Onboard and deploy Conditional Access App Control for any web app using PingOne as the identity provider (IdP)

You can configure session controls in Microsoft Cloud App Security to work with any web app and any third-party IdP. This article describes how to route app sessions from PingOne to Cloud App Security for real-time session controls.

For this article, we'll use the Salesforce app as an example of a web app being configured to use Cloud App Security session controls.

Prerequisites

  • Your organization must have the following licenses to use Conditional Access App Control:

    • A relevant PingOne license (required for single sign-on)
    • Microsoft Cloud App Security
  • An existing PingOne single sign-on configuration for the app using the SAML 2.0 authentication protocol

To configure session controls for your app using PingOne as the IdP

Use the following steps to route your web app sessions from PingOne to Cloud App Security. For Azure AD configuration steps, see Configure integration with Azure AD.

Note

You can configure the app's SAML single sign-on information provided by PingOne using one of the following methods:

  • Option 1: Uploading the app's SAML metadata file.
  • Option 2: Manually providing the app's SAML data.

In the following steps, we'll use option 2.

Step 1: Get your app's SAML single sign-on settings

Step 2: Configure Cloud App Security with your app's SAML information

Step 3: Create a custom app in PingOne

Step 4: Configure Cloud App Security with the PingOne app's information

Step 5: Complete the custom app in PingOne

Step 6: Get the app changes in Cloud App Security

Step 7: Complete the app changes

Step 8: Complete the configuration in Cloud App Security

Step 1: Get your app's SAML single sign-on settings

  1. In Salesforce, browse to Setup > Settings > Identity > Single Sign-On Settings.

  2. Under Single Sign-On Settings, click on the name of your existing SAML 2.0 configuration.

    [Screenshot: Select Salesforce SSO settings]

  3. On the SAML Single Sign-On Setting page, make a note of the Salesforce Login URL. You'll need this later.

    Note

    If your app provides a SAML certificate, download the certificate file.

    [Screenshot: Select Salesforce SSO login URL]

Step 2: Configure Cloud App Security with your app's SAML information

  1. In Cloud App Security, browse to Investigate > Connected apps > Conditional Access App Control apps.

  2. Click the plus sign (+), and in the pop-up, select the app you want to deploy, and then click Start Wizard.

  3. On the APP INFORMATION page, select Fill in data manually, in the Assertion consumer service URL field enter the Salesforce Login URL you noted earlier, and then click Next.

    Note

    If your app provides a SAML certificate, select Use <app_name> SAML certificate and upload the certificate file.

    [Screenshot: Manually fill in Salesforce SAML information]

Step 3: Create a custom app in PingOne

Before you proceed, use the following steps to get information from your existing Salesforce app.

  1. In PingOne, edit your existing Salesforce app.

  2. On the SSO Attribute Mapping page, make a note of the SAML_SUBJECT attribute and value, and then download the Signing Certificate and SAML Metadata files.

    [Screenshot: Note existing Salesforce app's attributes]

  3. Open the SAML metadata file and make a note of the PingOne SingleSignOnService Location. You'll need this later.

    [Screenshot: Note existing Salesforce app's SSO service location]

  4. On the Group Access page, make a note of the assigned groups.

    [Screenshot: Note existing Salesforce app's assigned groups]
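Step 3 asks you to open the downloaded SAML metadata and note the PingOne SingleSignOnService Location. The following script, added here as an example and not code from Microsoft or Ping Identity, pulls that value, the IdP entityID and the signing certificate out of a metadata file with only the Python standard library. The metadata document embedded in it is constructed for the example: the entityID, URLs and certificate text are placeholders, not values from any real tenant.

```python
"""Extract the values Step 3 asks you to note from PingOne SAML metadata.

Added example; uses only the standard library. SAMPLE_METADATA is a
constructed document whose shape follows the SAML 2.0 metadata schema;
all identifiers in it are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata (placeholder entityID, URLs and certificate).
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://pingone.example/idp/EXAMPLE-IDP-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC...EXAMPLE-CERT
            BASE64-LINE-2...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.pingone.example/idp/SSO.saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.pingone.example/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the entityID, SingleSignOnService Location per binding, and the
    base64 signing certificate(s) from an IdP metadata document.

    Metadata you downloaded from your own IdP is trusted input; if you ever
    parse metadata from an outside party, use defusedxml instead of ET.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # SP metadata has an SPSSODescriptor instead; that is the wrong file for Step 3.
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        # Keep only the last URN segment, e.g. "HTTP-Redirect" or "HTTP-POST".
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        sso[binding] = svc.get("Location")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            # Strip the line breaks and indentation that metadata files wrap certs in.
            certs.append("".join((cert.text or "").split()))

    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for binding, location in info["sso"].items():
        print(f"SingleSignOnService ({binding}): {location}")
    print("signing certificates:", len(info["signing_certs"]))
```

Point the script at your real file with `parse_idp_metadata(open("metadata.xml").read())`; the HTTP-POST or HTTP-Redirect Location is the value Step 3 refers to, and the certificate text is the same one you download as the Signing Certificate.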

Then use the instructions from the Add a SAML application with your identity provider page to configure a custom app in your IdP's portal.

[Screenshot: Add SAML app with your identity provider]

Note

Configuring a custom app enables you to test the existing app with access and session controls without changing the current behavior for your organization.

  1. Create a New SAML Application.

    [Screenshot: In PingOne, create new custom Salesforce app]

  2. On the Application Details page, fill out the form, and then click Continue to Next Step.

    Tip

    Use an app name that will help you to differentiate between the custom app and the existing Salesforce app.

    [Screenshot: Fill out the custom app details]

  3. On the Application Configuration page, do the following, and then click Continue to Next Step.

    • In the Single sign-on service URL field, enter the Salesforce Login URL you noted earlier.
    • In the Entity ID field, enter a unique ID starting with https://. Make sure this is different from the existing Salesforce PingOne app's configuration.
    • Make a note of the Entity ID. You'll need this later.

    [Screenshot: Configure custom app with Salesforce SAML details]

  4. On the SSO Attribute Mapping page, add the existing Salesforce app's SAML_SUBJECT attribute and value you noted earlier, and then click Continue to Next Step.

    [Screenshot: Add attributes to custom Salesforce app]

  5. On the Group Access page, add the existing Salesforce app's groups you noted earlier, and complete the configuration.

    [Screenshot: Assign groups to custom Salesforce app]

Step 4: Configure Cloud App Security with the PingOne app's information

  1. Back in the Cloud App Security IDENTITY PROVIDER page, click Next to proceed.

  2. On the next page, select Fill in data manually, do the following, and then click Next.

    • For the Assertion consumer service URL, enter the Salesforce Login URL you noted earlier.
    • Select Upload identity provider's SAML certificate and upload the certificate file you downloaded earlier.

    [Screenshot: Add SSO service URL and SAML certificate]

  3. On the next page, make a note of the following information, and then click Next. You'll need the information later.

    • Cloud App Security single sign-on URL
    • Cloud App Security attributes and values

    [Screenshot: In Cloud App Security, note SSO URL and attributes]

Step 5: Complete the custom app in PingOne

  1. In PingOne, locate and edit the custom Salesforce app.

    [Screenshot: Locate and edit custom Salesforce app]

  2. In the Assertion Consumer Service (ACS) field, replace the URL with the Cloud App Security single sign-on URL you noted earlier, and then click Next.

    [Screenshot: Replace ACS in custom Salesforce app]

  3. Add the Cloud App Security attributes and values you noted earlier to the app's properties.

    [Screenshot: Add Cloud App Security attributes to custom Salesforce app]

  4. Save your settings.

Step 6: Get the app changes in Cloud App Security

Back in the Cloud App Security APP CHANGES page, do the following, but don't click Finish. You'll need the information later.

  • Copy the Cloud App Security SAML Single sign-on URL
  • Download the Cloud App Security SAML certificate

[Screenshot: Note the Cloud App Security SAML SSO URL and download the certificate]

Step 7: Complete the app changes

In Salesforce, browse to Setup > Settings > Identity > Single Sign-On Settings, and do the following:

  1. Recommended: Create a backup of your current settings.

  2. Replace the Identity Provider Login URL field value with the Cloud App Security SAML single sign-on URL you noted earlier.

  3. Upload the Cloud App Security SAML certificate you downloaded earlier.

  4. Replace the Entity ID field value with the PingOne custom app Entity ID you noted earlier.

  5. Click Save.

    Note

    The Cloud App Security SAML certificate is valid for one year. After it expires, a new certificate will need to be generated.

    [Screenshot: Update custom Salesforce app with Cloud App Security SAML details]

Step 8: Complete the configuration in Cloud App Security

  • Back in the Cloud App Security APP CHANGES page, click Finish. After completing the wizard, all associated login requests to this app will be routed through Conditional Access App Control.
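Steps 2 through 7 copy the same handful of URLs and IDs between three portals, and a value pasted into the wrong field (most often the custom app's ACS left pointing at Salesforce, so sessions never reach the proxy) is the usual reason a login does not route through Conditional Access App Control. The checker below is an added example, not code from Microsoft, Ping Identity or Salesforce; it encodes the equalities those steps describe so you can verify your noted values before clicking Finish. Every URL and ID in it is a constructed placeholder.

```python
"""Cross-check the values exchanged between Salesforce, PingOne and Cloud App
Security in Steps 2 through 7 before you click Finish in Step 8.

Added example; not vendor code. Every URL and ID below is a constructed
placeholder: substitute the values you noted during the procedure.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class SalesforceSso:
    """Salesforce Single Sign-On Settings as they read after Step 7."""
    login_url: str       # Salesforce Login URL noted in Step 1
    idp_login_url: str   # Identity Provider Login URL field (Step 7, item 2)
    entity_id: str       # Entity ID field (Step 7, item 4)


@dataclass
class PingOneApp:
    """A PingOne SAML app: the existing one (Step 3) or the custom one (Steps 3 and 5)."""
    name: str
    entity_id: str
    sso_service_url: str  # Single sign-on service URL field (Step 3, item 3)
    acs_url: str          # Assertion Consumer Service field (Step 5, item 2)


@dataclass
class CloudAppSecurity:
    """Values entered in and issued by the Conditional Access App Control wizard."""
    acs_url: str  # Assertion consumer service URL entered in Steps 2 and 4
    sso_url: str  # Cloud App Security single sign-on URL noted in Steps 4 and 6


def check_routing(sf, custom, existing, cas) -> list:
    """Return the problems found; an empty list means the login path
    Salesforce -> Cloud App Security -> PingOne -> Cloud App Security -> Salesforce
    is wired the way Steps 2 to 7 describe."""
    problems = []

    def require_https(label, url):
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{label} must be an absolute https URL, got {url!r}")

    for label, url in (
        ("Salesforce Login URL", sf.login_url),
        ("Salesforce Identity Provider Login URL", sf.idp_login_url),
        ("custom app Single sign-on service URL", custom.sso_service_url),
        ("custom app ACS", custom.acs_url),
        ("Cloud App Security ACS URL", cas.acs_url),
        ("Cloud App Security single sign-on URL", cas.sso_url),
    ):
        require_https(label, url)

    # Steps 2 and 4: Cloud App Security forwards assertions to the Salesforce Login URL.
    if cas.acs_url != sf.login_url:
        problems.append("Cloud App Security ACS URL must equal the Salesforce Login URL (Step 2)")
    # Step 3: the custom app points at Salesforce and carries a new https:// Entity ID.
    if custom.sso_service_url != sf.login_url:
        problems.append("custom app Single sign-on service URL must equal the Salesforce Login URL (Step 3)")
    if not custom.entity_id.startswith("https://"):
        problems.append("custom app Entity ID must start with https:// (Step 3)")
    if custom.entity_id == existing.entity_id:
        problems.append(f"custom app Entity ID must differ from existing app {existing.name!r} (Step 3)")
    # Step 5: PingOne must post its assertions to Cloud App Security, not straight to Salesforce.
    if custom.acs_url != cas.sso_url:
        problems.append("custom app ACS must be the Cloud App Security single sign-on URL (Step 5)")
    if custom.acs_url == sf.login_url:
        problems.append("custom app ACS still points at Salesforce; sessions would bypass the proxy (Step 5)")
    # Step 7: Salesforce sends logins to Cloud App Security and carries the custom app's Entity ID.
    if sf.idp_login_url != cas.sso_url:
        problems.append("Salesforce Identity Provider Login URL must be the Cloud App Security SSO URL (Step 7)")
    if sf.entity_id != custom.entity_id:
        problems.append("Salesforce Entity ID must equal the custom app Entity ID (Step 7)")
    return problems


def sample_configs():
    """Constructed samples: one correct wiring, and one where Step 5 was skipped."""
    sf_login = "https://example.my.salesforce.example/?so=EXAMPLE-ORG-ID"   # placeholder
    cas_sso = "https://cas-proxy.example.net/saml/sso/EXAMPLE-APP-ID"       # placeholder
    existing = PingOneApp("Salesforce", "https://saml.example.com/existing", sf_login, sf_login)
    custom = PingOneApp("Salesforce via CAS", "https://saml.example.com/salesforce-cas", sf_login, cas_sso)
    sf = SalesforceSso(login_url=sf_login, idp_login_url=cas_sso, entity_id=custom.entity_id)
    cas = CloudAppSecurity(acs_url=sf_login, sso_url=cas_sso)
    skipped_step5 = PingOneApp(custom.name, custom.entity_id, custom.sso_service_url, sf_login)
    return (sf, custom, existing, cas), (sf, skipped_step5, existing, cas)


if __name__ == "__main__":
    good, broken = sample_configs()
    print("correct wiring:", check_routing(*good) or "no problems")
    print("Step 5 skipped:", check_routing(*broken))
```

Run it with your own values in place of the placeholders; each reported problem names the step whose field needs correcting, so you can fix it before the wizard finishes and starts routing logins.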
