Salesforce Reverse Proxy Using Okta as the IDP

Salesforce Reverse Proxy Using Okta as the IDP
S
Rank
Userlevel 4
Badge +16

A Security Practitioner's Perspective

This article will walk you through the setting up of Reverse Proxy(RProxy) for Salesforce (SFDC) using Okta as the Identity Provider (IDP). There are RProxy limitations which should be noted as it will greatly affect its use within the organization and subsequent effective use within Real-Time Policies (RTP). For example, RProxy might appear to function correctly but activities with desktop applications might be restricted or bypass RProxy altogether.

Since RProxy is meant to provide another real time steering method for machines or devices which do not have the Netskope client enabled, it is imperative to understand its limitations and plan accordingly.

Additionally, RProxy should be implemented as the last method of deploying other real time access methods since it sits between the IDP and the application. The exception to this is implementing RProxy as a Service (RPaaS). RPaaS is an application that sits in an SaaS service that also has a built in IDP.

 

Applications Supported in RProxy

Please see the following for a list of applications that are supported.     https://support.netskope.com/s/article/Applications-supported-with-Reverse-Proxy

 

Implementation Steps

  1. Disable Re-Sign SAML Assertions.
  2. Create a Salesforce RProxy SAML application in the Netskope tenant.
  3. Use Postman to alter the SAML ACS URL inside Okta to point to Netskope via API request to modify the Okta App configuration to override the endpoint URL.
  4. Test access to the SFDC application in Okta with and without the Netskope Client Enabled.

Prerequisites

  1. Administrative access to Okta.
  2. A working connection between SFDC and Okta needs to be confirmed that it is working. THIS is necessary due to the intricacies of trying to configure RProxy when it is not working.  While not impossible it is painful!
  3. Application similar to or capable of the functions that Postman performs with respect to API functions.
  4. Delegated Admin and Tenant Admin level of access to the Netskope Tenant.
  5. Web browser on a machine which has the Netskope Client disabled or not installed. The machine may have the Netskope Client running; however, tamper proof options should not be turned on for testing purposes.

 

Reverse Proxy Configuration

Disable Re-Sign SAML Assertions

  1. Login to the Netskope tenant and go to Settings.
  2. Go to Security Cloud Platform, Reverse Proxy, and SAML.
  3. Click on the Settings button located on the right-hand side of the page. The SAML Settings window will appear.
  4.  Use the toggle to disable Re-Sign SAML Assertions.
    AD_4nXfXN8BP0pRjJ3nxanNuYvw3RG79iKEhjXNuUZTWb2bZ1nIlHq4SMIaIIJgwsJfFrL6P1Q8wmHx5AZDmcbHLViIUcHROIJNTFSAHPupG2YHT1EmN3UHEdLH2zhDhyc-SKkaH_-aF4A4IbLGCN17r9u42krCd?key=N0jt-idpEXXEOTVW-FL6mw
     
  5. Click Save.

Create a SAML RProxy Application

This step will create the SAML RProxy application in the Netskope tenant. Configuration information from Salesforce is necessary to complete this step.  

  1. Login to Salesforce and navigate to Settings, Identity, Single Sign-On Settings.
    AD_4nXcUOB7anrQffWKTsrE_gcP5VK1hKoML2rAF1xJqERsnsmuhomIZo_J1mmUMH-NED1DL9UsBBru_lreoSwwj4ZisLDA3LMALaSZ31UFJdQT4Eo2vFTZu5YSM1pmyo3rrhk1U8k9BueCTlnR8SwBpP4EOnLs?key=N0jt-idpEXXEOTVW-FL6mw
  2. Copy the Identity Provider Login URL and the Endpoint Login URL.
  3. Login to Okta and navigate to the Salesforce application. Open the Okta application. The application configuration page will be displayed.
  4. Click on the Sign-On tab.
    AD_4nXeJJI822Pulv83XON3KoYxafT9VpN4MVayRvUqk5FXJzDULXbA0lF0RuZnD8_vr26IesrQkB4CnqiDIGMdb5MTWGF1w-q6JM5jjLKJdPx73fP0pP7LuffMmO8n9oow4nILDm6NgfgUFViulYn8UvL3IQ9c3?key=N0jt-idpEXXEOTVW-FL6mw
     
