Overview / Prerequisites
In this blog I want to guide you through the process of integrating Okta as the IdP with the VMware Web Proxy and show what the user experience looks like.
I will not cover how to create a Security Policy on the VMware side, but you can read about these basic steps in my personal blog.
The VMware Cloud Web Security (CWS) Web Proxy is designed to enable the standalone consumption of CWS without the need for VMware SD-WAN or VMware Secure Access (SA). Any device with a modern browser that can support a network proxy configuration, either manually or automatically through a proxy auto-config (PAC) file, can have its Web traffic redirected to CWS for security inspection.
You can read more about this here.
We need to have the following in place:
- Okta SAML Provider Configuration
- VMware standalone Cloud Web Security Configuration
- Client/Host configuration with the SSL Termination Certificate and the Web Proxy URL
Create Okta SAML App
First we will create a new Application on the Okta side. Log into the Okta Admin Portal and in the left navigation menu select
Applications –> Applications
Select Create App Integration
Select SAML 2.0 and click Next afterwards
In the General Settings section, enter a name for the app, add a logo (optional), choose not to display it to the users, and click Next.
Fill in the following fields:
- Single sign on URL: https://safe-cws-sase.vmware.com/safeview-auth-server/saml
- Audience URI (SP Entity ID): https://safe-cws-sase.vmware.com/safeview-auth-server/saml/metadata
Scroll down and click Next
In this section we need to select:
- “I’m an Okta customer adding an internal app”
- “This is an internal app that we have created”
- Click Finish
In the next step, navigate to the Sign On tab and scroll down to SAML Signing Certificates.
Next to the Active certificate, select Actions, then select View IdP metadata, select Download certificate and save it to a local folder.
Navigate to the Assignment tab and assign the People or Groups to our application.
Configure Authentication (SSO)
In the next part we will configure the Single Sign On authentication on the VMware side.
Logged in to the SASE Orchestrator, select the SD-WAN dropdown and then Cloud Web Security.
Select Configure and then Authentication.
Toggle Single Sign On to Enabled, select Yes and pick Okta as the SAML Provider.
Enter the SAML 2.0 Endpoint and the Service Identifier (Issuer); you can get this information from the metadata XML downloaded in the previous step (Create Okta SAML App).
In the Domain field, fill in your domain (e.g. yourdomain.com); this setting is used to identify the enterprise users (user@domain) whose authentication requests are sent to Okta.
Now scroll down to the X.509 Certificate section and click Add/Edit Certificate.
Locate the certificate we downloaded during the SAML app creation, paste in its contents and save the settings.
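The three values this page asks for (SAML 2.0 Endpoint, Issuer and the X.509 certificate) all live in the IdP metadata XML downloaded from Okta. As an added example that is not part of the original post, this small parser pulls them out and re-wraps the bare base64 certificate as PEM; the metadata document and every identifier in it are constructed placeholders, not real Okta values.

```python
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Okta's IdP metadata; all values are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/EXAMPLEAPPID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBASE64PLACEHOLDERCERTDATA
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/EXAMPLEAPPID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/EXAMPLEAPPID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_cert):
    """Re-wrap the bare base64 certificate from the metadata as PEM for the X.509 field."""
    body = "".join(b64_cert.split())  # drop the whitespace/newlines inside the element
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"

def parse_idp_metadata(xml_text):
    """Return the values the CWS Authentication page asks for: endpoint, issuer, certificate."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not an IdP metadata document (no IDPSSODescriptor)")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)  # CWS posts to this one
    if sso is None:
        raise ValueError("no HTTP-POST SingleSignOnService binding in metadata")
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:  # fall back to a KeyDescriptor without an explicit use attribute
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text or not cert.text.strip():
        raise ValueError("no X509Certificate in metadata")
    return {"saml_endpoint": sso.get("Location"),
            "issuer": root.get("entityID"),
            "certificate_pem": to_pem(cert.text)}

if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

Pointing the script at the metadata file you downloaded from Okta gives you the exact strings to paste into the Orchestrator, including the certificate in the PEM framing the X.509 field expects.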
By selecting the Web Proxy option in the menu bar we get to the corresponding menu.
Toggle Enable Web Proxy to Active, select a Cloud Web Security Policy (here you can read how to create a basic one) and save your settings.
Write down the Proxy URL, as we will need it for the host configuration.
In the last part we will look at the host configuration. In order to use the Cloud Proxy functionality we need the SSL Termination Certificate and the Proxy URL.
In an enterprise setup you would roll out both the certificate and the client proxy configuration via e.g. an MDM solution.
We can download the certificate via the SSL Termination menu and import it into the Trusted Root Certification Authorities store of the clients.
The Web Proxy URL and the port need to be filled in here.
Finally, let’s have a look at a short demo of what it looks like from a user perspective.
I will leverage Okta FastPass; this setup process has been really well documented