Tutorial: Azure Active Directory integration with Symantec Web Security Service (WSS)

In this tutorial, you will learn how to integrate your Symantec Web Security Service (WSS) account with your Azure Active Directory (Azure AD) account so that WSS can authenticate an end user provisioned in the Azure AD using SAML authentication and enforce user or group level policy rules.

Integrating Symantec Web Security Service (WSS) with Azure AD provides you with the following benefits:

  • Manage all of the end users and groups used by your WSS account from your Azure AD portal.

  • Allow the end users to authenticate themselves in WSS using their Azure AD credentials.

  • Enable the enforcement of user and group level policy rules defined in your WSS account.

If you want to know more details about SaaS app integration with Azure AD, see What is application access and single sign-on with Azure Active Directory. If you don't have an Azure subscription, create a free account before you begin.

Prerequisites

To configure Azure AD integration with Symantec Web Security Service (WSS), you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial here
  • Symantec Web Security Service (WSS) single sign-on enabled subscription

Scenario description

In this tutorial, you configure and test Azure AD single sign-on in a test environment.

  • Symantec Web Security Service (WSS) supports IDP initiated SSO

To configure the integration of Symantec Web Security Service (WSS) into Azure AD, you need to add Symantec Web Security Service (WSS) from the gallery to your list of managed SaaS apps.

To add Symantec Web Security Service (WSS) from the gallery, perform the following steps:

  1. In the Azure portal, on the left navigation panel, click Azure Active Directory icon.

    The Azure Active Directory button

  2. Navigate to Enterprise Applications and then select the All Applications option.

    The Enterprise applications blade

  3. To add new application, click New application button on the top of dialog.

    The New application button

  4. In the search box, type Symantec Web Security Service (WSS), select Symantec Web Security Service (WSS) from result panel then click Add button to add the application.

    Symantec Web Security Service (WSS) in the results list

Configure and test Azure AD single sign-on

In this section, you configure and test Azure AD single sign-on with Symantec Web Security Service (WSS) based on a test user called Britta Simon. For single sign-on to work, a link relationship between an Azure AD user and the related user in Symantec Web Security Service (WSS) needs to be established.

To configure and test Azure AD single sign-on with Symantec Web Security Service (WSS), you need to complete the following building blocks:

  1. Configure Azure AD Single Sign-On - to enable your users to use this feature.
  2. Configure Symantec Web Security Service (WSS) Single Sign-On - to configure the Single Sign-On settings on application side.
  3. Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
  4. Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
  5. Create Symantec Web Security Service (WSS) test user - to have a counterpart of Britta Simon in Symantec Web Security Service (WSS) that is linked to the Azure AD representation of user.
  6. Test single sign-on - to verify whether the configuration works.

Configure Azure AD single sign-on

In this section, you enable Azure AD single sign-on in the Azure portal.

To configure Azure AD single sign-on with Symantec Web Security Service (WSS), perform the following steps:

  1. In the Azure portal, on the Symantec Web Security Service (WSS) application integration page, select Single sign-on.

    Configure single sign-on link

  2. On the Select a Single sign-on method dialog, select SAML/WS-Fed mode to enable single sign-on.

    Single sign-on select mode

  3. On the Set up Single Sign-On with SAML page, click Edit icon to open Basic SAML Configuration dialog.

    Edit Basic SAML Configuration

  4. On the Basic SAML Configuration dialog, perform the following steps:

    Symantec Web Security Service (WSS) Domain and URLs single sign-on information

    a. In the Identifier text box, type a URL: https://saml.threatpulse.net:8443/saml/saml_realm

    b. In the Reply URL text box, type a URL: https://saml.threatpulse.net:8443/saml/saml_realm/bcsamlpost

    Note

    Contact Symantec Web Security Service (WSS) Client support team f the values for the Identifier and Reply URL are not working for some reason.. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

  5. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML from the given options as per your requirement and save it on your computer.

    The Certificate download link

Configure Symantec Web Security Service (WSS) Single Sign-On

To configure single sign-on on the Symantec Web Security Service (WSS) side, refer to the WSS online documentation. The downloaded Federation Metadata XML will need to be imported into the WSS portal. Contact the Symantec Web Security Service (WSS) support team if you need assistance with the configuration on the WSS portal.

Create an Azure AD test user

The objective of this section is to create a test user in the Azure portal called Britta Simon.

  1. In the Azure portal, in the left pane, select Azure Active Directory, select Users, and then select All users.

    The "Users and groups" and "All users" links

  2. Select New user at the top of the screen.

    New user Button

  3. In the User properties, perform the following steps.

    The User dialog box

    a. In the Name field enter BrittaSimon.

    b. In the User name field type brittasimon@yourcompanydomain.extension
    For example, BrittaSimon@contoso.com

    c. Select Show password check box, and then write down the value that's displayed in the Password box.

    d. Click Create.

Assign the Azure AD test user

In this section, you enable Britta Simon to use Azure single sign-on by granting access to Symantec Web Security Service (WSS).

  1. In the Azure portal, select Enterprise Applications, select All applications, then select Symantec Web Security Service (WSS).

    Enterprise applications blade

  2. In the applications list, type and select Symantec Web Security Service (WSS).

    The Symantec Web Security Service (WSS) link in the Applications list

  3. In the menu on the left, select Users and groups.

    The "Users and groups" link

  4. Click the Add user button, then select Users and groups in the Add Assignment dialog.

    The Add Assignment pane

  5. In the Users and groups dialog select Britta Simon in the Users list, then click the Select button at the bottom of the screen.

  6. If you are expecting any role value in the SAML assertion then in the Select Role dialog select the appropriate role for the user from the list, then click the Select button at the bottom of the screen.

  7. In the Add Assignment dialog click the Assign button.

Create Symantec Web Security Service (WSS) test user

In this section, you create a user called Britta Simon in Symantec Web Security Service (WSS). The corresponding end username can be manually created in the WSS portal or you can wait for the users/groups provisioned in the Azure AD to be synchronized to the WSS portal after a few minutes (~15 minutes). Users must be created and activated before you use single sign-on. The public IP address of the end user machine, which will be used to browse websites also need to be provisioned in the Symantec Web Security Service (WSS) portal.

Note

Please click here to get your machine's public IPaddress.

Test single sign-on

In this section, you'll test the single sign-on functionality now that you've configured your WSS account to use your Azure AD for SAML authentication.

After you have configured your web browser to proxy traffic to WSS, when you open your web browser and try to browse to a site then you'll be redirected to the Azure sign-on page. Enter the credentials of the test end user that has been provisioned in the Azure AD (that is, BrittaSimon) and associated password. Once authenticated, you'll be able to browse to the website that you chose. Should you create a policy rule on the WSS side to block BrittaSimon from browsing to a particular site then you should see the WSS block page when you attempt to browse to that site as user BrittaSimon.

Additional Resources