Extend your endpoint security posture with the Okta Chrome Enterprise Device Trust Connector

Okta continues to extend the security posture of enterprise endpoints with a new dedicated integration with Google. It brings Device Assurance policy to ChromeOS and adds a new set of device signals collected from the Chrome browser itself, which makes it possible, among other things, to base access policy on the type of browser in use.

Requirements:

Okta Integration with Google Workspace.

Before we dive into the configuration, let's have a look at the signals we can gather from this new integration:

It is important to note that once the integration is configured, ChromeOS signals are leveraged as a platform within the Okta Device Assurance policy, and Chrome Browser Device Trust becomes an attribute provider for both the macOS and Windows platforms.

What is very powerful here is that this can be combined with Okta Verify for the Registered and Managed device context, but access decisions can also be made on the Chrome browser signals alone.

Below is the policy with the new option that appears once the integration is in place.

In this article we focus on the integration with the Chrome Browser Device Trust connector on the Windows platform.

1.) Integrate Okta as a connector in the Google Admin console.

Go to the Google Admin console and look for Connectors, as shown in the screenshot below.

When you get started you will be asked to accept the terms to use this capability, which is available at no cost. Once accepted, select New provider as shown below.

Scroll down and select Set up Okta provider.

You are now asked to enter the credentials that bind Okta with Google.

Go to your Okta tenant Admin Console –> Security –> Device Integrations –> Endpoint Security, select Add endpoint integration and choose Chrome Device Trust.

The credentials shown below are the ones to enter back in the Google Admin console.

Then click Add configuration.

You need to select the Okta connector for your domain: select your domain, choose Okta Connector, and make sure the setting shows as Locally applied so that the Device Trust connector is enabled for that domain.

Well done! Okta is now integrated with the Google Chrome Device Trust connector.

2.) Okta Device Assurance + App Policy configuration for Chrome Browser signals.

Go to the Okta Admin Console, Security –> Device Assurance Policies, and click Add Policy.

In the policy, for our use case, select the Windows platform, tick the Chrome Device Trust attribute provider and use the minimum Windows version as the signal. Because this signal is delivered by the managed Chrome browser, requiring it also enforces the use of Chrome rather than another browser: a request from a different browser, or from a Chrome instance that is not enrolled in Chrome Browser Cloud Management, carries no Chrome Device Trust attributes and therefore fails the assurance check. Click Save.

We will now add the Device Assurance policy to our app authentication policy. In this case we do so for the Salesforce app, so that the only way to access it is from a fully managed device using the managed Chrome browser.

Note that the new connector gathers signals from the Chrome browser without requiring the device to be registered with Okta Verify.

In the Okta Admin Console go to Security –> Authentication Policies, find the SFDC app (or the app of your choice), click Add rule, configure it as shown below and save.

At this stage everything is ready to test access to the SFDC app. The last step is to ensure that the Chrome browser on the client machine is enrolled in Chrome Browser Cloud Management.

Follow the steps in Google's documentation (see Sources) to enroll your Chrome browser in the Chrome Browser Cloud Management console.

Go to the Google Admin console to confirm that the browser is enrolled. This is important because it is how Okta gathers the signals directly from the Chrome Browser Cloud Management platform.
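As an added pre-flight check (this script is not part of the article, and is not Okta's or Google's own tooling), the following PowerShell, run as an administrator on the Windows client, reports the facts the Device Assurance policy above depends on: the Windows version, the machine-wide Chrome version, and whether Chrome is enrolled in Chrome Browser Cloud Management. The enrollment-token location `HKLM:\SOFTWARE\Policies\Google\Chrome\CloudManagementEnrollmentToken` is the documented place for a policy-provisioned token; the two DM-token paths in `$DmTokenPaths` are assumptions about where Chrome stores the token it receives after a successful enrollment and should be verified against your Chrome build.

```powershell
# Added example: Windows client readiness check for Okta Chrome Device Trust.
# Run elevated. Not from the article, Okta or Google.
#
# Assumptions:
#   - CloudManagementEnrollmentToken under HKLM:\SOFTWARE\Policies\Google\Chrome
#     is the documented location for a policy-provisioned enrollment token.
#   - The DM token Chrome writes once enrollment succeeded is assumed to live
#     in one of $DmTokenPaths below; verify the path for your Chrome version.

$ErrorActionPreference = 'SilentlyContinue'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. OS version: the Device Assurance policy compares this against the
#    minimum Windows version configured in Okta.
$os = Get-CimInstance Win32_OperatingSystem
$osVersion = [version]$os.Version
Write-Host ("Windows version : {0} ({1})" -f $osVersion, $os.Caption)

# 2. Chrome version from the machine-wide install. A per-user install is not
#    covered by Chrome Browser Cloud Management and delivers no signals.
$chromeExe = Join-Path $env:ProgramFiles 'Google\Chrome\Application\chrome.exe'
if (-not (Test-Path $chromeExe)) {
    $chromeExe = Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe'
}
$chromeVersion = if (Test-Path $chromeExe) {
    (Get-Item $chromeExe).VersionInfo.ProductVersion
} else {
    'not installed machine-wide'
}
Write-Host ("Chrome version  : {0}" -f $chromeVersion)

# 3. Enrollment token pushed by GPO or registry (documented CBCM location).
$enrollToken = Get-RegValue 'HKLM:\SOFTWARE\Policies\Google\Chrome' 'CloudManagementEnrollmentToken'
Write-Host ("Enrollment token: {0}" -f $(if ($enrollToken) { 'present' } else { 'missing' }))

# 4. DM token written by Chrome after a successful enrollment (assumed paths).
$DmTokenPaths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Google\Enrollment',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Enrollment'
)
$dmToken = $null
foreach ($p in $DmTokenPaths) {
    $dmToken = Get-RegValue $p 'dmtoken'
    if ($dmToken) { break }
}
Write-Host ("DM token        : {0}" -f $(if ($dmToken) { 'present (browser enrolled)' } else { 'missing (browser not enrolled)' }))

# 5. Summary: without an enrolled browser Okta receives no Chrome Device
#    Trust attributes, so the assurance rule on the SFDC app will deny access.
if (-not $dmToken) {
    Write-Warning 'Chrome is not enrolled in Chrome Browser Cloud Management; the Device Assurance policy will fail.'
} elseif ($chromeVersion -eq 'not installed machine-wide') {
    Write-Warning 'No machine-wide Chrome install found; install Chrome for all users before enrolling.'
} else {
    Write-Host 'Client looks ready. Open chrome://policy and confirm the cloud-sourced policies appear under Machine policies before testing the app.'
}
```

The DM token check is the one that matters for Okta: the enrollment token only proves that an administrator pushed a token, while the DM token is only written after Chrome has actually completed enrollment with Google, which is the state the Google Admin console enrollment view reflects.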

It is now time for testing. Check out the result in this video:

Sources:

https://help.okta.com/oie/en-us/content/topics/identity-engine/devices/chrome/enable-chrome-dt.htm

https://support.google.com/chrome/a/answer/13570263?hl=en
