Skyhigh Security

Integrate Skyhigh CASB for Google Drive with Okta SSO

To integrate Skyhigh CASB for Google Workspace with Okta SSO, you must first configure SSO without the SAML proxy, then integrate the SAML proxy. 

Prerequisites 

Before you begin, you must have the following accounts:

  • Okta account
  • Google Workspace account with at least 1 user account (admin + 1 user).

Phase 1 - Configure SSO without SAML Proxy

Add Google Workspace to Okta

  1. Log in to the Okta admin console, navigate to Applications > Applications, and click Browse App Catalog.
  2. Search for and select Google Workspace and add the app.
  3. Under General Settings, enter your public G Suite domain.
  4. Under Sign-On Options, select SAML 2.0 and Okta username.

Enable Provisioning for the Okta App

  1. Select the Provisioning tab, and Configure API Integration.
  2. Select Enable API integration and select Authenticate with GSuite.
  3. When asked to provide an account to authenticate, select the G Suite admin account and approve the access request.
  4. Okta will report the GSuite connection is verified. Select Save.
  5. Enable all the provisioning options, and select Sync Okta Password. Save the config.
  6. Select the Import tab, and Import Now.
  7. If you have a similar user ID already in Okta (an O365 user, for example), Okta may suggest using this. Decline and make sure the import creates unique Okta users.
  8. Change it to the following.
  9. Make sure only the user@ account is selected for import and then click Confirm Assignments.
  10. Okta will confirm that one user will be imported. Click Confirm.
  11. Navigate to users and confirm the new user has automatically been created. Activate it.
  12. Log in to the user's Gmail account and complete the Okta registration.
  13. Navigate to the GSuite Okta app Sign On page and select View Setup Instructions for the SAML 2.0 setup.

We will walk through these instructions in the next section.

Configure SSO in GSuite

  1. Log in to the GSuite admin console (https://admin.google.com) and select Security.
  2. Find and select Set up single sign-on (SSO).
  3. Download the GSuite cert. This step isn't in the Okta instructions, but we will need this cert later for the SAML Proxy (SP CERT).
  4. Activate the checkboxes Setup SSO with third party identity provider and Use a domain specific issuer. Complete the fields as provided in the Okta instructions.
  5. Upload the Okta IdP certificate as provided in the Okta instructions. Keep this certificate for later when we configure the SAML proxy (IDP CERT).
  6. Click Save.
  7. You will be logged out of your GSuite account while SSO is enabled. Log back into the admin console and check the SSO settings. When using your admin account to access the admin console, SSO is bypassed.

Test IdP Initiated Authentication

  1. Use a new browser or Chrome incognito window and log in to Okta using your user account.
  2. Select GDrive from the apps window.
  3. If successful, you will be logged into GDrive automatically.


Phase 2 - Integrate the SAML Proxy

Enable the SAML Proxy

  1. Log in to Skyhigh CASB and go to Settings > Service Management.
  2. Use an existing Google Drive instance, or create a new one, and select the Setup tab. On the Proxy row, select Get Started.
  3. For Configure Proxy, select Configure.
  4. For Proxy Location, select Skyhigh Security Cloud.
  5. On the Set up Proxy Domain page, accept the defaults and click Done (no input required).
  6. Back at the main proxy page, for SAML Proxy, select Configure.
  7. Upload the IDP cert collected from Okta earlier.
  8. Upload the SP CERT collected from GSuite earlier.
  9. Download the SAML Proxy certificate (SAML PROXY CERT).
  10. The SAML Proxy is now enabled.
  11. Finally, copy and keep handy the proxy URL as you will need this later.
  12. Paste this URL into a browser and make sure it works. If not, contact Skyhigh CASB Support. Do not continue until this works. 

Reconfigure Okta to Use the SAML Proxy

  1. Log in to Okta Admin and navigate to Security > API. Select the Tokens tab and Create Token.
  2. Copy the token and save it safely. Once you click Got It, it won't be displayed again.
  3. Navigate to the Skyhigh CASB / Okta ACS URL tool and complete the fields as follows:
    • Okta URL: the Okta URL for your Okta tenant, just up to the .com. Do not use the -admin URL. For example, https://dev-610327.oktapreview.com.
    • Okta API token: as obtained earlier from Okta.
    • Skyhigh CASB proxy URL: you will need to build this parameter from your proxy domain, instance name, service name and GSuite domain so that it looks like this: www.google.com.gsuite.def.skyhigh2241.myshn.net/a/skyhigh5459.net/acs
      It is built from this template:
www.google.com.<PROXY SERVICE NAME>.<INSTANCE NAME>.<TENANT DOMAIN>.myshn.net/a/<GSUITE DOMAIN>/acs

NOTE: No https:// is required in this field.

  4. Click Submit. You should see a list of apps obtained from Okta. Select the G Suite application and note that the current URL is DEFAULT.
  5. Click Submit and the login URL will be changed to include the SAML proxy.
  6. Now check that the full Login URL, as shown in the table of applications, matches this template:
https://www.google.com.<PROXY SERVICE NAME>.<INSTANCE NAME>.<TENANT DOMAIN>.myshn.net/a/<GSUITE DOMAIN>/acs?shnsaml

For example:

https://www.google.com.gsuite.def.sk...et/acs?shnsaml 

NOTE: If you need to revert back, simply enter the proxy URL as 'DEFAULT' and submit.
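The proxy ACS URL is assembled by hand from four values, and a typo (a stray scheme, a space, the -admin Okta hostname) only surfaces later as a failed login. The following helper, added here as an example and not part of the Skyhigh CASB / Okta ACS URL tool, builds the field value from the template above, validates the Okta URL field against the notes in the procedure, and checks whether the login URL Okta reports after step 5 matches the expected proxy form. The sample component values are the ones shown in the procedure (gsuite, def, skyhigh2241, skyhigh5459.net); the function names are assumptions.

```python
"""Build and check the SAML proxy ACS URL (added example, not Skyhigh tool code)."""
import re
from urllib.parse import urlsplit

# Template from the procedure: each component becomes a DNS label of the proxy host.
ACS_PATH_TEMPLATE = (
    "www.google.com.{service}.{instance}.{tenant}.myshn.net/a/{gsuite_domain}/acs"
)
LOGIN_SUFFIX = "?shnsaml"  # appended by the tool to the login URL it sets in Okta

# Valid DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _check_label(name, value):
    """Reject values that cannot appear as a hostname label (spaces, dots, schemes)."""
    value = value.strip().lower()
    if not _LABEL.match(value):
        raise ValueError(f"{name} {value!r} is not a valid hostname label")
    return value


def build_proxy_acs_url(service, instance, tenant, gsuite_domain):
    """Return the value for the tool's 'Skyhigh CASB proxy URL' field (no https://)."""
    domain = gsuite_domain.strip().lower().strip("/")
    for part in domain.split("."):
        _check_label("GSuite domain label", part)
    return ACS_PATH_TEMPLATE.format(
        service=_check_label("proxy service name", service),
        instance=_check_label("instance name", instance),
        tenant=_check_label("tenant domain", tenant),
        gsuite_domain=domain,
    )


def expected_login_url(service, instance, tenant, gsuite_domain):
    """The login URL Okta should show for the G Suite app once the tool has run."""
    return "https://" + build_proxy_acs_url(service, instance, tenant, gsuite_domain) + LOGIN_SUFFIX


def normalize_okta_url(url):
    """Validate the 'Okta URL' field: https origin only, and never the -admin hostname."""
    url = url.strip()
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.netloc.lower()
    if not host:
        raise ValueError(f"no hostname in Okta URL {url!r}")
    if parts.scheme != "https":
        raise ValueError("Okta URL must use https")
    if host.split(".")[0].endswith("-admin"):
        raise ValueError("use the tenant URL, not the -admin URL")
    # "Just up to the .com": drop any path, query or fragment.
    return f"https://{host}"


def login_url_uses_proxy(login_url, service, instance, tenant, gsuite_domain):
    """True when the app's login URL in Okta is the proxy URL; False for DEFAULT or anything else."""
    return login_url.strip() == expected_login_url(service, instance, tenant, gsuite_domain)


if __name__ == "__main__":
    # Sample values from the procedure above.
    print(build_proxy_acs_url("gsuite", "def", "skyhigh2241", "skyhigh5459.net"))
    print(normalize_okta_url("https://dev-610327.oktapreview.com/"))
    print(login_url_uses_proxy("DEFAULT", "gsuite", "def", "skyhigh2241", "skyhigh5459.net"))
```

Run the check after step 5 by pasting the login URL Okta displays into login_url_uses_proxy; a False result with "DEFAULT" means the tool did not update the app, and a ValueError from normalize_okta_url or build_proxy_acs_url points at the field that was mistyped before the token is ever used.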

Reconfigure GSuite to Use the SAML Proxy

  1. Log in to the GSuite Admin Console and find the SSO settings.
  2. Select Replace Certificate and upload the Skyhigh CASB proxy certificate obtained earlier.

Optional: Delete the API Token in Okta

Now that the Okta ACS has been updated to use the SAML Proxy, you no longer need API access. The token generated earlier can be revoked (as required).

Create a Cloud Access Policy

  1. Create a Cloud Access Policy that matches Google Drive and checks for a device certificate. Managed devices will be redirected; unmanaged devices will be blocked.
  2. Test the policy by attempting to log in to a Google Suite service from both a managed and an unmanaged device.