  5. Scroll down to the SAML Signing Certificates section and click the Actions drop-down menu. Choose the Download certificate and store the certificate in an easily accessible location.AD_4nXejJRLMsu1ztFDPusnkHcJG3t1QLYcHbqXwsFXRZ1JNYVPu5s0pgtNCD5KpZmo0QpnNOyKms0OUW5AJDyRAmsv8plOFPWYEOlEmm3uVu4ZfohbYEyKielMrzCHuiTIMlq5NEeGLP_4GMnIFZgEsoO09n-8?key=N0jt-idpEXXEOTVW-FL6mw
  6. While on the SAML Reverse Proxy page settings, click Add Account. The New Account window will appear.
  7. Complete the following steps to add the new application.
    1. Enter a name for the SAML RPRoxy application.
    2. In the ACS URL field, use the Endpoint Login URL copied earlier.
    3. In the IDP SSO URL field, use the Identity Provider Login URL copied earlier.
    4. Open the Okta SAML Signing Certificate in a text editor, copy all of its contents, and paste it into the IDP CERTIFICATE field.
    5. Click Save.
      AD_4nXf0QjjcrmW60dznr5U16xCVBqsff1aVVV4WB8jv0Iuc-l-y9GlNKMIrTqOk0ubKh6LXsslkRoVSI9AsdZ9THl9mH3SaUrR5J6BJiRug14UywDybO0Amk2_kpUoeViyeQnbV04raq3qIq1kDkaw_CN112NQw?key=N0jt-idpEXXEOTVW-FL6mw
  8. Click on the Netskope Settings button next to the new Salesforce SAML Proxy application. The Netskope Settings window will appear.
    AD_4nXf-u2EwDkdjsMkzczE-tLyuASk5PXMzqb1IavmzMPFIuWUk5TYr1dAVBkpYXL1-7qsn9FWvrk2--u2qHixsrbMQNb_4Id14JL3d-3m6XnkMEeOCHNXXZq2ZoNHZrLhKGZ0zckaq9q1FxpK1M9PZe3YDZ5_y?key=N0jt-idpEXXEOTVW-FL6mw

    AD_4nXdI4Akyb6DWWTry4h_h061qKkcd1E_K62FZzAOzkyRhzAj_EQM59tG2LECntY62htn37tBKMvQRCNv9v_D96Nn3f2URLBlB3BKtmBU9_Z3hvpzFzbAY5jN0answmVCmQDDdvH3wGUMOPaKkIA2aJT5-699v?key=N0jt-idpEXXEOTVW-FL6mw
  9. Copy the SAML Proxy ACS URL.

 

Postman ACS URL Override

This step will use the SAML Proxy ACS URL copied earlier to redirect to Netskope.

  1. Login to Okta as an administrator and navigate to Security, API, and Tokens page.
  2. Click on the Create token button. The Create token window will appear.
  3. Enter a name for the token and click Create Token. The Create token window will be refreshed to display a token.
  4. Copy the token and store it in a safe location. Once you navigate from this window, the token cannot be displayed again.
    AD_4nXcdLyNWphC5tiw_n_hRBavQFAiAq1EyvgYbdUBoGtH2XjY6J6r6vi3dCkhxTZ35WTiccBscRdZj0aGpMBimB1WJ9VGIKodd8wWPFTnhu7FOIPLrAoSwcg4uqvcYlGQbhw6II-KiAR7QHcnpQOWDrM5Y7caX?key=N0jt-idpEXXEOTVW-FL6mw
  5. Open Postman and create a new GET request using the subdomain appending .okta.com/api/v1/apps followed by the app id seen when in Okta application settings.

    In my case, I am using an Oktapreview domain but the domain used for API connections is okta.com
    AD_4nXfBep8b3P9ASSgXvy6ELPG5yLG2wX-yAiBsNlNc7a6uoZxvLF8Jtl6Livz-xkGS1e_1ujPIWkiYUzlwvNAunAGx5tglVk2Hof5l0FlHT6zjfZzrfmp1QoEPQFjJL5YvrYQD22bcIEkjsQI7rWIYP_R0QaI?key=N0jt-idpEXXEOTVW-FL6mw
     
  6. Click Send. The Postman window will be refreshed to display body contents.
  7. In the body, navigate to the sign-on section and locate the ssoAcsUrlOverride setting, set to null. This is the setting to be overrode using a POST.
    AD_4nXfKZMQUK2lSlNJOn2qwKg9ZxhStDw2qwDsVvhHSDqT-p_1MP9dpJIyzGAtTxowRAD9jEgtEt-jvB65al3NcbIi7vD2beUf5XqWXjWaE5pkZj13kwWCFNd_hh3qQFdwNaPDl82PFKQID-hEASH_kA8KUK_BV?key=N0jt-idpEXXEOTVW-FL6mw
     
  8. Duplicate the tab with the GET request and change it to a PUT.
  9. Copy the body from the GET request and paste it into the body of the PUT request in raw format, using the radio button to select raw.
  10. Locate the ssoAcsUrlOverride setting and replace null with the SAML Proxy ACS URL encapsulated in double quotes.
  11. The ssoAcsUrlOverride setting should be overwritten and should be confirmed by using a GET request tab.

