides the ability to sign authentication requests and requires signed assertions from an external identity provider, such as G Suite. When you configure SSO with an external identity provider, your users log in and authenticate to the external identity provider before being redirected to the application.

Configure the IDP in Okta with G Suite.

1. Create an application integration to log in users using the SAML protocol.

   1. Log in to your Okta organization as a user with administrative privileges.

      If you don't have an Okta organization, you can create a free Okta developer edition organization.

   2. Add the G Suite app by selecting Admin Dashboard > Applications > Add Applications > G Suite > Add.
   3. In General Settings > Application label enter the application name, such as G Suite.
   4. Enter Your Google Apps company domain and click Next.
   5. Set up end user accounts.

      When setting up end user accounts, you can assign the applications you want to display on end users' My Applications (or Home) page when you Assign the application to people to add and manage end users in your organization.


Obtain the Sign-in URL and Certificate from Okta for G Suite

You will need the Identity Provider Sign-in URL to direct users to sign in and enable them to use your app. You will also need to download the certificate from the IDP to validate SAML signatures when using SSO.

Obtain the sign-in page URL and verification certificate from Okta.

1. The Sign on Methods screen displays. Click View Setup Instructions.
2. Copy the Sign-in page URL and download the Verification certificate.

   You will need the Sign-in page URL and Verification certificate to complete the setup in Aperture.

   When downloading the certificate, change the .cert extension to either .cer or .crt.


Configure a Service Provider in Aperture

When you configure SAML, you must register Aperture and the SP with each other to enable communication between them. To configure the SP in Aperture to enable this communication, you will need:

1. Certificate—The certificate you downloaded from Okta to validate SAML signatures, in .cer or .crt format.
2. ACS URL—The URL of the ACS you copied from your service provider.
3. SP Entity ID—The SP Entity ID from Okta is required to form a trust relationship with the IDP.
4. SSO URL—The SSO URL from Okta that retrieves a redirection URL containing a token for authenticating your users.

Configure the Service Provider in Aperture.

1. Obtain the Identity Provider single sign-on URL and certificate from Okta. You will need the URL and certificate to complete the SP configuration in Aperture.
2. Select Settings > Unsanctioned Device Access Control > SAML Proxy > Service Provider Settings > Add Service Provider.
3. Enter a Name to identify the SP provider.
4. Browse and upload the SP Certificate file you downloaded from Okta.

   If you don't know where to obtain the certificate, contact your SP administrator or vendor.

5. Enter the ACS URL that you copied for the service provider.

   The ACS URL obtains a security token issued by ACS to log in to your application or service.

6. Enter the SP Entity ID.

   The SP Entity ID is required to form a trust relationship with the IDP.

7. Enter the SSO URL that you copied from Okta.

   The SSO URL retrieves a redirection URL containing a token for authenticating your users.

8. Enable the SP Status.
9. (Optional) Configure SOAP Endpoint/ECP Endpoint in Aperture to enable communication in HTTP and its XML language as the mechanisms for information exchange. The endpoint is the URL at which your service can be accessed by a client application.


10. Click Add to save the SP profile.


Configure the Service Provider

The Service Provider is able to consume an assertion from the Identity Provider, identify a user, and establish an Aperture session. After a session is established, the Service Provider can authorize the user for specific resources.

Configure the Service Provider.

1. In a new browser window, log in as the administrator to the SP, such as the G Suite Google Admin Account.
2. Select Security > Show more > Set up single sign-on (SSO).
3. Select Setup SSO with third party identity provider.
4. In Aperture, enter the URL for signing in to your system and G Suite, and the URL for redirecting users to when they sign out:

   • Sign-in page URL—Copy the IDP SSO URL from the Configuration details to enter on your Service Provider section of the IDP page in Aperture.
   • Sign-out page URL—Copy the IDP SLO URL from the Configuration details to enter on your Service Provider section of the IDP page in Aperture.
   • Verification Certificate—Upload the Identity Provider Certificate from the Configuration details to enter on your Service Provider section of the IDP page in Aperture.

5. Save your settings.


Configure the Firewall with Clientless VPN

When you configure Clientless VPN, the SAML service will intercept the remote users' authentication request and redirect the application traffic through the clientless rewriter on the firewall.

STEP 1 | Obtain the configuration details to set up Clientless VPN.

1. In Aperture, select Settings > Unsanctioned Device Access Control > SAML Proxy > Identity Provider Settings > Actions > Edit.

STEP 2 | In Edit Identity Provider Configuration, scroll down to Configuration details to enter on your Service Provider. The following values are required to set up Clientless VPN:

1. Identity Provider Certificate—The certificate that you downloaded from Okta in .cer or .crt format.
2. IDP Entity ID—Your SAML provider provides you with this ID. It must be entered exactly as listed in the IDP.
3. IDP SSO URL—The SSO URL retrieves a redirection URL containing a token for authenticating your users.
4. IDP SLO URL—Generates the log out request and redirects the user's browser to that Service Provider's SLO endpoint.

STEP 3 | Configure the firewall for application access.

1. Your users will need to access the applications through a firewall. When you Configure Clientless VPN, you will need to complete the following to configure the firewall:

   • Create Interfaces and Zones for GlobalProtect to define and assign an Interface Management Profile with HTTPS, create an interface, assign an IP address and a management profile to the interface, and verify the routing works.
   • Create DNS Proxy. GlobalProtect will use this proxy to resolve application names.
   • Specify Security Settings and configure the SSL/TLS service profile.
   • Create a Server Profile to create the SAML Identity Provider and provide the Identity Provider SSO URL.
   • Create Authentication Profile to assign to the IDP server profile and SSL/TLS Service Profile, and to add the SAML Authentication profile.
   • Create GlobalProtect Portal and add the host name, assign DNS Proxy, configure the log in settings and the inactivity timeout for the session cookie, and commit the configuration.


Configure the Firewall Settings in Aperture

You need to configure the Firewall settings in Aperture to enable communication and verify authentication requests between the Firewall and the IDP.

Configure the Firewall settings in Aperture.

1. In Add Firewall, select either Domain or IP Address.

   • Domain—Enter the Domain URL and Entity ID separated by commas.
   • IP Address—Enter the IP Address and the (Optional) Entity ID, separated by commas.
   • Trusted Networks—Enter the IP address in CIDR format separated by commas.

2. Save your Firewall settings.