2. Zero Trust Access (ZTA) - Add Providers (SSO)
General
Providers are third parties, such as Google or Microsoft, that offer authentication and authorization services. Most organization email accounts already belong to one of these providers, so those existing logins can be reused for any application you want to protect with ZTA. By adding a provider you already have login credentials with, you can sign in with the click of a button; this is called Single Sign-On (SSO). Any providers you have already added are listed under the Providers menu in the Zero Trust Access section of your organization.
Step 1: Create Provider
A provider uses federated identity: a third-party identity provider manages the user identities and the authentication flow. The identity providers available by default are Azure Active Directory (AAD) and Google.
- On the dashboard, navigate to Setting > Provider.
- Click Add Provider.
- Fill information.
- Type: Authentication support service (Google, Azure)
- Name: Name of the provider
- Client ID: The application (client) ID of the specific application you registered in Azure Active Directory or Google
- Client Secret: The client secret generated for that app registration; it enables authentication to Azure Active Directory on behalf of the application
- Discovery URL: The provider's OpenID Connect discovery document URL, following the pattern https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
For example:
- Click Add.
Step 2: Create group
Groups let you manage access rules across all accounts within an organization.
- Navigate to Setting > Group.
- Click Add Group.
- Fill information.
- Name: Name of the group
- Include: The email addresses or email domains whose accounts belong to the group
Step 3: Create Endpoint
- Navigate to Setting > Endpoint.
- Click Add Endpoint.
- Input Name, URL, Session Duration, Groups, Providers.
- Name: Name of the endpoint
- URL: The URL of the endpoint to protect
- Session Duration: The time frame for which an authenticated session to the endpoint remains valid
- Groups: The groups whose rules define which accounts are allowed to access the endpoint
- Providers: Authentication support service (Google, Azure) that users may sign in with
- Click Add.
- Open the endpoint URL to test the sign-in.
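The following is an added example, not code from this product, that models how the three objects configured above fit together when a request reaches an endpoint: the token must come from a provider enabled on that endpoint and be issued to the configured Client ID, the account must fall under a group's email or email-domain rule, and the session must still be within Session Duration. The class names, the `can_access` function, the discovery document and the client ID are all constructed placeholders.

```python
import json
from dataclasses import dataclass

# Constructed stand-in for the JSON the Discovery URL returns; "<tenant-id>" is a placeholder.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize",
})

@dataclass
class Provider:          # Step 1 fields (Client Secret omitted: it is only used when fetching tokens)
    name: str
    client_id: str
    discovery_doc: str   # body fetched from the Discovery URL (the fetch itself is not shown)

    def issuer(self) -> str:
        return json.loads(self.discovery_doc)["issuer"]

@dataclass
class Group:             # Step 2 fields: Include lists exact emails or "@domain" entries
    name: str
    include: list

    def contains(self, email: str) -> bool:
        email = email.lower()
        return any(email == e.lower() or (e.startswith("@") and email.endswith(e.lower()))
                   for e in self.include)

@dataclass
class Endpoint:          # Step 3 fields; times are epoch seconds for simplicity
    name: str
    url: str
    session_duration: int
    groups: list
    providers: list

def can_access(ep, prov, claims, started, now) -> bool:
    """Hypothetical access decision: every check must pass, or the user is sent back to sign in."""
    if prov.name not in {p.name for p in ep.providers}:   # provider not enabled on this endpoint
        return False
    if claims.get("iss") != prov.issuer() or claims.get("aud") != prov.client_id:
        return False                                       # token not issued to this app registration
    if not any(g.contains(claims.get("email", "")) for g in ep.groups):
        return False                                       # no group rule includes this account
    return now - started <= ep.session_duration            # past Session Duration -> re-authenticate

AAD = Provider("Azure", "00000000-0000-0000-0000-000000000000", DISCOVERY_DOC)  # placeholder Client ID
STAFF = Group("staff", ["@example.com"])
INTRANET = Endpoint("intranet", "https://intranet.example.com", 8 * 3600, [STAFF], [AAD])
```

The domain rule requires the literal "@domain" suffix, so an account at a look-alike domain such as notexample.com is not included.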