 

SFDC Application Access Testing

  1. When you access SFDC through Okta with the Netskope Client enabled, check SkopeIT Application Events. There will be logs displaying access with a Real-Time steering method of “Client”.
    AD_4nXf5wqyQOziFtIe_-75pvF1xjE4fjduYKA2r9Rrc3d3Wl37ApapbHWe3_3UCg6GNkhONLu41HkHmzFuXLx6dA9vsqY2cB1FS4lCg4EurXsBwvYtnMgZQ1-z_-4oCqe__3yHiAnypS3_MSRfGJwJA4KgGcBn1?key=N0jt-idpEXXEOTVW-FL6mw
     
  2. When you access SFDC through Okta with the Netskope Client disabled, the URL will be rewritten similar to the following.  https://netskope50-dev-ed---develop---lightning.force.com.rproxy.goskope.com/lightning/page/home

    In addition, there will be logs displaying access with a Real-Time steering method of “Reverse Proxy”.
    AD_4nXdaEbSQW_-afqUM9G1cmVoDlWfFCHZ7yNEor2mTZ4fyKhL4rwoJrhbk9MbEEA5akiYg2HSfj3exPhevxXPYNGpFPfmCLEOis1SzT4pkwbdSy4UK4mn30tuhnqZLG5fiwlpOpPiELcPZAmS-nZpT2qSPSsA?key=N0jt-idpEXXEOTVW-FL6mw


    AD_4nXcfW_caGUOY3NoC-lpWtS251NvFWflIAf77wjL6Qg-IQ4aKFeGNmW8JRf8xMG8KgWN5ThcOO97zDEyHhYC6d-KHSQUOpRDr5iWyXSYaS3eBs-YGjCFKqSv__CXJoSEvQLOFqY5XWbT4FUSqlH2_ewWaVqR1?key=N0jt-idpEXXEOTVW-FL6mw

 

Use Case

RProxy shines when controlling access to SFDC on unmanaged devices, devices that do not have a Netskope Client enabled. A device that is unmanaged might be a personal machine that persons use to access SFDC while at home or a new machine deployed to an end user that does not have the client yet installed.

 

In this example, a remote user has been found to be accessing SFDC over RProxy and created a contact.


 

AD_4nXddvAeKiqXRpnEdQUzZsL-kt5hFE9jKxylcm-TU4EVSRCPNJxYoaAq9o6DrRvKFL6yv13ZhNnUv8cWPa2fVX8hkZyjAG3EN-8Jxy3cyVnGclUHj1UhdBuswDrvtPavz_IB8ldRc8mh5_kBxFmBI8SNZCElu?key=N0jt-idpEXXEOTVW-FL6mw


 

We want to stop any type of activity that might allow for alteration of contacts, send data, share, and so forth.  We are going to give the end user the ability to passively use SFDC. In order to do so, we need to create a RTP that blocks those activities and notifies that end user that the activity has been blocked by choice.

 

  1. Navigate to Policies, Real-time Protection. Click on the New Policy drop-down menu and select Cloud App Access. The Real-time Protection Policy page will be displayed.
    AD_4nXeE98J2stLoqyXaZJ9ifPlleg_PWC6ECro7mY-gXk625WLpwYgYS9IC7oi8hfu_WQxjevfGn9UFDxu2XVTpikrygmvm0GzOmDSBDOJhYfPhN2CwZ_mulPWEL7eDhs6NenRTNAUDP9A6OnGGWOU39LW3txX8?key=N0jt-idpEXXEOTVW-FL6mw
     
  2. Click on the drop-down menu for Add Criteria underneath Source, select Access Method. Then select Reverse Proxy from the drop-down menu in the Source field.
  3. In the application field, navigate to Salesforce.com and check the box next to it.
  4. In the Activities field, select all of the activities except Login Attempt, Login Failed, Login Successful, Logout, and View.
  5. In the Action drop-down menu, select Block. In the template drop-down menu, select a template to notify users.
  6. In the Policy Name field, give the policy a name which is relevant to the actions performed. 
    AD_4nXc7wzXpcz74YFFTiffmGP_bknbMEOQ86oNae_wFFcYomEb53TOzKGxFoiEyNjnaEv-k3TrxoZyggGtSnio-PCUhd2hvh3fWk0skOMRt6bWQXwbuEkUi_qj1myUzKxWcufe1DyBP7ORCuQK_MiO46NSeiIma?key=N0jt-idpEXXEOTVW-FL6mw
     
  7. Save the policy and apply the changes on the next page.
  8. Test creating a few objects such as users or contacts. Review SkopeIT Application Events and Alerts for the blocks.
    AD_4nXeRpw1wRCoLwdBDMLXQ8dcXGhsGGQoNgxzYS-axt6iHSoEilhdsAt7d5WrKCIsAG2g_shDlrcaUxB15VzSU-BeDW1EuioRQ-lG7kjaiqeAg3qo0OasQQymxZiCnNVNVRVgEbENv7VUHMsl-IVqaaCfo-lA?key=N0jt-idpEXXEOTVW-FL6mw
     

Summary

Netskope’s RProxy should be deployed as the last access method for real time steering to the Netskope tenant for protections. The exception is when RProxy is deployed as a service in Google Workspace or Microsoft Azure. The ability to allow for unmanaged devices access to SaaS applications is unmatched when it comes to security. This is one of many reasons as to why Netskope is “A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE)”!

Be sure to download the Gartner® Magic Quadrant™ for Security Service Edge (SSE) here!

Stevan Pierce, CEH CISSP

0 replies

Be the first to reply!

Reply


Terms & ConditionsCookie settings