https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka00z0000019tczsae&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fcasb-configuration-guide-376825427
CASB Configuration Guide
Published: Apr 23, 2018   -   Updated: May 15, 2018

About CASB

A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies beyond their own infrastructure. (searchcloudsecurity.techtarget.com)

CASB and the Okta OIN

To simplify integration with in-path (reverse-proxy) CASBs, Okta provides functionality that lets admins override several default SAML settings of published OIN apps that use SAML for federation. The same overrides can also be applied to the Microsoft Office 365 app.

The values that can be overridden are:

  • Assertion Consumer Service URL (ACS)
  • Audience
  • Recipient
  • Destination

To override these settings, admins must use the Apps API to populate the app's settings.signOn object with the appropriate override values. The keys and the SAML properties they control are:

SAML property                     signOn key             Example value
Assertion Consumer Service URL    ssoAcsUrlOverride      https://casb-provider.com/ssoAcsUrlOverride
Audience                          audienceOverride       https://casb-provider.com/audienceOverride
Destination                       destinationOverride    https://casb-provider.com/destinationOverride
Recipient                         recipientOverride      https://casb-provider.com/recipientOverride

Configure CASB for a Specific App

Here is an example of how to configure CASB for a specific app:

  1. This is an Early Access feature. Contact Okta Support to enable the SAML2_CASB_SUPPORT feature for your org.

  2. In Okta, navigate to Security > API and create a new API token. The token carries the privileges of the admin who creates it, so create it from an account with no more rights than this task needs, keep it out of shell history and scripts, and revoke it when the configuration is done.

  3. Get the app details by making an API call as follows:

    curl -X GET \
      https://{{Okta host}}/api/v1/apps/{{App ID}} \
      -H 'Authorization: SSWS {{ API Key }}' \
      -H 'Accept: application/json'
    

    The App ID is the identifier in your app's URL in the Admin Console (the original article shows a screenshot of this here).

  4. Copy the API response into a text editor.

  5. Update the app data by means of an API call as shown in the example below.

    Note: The attributes shown are the minimum required ones. PUT is a full update of the app, so replace the values in the settings.app section with the ones from the GET response you saved in step 4; the signOn section is where the override values go.


    curl -X PUT \
      https://{{Okta host}}/api/v1/apps/{{App ID}} \
      -H 'Authorization: SSWS {{ API Key }}' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{ 
        "label": "Amazon Web Services",
        "name": "amazon_aws",
        "signOnMode": "SAML_2_0",
        "settings": {
          "app": {
            "appFilter": null,
            "awsEnvironmentType": "aws.amazon",
            "groupFilter": "aws_(?{{accountid}}\\d+)_(?{{role}}[a-zA-Z0-9+=,.@\\-_]+)",
            "secretKey": null,
            "accessKey": null,
            "loginURL": "https://console.aws.amazon.com/ec2/home",
            "identityProviderArn": "arn:aws:iam::456272127071:saml-provider/OktaRainVladDobrikov2,arn:aws:iam::456272127071:role/RoleOktaRainVladDobrikov",
            "overrideAcsURL": null,
            "sessionDuration": 3600,
            "secretKeyEnc": null,
            "roleValuePattern": "arn:aws:iam::${accountid}:saml-provider/OKTA,arn:aws:iam::${accountid}:role/${role}"
          },
          "signOn": {
            "defaultRelayState": "defaultRelayStateOverride",
            "ssoAcsUrlOverride": "https://casb-provider.com/ssoAcsUrlOverride",
            "audienceOverride": "https://casb-provider.com/audienceOverride",
            "recipientOverride": "https://casb-provider.com/recipientOverride",
            "destinationOverride": "https://casb-provider.com/destinationOverride"
          }
        }
      }'
                    
  6. Perform a SAML login from Okta to the application you just updated. Confirm with a browser SAML tracer that the browser POSTs the response to the CASB's ACS URL and that the Destination, Audience and Recipient in the issued assertion carry the override values rather than the app's original endpoints.
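
The script below is an added example, not code from the article or from Okta. It builds the PUT body of step 5 from a saved GET response (keeping the rest of settings intact, since PUT is a full update), optionally sends it with the same SSWS call the article's curl command uses, and then performs the step 6 check by comparing an issued SAML Response with the four overrides. The CASB host https://casb-provider.com, the app ID placeholder, and both the SAMPLE_APP JSON and SAMPLE_RESPONSE XML are constructed for the demo; the signOn key names are the ones listed in the table above.

```python
"""Added example (not Okta's own code): build the CASB override PUT body and
verify an issued SAML Response against it. SAMPLE_APP and SAMPLE_RESPONSE are
constructed; https://casb-provider.com is a placeholder CASB host."""
import copy
import json
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

OVERRIDE_KEYS = ("ssoAcsUrlOverride", "audienceOverride",
                 "recipientOverride", "destinationOverride")
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed subset of a GET /api/v1/apps/{id} response for the article's AWS app.
SAMPLE_APP = {
    "id": "0oaexampleappid",          # placeholder, not a real Okta app ID
    "label": "Amazon Web Services",
    "name": "amazon_aws",
    "signOnMode": "SAML_2_0",
    "status": "ACTIVE",
    "settings": {
        "app": {"loginURL": "https://console.aws.amazon.com/ec2/home",
                "sessionDuration": 3600},
        "signOn": {"defaultRelayState": None},
    },
}

def build_override_body(app, casb_base):
    """Return the PUT body: label/name/signOnMode/settings from the GET response
    (the attributes the article sends) with every override pointed at casb_base.
    The rest of settings is copied unchanged because PUT is a full update."""
    base = casb_base.rstrip("/")
    if urlparse(base).scheme != "https":
        raise ValueError("CASB endpoints must be https; the SAML assertion is POSTed there")
    body = {k: copy.deepcopy(app[k]) for k in ("label", "name", "signOnMode", "settings")}
    sign_on = body["settings"].setdefault("signOn", {})
    for key in OVERRIDE_KEYS:
        sign_on[key] = f"{base}/{key}"    # e.g. https://casb-provider.com/audienceOverride
    return body

def put_app(okta_host, app_id, api_token, body):
    """PUT the updated app, the same call as the article's curl. Needs network."""
    req = urllib.request.Request(
        f"https://{okta_host}/api/v1/apps/{app_id}",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def check_saml_response(xml_text, sign_on):
    """Step 6 check: compare Destination, Audience and Recipient in a captured
    SAML Response with the signOn overrides. Returns {key: (expected, found)}
    for each mismatch; an empty dict means the assertion carries the overrides.
    The ACS URL override is the POST target (the form action), not an XML
    attribute, so it is checked in the browser rather than here."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    found = {
        "destinationOverride": root.get("Destination"),
        "audienceOverride": root.findtext(
            ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "recipientOverride": scd.get("Recipient") if scd is not None else None,
    }
    return {k: (sign_on.get(k), v) for k, v in found.items() if v != sign_on.get(k)}

# Constructed, unsigned and trimmed SAML Response as issued after the overrides.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2018-05-15T00:00:00Z" Destination="https://casb-provider.com/destinationOverride">
  <saml:Issuer>http://www.okta.com/example-issuer</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-05-15T00:00:00Z">
    <saml:Issuer>http://www.okta.com/example-issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://casb-provider.com/recipientOverride"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://casb-provider.com/audienceOverride</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    body = build_override_body(SAMPLE_APP, "https://casb-provider.com")
    print(json.dumps(body["settings"]["signOn"], indent=2))
    print("mismatches:", check_saml_response(SAMPLE_RESPONSE, body["settings"]["signOn"]))
```

In practice, paste the full GET response into SAMPLE_APP's place, call put_app() with the token from step 2, then log in and feed the Response XML captured by a SAML tracer to check_saml_response(). A non-empty result means the override did not take effect (for example the feature is not yet enabled for the org) and the assertion is still addressed to the app's original endpoints.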
