
SafeNet Trusted Access for CipherCloud CASB

Overview

The application template provides the ability to enable single sign-on for users accessing the CipherCloud application through SafeNet Trusted Access. SAML settings are configured in CipherCloud to access the CipherCloud Management console and third-party applications as protected resources.

The following use cases can be configured for any cloud service provider supported by CipherCloud:

Single sign-on to any CipherCloud supported cloud service provider via:

Service provider initiated single sign-on to Office365

Identity provider initiated single sign-on to Office365

Service provider initiated single sign-on to Salesforce

Identity provider initiated single sign-on to Salesforce

Applying CASB protection to Office365

Applying CASB protection to Salesforce

Single sign-on to CipherCloud management console via:

Service provider initiated single sign-on

Identity provider initiated single sign-on

Configuring SafeNet Trusted Access for CipherCloud is a three-step process:

1.CipherCloud setup

2.SafeNet Trusted Access setup

3.Verify authentication

CipherCloud Setup

As a prerequisite, download the Identity Provider metadata from the SafeNet Trusted Access console by clicking the Download metadata file button. You will need this metadata in one of the steps below.

Cloud-specific SSO

CASB protection can be applied to any cloud application (for example, Office365, Salesforce, Box, etc.) that is supported by CipherCloud. This document describes the configuration steps that are required for adding CASB protection to Office365 and Salesforce. Configuring CASB capability in CipherCloud involves the following:

Downloading the application-specific metadata

Adding SafeNet Trusted Access as an identity provider in CipherCloud

Adding a cloud service provider (for example, Salesforce or Office365) in CipherCloud

Configuring SSO settings for a cloud service provider (for example, Salesforce or Office365) in CipherCloud

Configuring identity proxy routing in CipherCloud

Creating a cloud authentication policy (optional)

Enable SSO for the CipherCloud management console (optional)

Download the Metadata

If you are configuring single sign-on for the CipherCloud management console or single sign-on to any CipherCloud cloud service provider, refer to Download the CipherCloud Metadata.

If you are configuring single sign-on for a SafeNet Trusted Access application, download that application-specific metadata. For more details, refer to Download the application-specific metadata.

Download the CipherCloud Metadata

1.On the CipherCloud Management dashboard, click the Administration tab, and click Enterprise Integration.

2.In the left pane, under Configuration, click Single Sign-On.

3.In the right pane, on the SSO Groups tab, in the SP Metadata column, click the Download icon for the Default SSO group to download the CipherCloud metadata. Save the metadata on your machine.

4.In the IdP Metadata column, click the download icon for the Default or <custom> SSO group. You need to download the IdP metadata for configuring the IdP settings in <Third party applications> like Salesforce.

Note:  To add multiple CipherCloud applications on the STA console for different cloud service providers (for example, Office365, Salesforce), you need to configure separate SSO groups.

Downloading the Application-specific Metadata

If you are configuring single sign-on for a SafeNet Trusted Access application (for example, Salesforce or Office365) that you have added in SafeNet Trusted Access, download the application-specific metadata. For more details, refer to the application-specific help documentation in SafeNet Trusted Access.

Adding SafeNet Trusted Access as an Identity Provider in CipherCloud

Perform the following steps to add an identity provider:

1.On the Single Sign-On tab, click the SSO Provider tab.

2.On the SSO Provider tab, click Create New and perform the following steps:

a.In the Name field, enter an identity provider name (for example, SfntIdP).

b.In the Type field, select Identity Provider.

c.In the SSO Group field, select the SSO group.

d.In the Metadata Link field, click Upload a File to search and select the identity provider metadata file that you downloaded earlier from the SafeNet Trusted Access console.

e.Click Validate.

f.Ensure that the Entity ID field is automatically filled with your Identity Provider Entity ID.

3.Click Save.

Note:  It might take up to 10 seconds for the status to show green.

Adding Salesforce as a cloud service provider in CipherCloud

Perform the following steps to configure Salesforce for SP-Initiated SSO:

1.On the CipherCloud Management dashboard, on the Administration tab, click Cloud Management.

2.On the Cloud Management window, click Add New.

3.On the Basic page, perform the following steps to configure the cloud application:

a.In the Cloud field, select Salesforce.

b.In the Name field, enter a name (for example, MySalesforce).

c.Click Next.

4.On the Protection Model page, perform the following steps:

a.Click to enable the Cloud Authentication toggle button.

b.Click to enable the Cloud Access toggle button.

c.Click Next.

5.On the Configuration page, perform the following steps:

a.In the Specific Domains field, click Select keywords and add the documentforce.com, force.com, and salesforce.com domains for accessing the Salesforce application.

b.In the Salesforce Org ID field, enter the value of your Salesforce Org ID.

Note:  To obtain your Salesforce Org ID, log in to your Salesforce account. Go to Administer > Company Profile > Company Information. Your Salesforce Org ID is available in the Salesforce.com Organization ID field. Copy the value and paste it in a text editor.

c.In the Home Page Url field, replace the given value with your Salesforce Login URL.

Note:  To obtain the Home Page Url, log in to your Salesforce account and go to Administer > Domain Management > Domains. In the right pane, the domain name is listed under Domain.

d.Click Next.

6.On the Summary page, click Save.

Adding Office365 as a Cloud Service Provider in CipherCloud

Perform the following steps to configure Office365 for SP-Initiated SSO:

1.On the CipherCloud Management dashboard, on the Administration tab, click Cloud Management.

2.On the Cloud Management window, click Add New.

3.On the Basic page, perform the following steps to configure the cloud application:

a.In the Cloud field, select Office365.

b.In the Name field, enter a name (for example, Office365).

c.Click Next.

4.Under Application Suite, select the Office365 sub-applications as per your preferred configuration, and click Next.

5.On the Protection Model page, perform the following steps:

a.Click to enable the Cloud Authentication toggle button.

b.Click to enable the Cloud Access toggle button.

c.Click Next.

6.On the Configuration page, perform the following steps:

a.In the Specific Domains field, click Select keywords and add the required domains for accessing the Office365 application.

b.In the Tenant Identifier Domain Prefix field, enter the Office365 tenant (for example, safenet) registered in Office365.

c.In the Login Domain Prefix field, enter the registered Office365 domain.

Note:  To obtain the Home Page Url, log in to your Salesforce account and go to Administer > Domain Management > Domains. In the right pane, the domain name is listed under Domain.

d.Click Next.

7.On the Summary page, click Save.

Configuring SSO Settings for a Cloud Service Provider (for example, Office365 or Salesforce) in CipherCloud

Perform the following steps to configure Cloud Service Provider:

1.On the CipherCloud Management dashboard, on the Administration tab, click Enterprise Integration.

2.In the left pane, under Configuration, click Single Sign-On.

Note:  In the right pane, under SSO Groups, in the IDP Metadata column, click the download icon for the Default SSO group name to download the metadata that is required to configure CipherCloud SSO settings in Salesforce.

3.In the right pane, under SSO Provider, click Create New and perform the following steps:

a.In the Name field, enter an identity provider name (for example, Salesforce or Office365).

b.In the Type field, select Cloud Service Provider.

c.In the SSO Group field, select the SSO group.

d.In the Clouds field, select the cloud application (for example, MySalesforce) that was created earlier in step 3 of Adding Salesforce as a cloud service provider in CipherCloud.

e.In the Metadata Link field, click Upload a File to search and select the IdP metadata file that you downloaded earlier from your Salesforce Single Sign-On Settings.

f.Click Validate.

g.Ensure that the Entity ID field is automatically filled with your Salesforce Entity ID.

h.Click Save.

i.Once it is active, on the SSO Provider tab, copy the relay state value from the newly added Cloud Service Provider.

Note:  It might take up to 10 seconds for the status to show green.

Note:  You need to configure the Salesforce Single Sign-On settings using the IdP metadata downloaded in step 4 of Download the CipherCloud Metadata.

Configuring Identity Proxy Routing in CipherCloud

Perform the following steps to configure Identity Proxy Routing:

1.On the Single Sign-On window, in the right pane, click the Identity Proxy Routing tab.

2.On the Identity Proxy Routing tab, click Create New and perform the following steps:

a.In the Name field, enter an Identity Proxy name (for example, SafenetID).

b.In the SSO Group field, select the SSO group.

c.In the IDP field, select the identity provider (for example, SfntIdP) that you created earlier in step 2 of Adding SafeNet Trusted Access as an Identity Provider in CipherCloud.

d.In the Cloud Service Provider field, select the Cloud Service Provider (for example, Salesforce) that you have created in step 3 of Configuring SSO Settings for a Cloud Service Provider (for example, Office365 or Salesforce) in CipherCloud.

e.Click Associate.

Note:  It might take up to 30 seconds for the status to show green.

Creating a Cloud Authentication Policy (Optional)

Perform the following steps to create a Cloud authentication policy:

1.On the CipherCloud Management dashboard, click the Protect tab, and click Cloud Authentication Policy.

2.Under Cloud Authentication Policy, click the +New Policy button.

3.On the Basic Information page, in the Activity Name field, enter a name for the policy (for example, MyPolicy), and click Next.

4.On the Context and Actions page, in the left pane, select the application and / or sub-application that you have added (for example, MySalesforce).

5.In the right pane, on the Context Rules tab, ensure that, in the Context Type column, Users is selected and in the Context column, All Users is selected.

6.Click the Action tab.

7.In the Action field, select Allow & Log, and click Next.

8.On the Summary page, click Confirm.

Enable SSO for CipherCloud Management Console (optional)

Perform the following steps to enable SSO for the CipherCloud Management Console:

1.Click the Administration tab, and click System Settings.

2.In the left pane, click System Settings > Sanctioned Cloud Configuration > Enterprise Authentication.

3.In the right pane, under Enterprise Single Sign-On Settings, perform the following steps:

a.In the Identity Provider field, select the identity provider that you created in step 2 of Adding SafeNet Trusted Access as an Identity Provider in CipherCloud.

Note:  Only an identity provider that is connected to the Default SSO group can be selected.

b.Enable the Management Console and Decryption Clients toggle buttons.

c.Click Save.

4.The Management Server restarts automatically. Log in to the Management Console again using your admin credentials.

Note:  On the Management Console login page, an additional Log In With IdP button will be available for SSO.

5.Under Enterprise Single Sign-On Settings, copy the relay state value from the Relay State field. It is required for an IDP initiated flow.

SafeNet Trusted Access Setup

After completing the first step of configuring SafeNet Trusted Access in CipherCloud, the second step is to activate the CipherCloud application or another application (for example, Office365, Salesforce) in SafeNet Trusted Access by performing the following steps:

1.In the Applications pane, the CipherCloud application or another application (for example, Office365, Salesforce) you added earlier is in the inactive state by default. To configure and activate this application, click the application (for example, CipherCloud, Office365, or Salesforce) and proceed to the next step.

2.Under STA Setup, perform the following steps:

a.Click Upload CipherCloud Metadata. Alternatively, upload the metadata for another application (for example, Office365 or Salesforce).

b.On the Metadata Upload window, click Browse to search and then select the application metadata that you downloaded earlier in step 3 of Download the CipherCloud Metadata. For more details on downloading the metadata for other cloud service providers (for example, Office365 or Salesforce), refer to the application-specific help documentation in CipherCloud.

c.Under Return Attributes, ensure that mail attributes are added.

Note:  The mail attribute added above is applicable if you are adding the CipherCloud application in SafeNet Trusted Access. If you are adding another application (for example, Office365 or Salesforce), configure the return attribute(s) as required for that application. For more details on the configuration steps, refer to the application-specific help documentation in SafeNet Trusted Access.

d.Under Advanced Settings, in the IDP INITIATED SSO RELAY STATE field, enter the relay state value of your application. Relay state is a unique value that identifies the application to which you are redirected after a successful login.

Note:  Paste the relay state value that you copied earlier from step 3 of Configuring SSO Settings for a Cloud Service Provider (for example, Office365 or Salesforce) in CipherCloud for accessing Salesforce and step 5 of Enable SSO for CipherCloud management console (optional).

Under Account Details, the service provider metadata information is displayed.

e.Click Save Configuration to save the details and activate the CipherCloud application in SafeNet Trusted Access.
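A pre-upload check for the metadata files exchanged in this procedure (the identity provider metadata uploaded in Adding SafeNet Trusted Access as an Identity Provider in CipherCloud, and the CipherCloud metadata uploaded under STA Setup), as an added example that is not part of the SafeNet or CipherCloud documentation. The function name, the checks chosen, and the sample metadata are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Role -> (descriptor element, endpoint element) in the SAML 2.0 metadata schema.
ROLES = {"idp": ("IDPSSODescriptor", "SingleSignOnService"),
         "sp": ("SPSSODescriptor", "AssertionConsumerService")}

def check_metadata(xml_bytes, role):
    """Return (entity_id, endpoints, findings) for one SAML metadata file."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        # Metadata never needs a DTD; refuse it instead of expanding entities.
        return None, [], ["DTD or entity declaration present"]
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % MD:
        return None, [], ["root element is not md:EntityDescriptor"]
    findings = []
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("entityID attribute missing")
    desc_name, endpoint_name = ROLES[role]
    desc = root.find("md:" + desc_name, NS)
    if desc is None:
        return entity_id, [], findings + ["no md:%s element" % desc_name]
    # Keep only the short binding name (HTTP-POST, HTTP-Redirect) and the URL.
    endpoints = [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
                 for e in desc.findall("md:" + endpoint_name, NS)]
    if not endpoints:
        findings.append("no md:%s endpoint" % endpoint_name)
    for binding, location in endpoints:
        if not location.startswith("https://"):
            findings.append("%s endpoint is not HTTPS: %s" % (binding, location))
    # A KeyDescriptor without a use attribute covers signing as well.
    certs = [kd.find(".//ds:X509Certificate", NS)
             for kd in desc.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"]
    if not any(c is not None and (c.text or "").strip() for c in certs):
        findings.append("no signing certificate in md:KeyDescriptor")
    return entity_id, endpoints, findings

# Constructed sample, not a real tenant; the certificate body is a placeholder.
SAMPLE_IDP = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/entity">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="http://idp.example.test/sso"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Calling check_metadata(SAMPLE_IDP, "idp") returns the entity ID to compare against the Entity ID field after Validate, plus one finding for the plain-HTTP endpoint in the constructed sample. Pass "sp" as the role for the CipherCloud metadata file.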

Verify Authentication

Single Sign-on to Third-party Application (e.g. Office365, Salesforce)

Navigate to the login URL of the Office365 application or sub-application and then click on the identity provider name (for example, Salesforce, Office365, CipherCloud). You will be redirected to the SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the Office365 portal after authentication.

Single Sign-on to Management Console

Navigate to the login URL of the Management Console, https://<Tenant Name>.CipherCloud.io/account/#login (for example, https://sfnt.CipherCloud.io/account/#login), where <Tenant Name> is the unique name registered in CipherCloud.

Click Log In with IdP.

You will be redirected to your SafeNet Trusted Access sign-in page. Enter your primary directory login information, approve the two-factor authentication, and you should be redirected to the CipherCloud console after authentication.

Using STA User Portal

Navigate to the User Portal URL to log in to the STA User Portal dashboard. On the dashboard, you will see a list of applications to which you have access. Click the CipherCloud application icon. You should be successfully logged in to the CipherCloud console after authentication.

 

© 2019 SafeNet Trusted Access. Various trademarks are held by their respective owners.