This section covers configuring Azure Active Directory (AD) as an Identity Provider (IdP) for VMware Cloud Web Security. Doing so allows Cloud Web Security policies to be configured to match on a username or groups as well as log the user access in the Web and DLP logs. We first cover the Azure AD configuration, and then the VMware SASE Orchestrator configuration.

Prerequisites

A user needs the following to configure an Azure Active Directory as an identity provider with VMware Cloud Web Security:
  1. An Azure account
  2. An Azure Active Directory (AD) tenant
    Tip: Microsoft documents the process for creating an Azure AD tenant.
  3. A customer enterprise on a production VMware SASE Orchestrator with Cloud Web Security Enabled. The Orchestrator must use Release 4.5.0 or later.

Azure Configuration

  1. Log into the Azure portal https://portal.azure.com/ using either your Enterprise credentials or a local user to your Azure AD tenant.
  2. Access the Azure Active Directory service by searching for active directory in the top search bar.
  3. Click on Enterprise Applications in the left-hand side panel.
  4. Click on New application at the top of the Enterprise Applications panel.
  5. Click on Create Your Own Application at the top of the New Application panel.
  6. Enter a name (for example, Cloud Web Security, or CWS) and ensure that the Non-gallery radio option is selected.
  7. Click Create at the bottom of the Create Your Own Application form.
  8. Click on the Single sign-on panel using the left-side panel of your Cloud Web Security (CWS) enterprise application page.
  9. Click SAML (Security Assertion Markup Language) as your single sign-on method of choice.
  10. Fill in section (1) using the upper-right edit pencil icon. Once all the fields are filled in, click Save at the top of the pop-over pane.
    Identifier (Entity ID)
      Value: https://safe-cws-sase.vmware.com/safeview-auth-server/saml/metadata
      Azure AD allows multiple values. Set it to this value and select the Default checkbox for it. This is the Entity ID that Cloud Web Security presents as the Issuer in its SAML AuthnRequest message, and the value the assertion's Audience must match.
    Reply URL (ACS URL)
      Value: https://safe-cws-sase.vmware.com/safeview-auth-server/saml
      This is the URL (the Assertion Consumer Service) that Azure AD redirects the browser to with the SAML assertion payload. This is how Cloud Web Security learns that the user authenticated successfully.
    Sign-on URL
      Value: https://safe-cws-sase.vmware.com/safeview-auth-server/saml
      This is used for IdP-initiated sign-in (Azure AD starting authentication into Cloud Web Security, rather than Cloud Web Security redirecting to Azure AD). This is not typically used.
  11. Copy the following items from sections (3) and (4) into a text editor (for example, Windows Notepad or Mac TextEdit).
    Section (3) - Certificate (Base64)
      This is the public certificate of the key pair Azure AD uses to sign SAML assertions. It lets Cloud Web Security verify that an assertion was really issued by this Azure AD integration. Download the file and keep its contents handy; it starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. The certificate has an expiry date: if it is rotated or renewed in Azure AD, the new certificate must be uploaded to the Orchestrator as well, or assertions will fail validation.
    Section (4) - Azure AD Identifier
      This is the SAML entityID of the Azure AD IdP. It appears as the Issuer in the SAML Response posted to the Reply URL (see step 10) and tells Cloud Web Security that the assertion came from this Azure AD integration.
    Section (4) - Login URL
      This is the Azure AD login URL that Cloud Web Security redirects the user to so they can sign in to Azure AD (if they are not already signed in).
  12. Click on the pencil icon in the upper-right corner of User Attributes & Claims.
  13. Add a Group Claim using the following settings:
  14. The Azure AD SAML configuration is now complete.
  15. Click into the Users and Groups section of the Cloud Web Security Enterprise applications page.
  16. Select users and/or groups that should be allowed access into the Cloud Web Security application. Then click Assign.
    Important:
    • If this step is not done, users will be shown an error that the application is not approved for them when they attempt to authenticate in the Cloud Web Security workflow.
    • Assigning groups is only an option with Azure AD Premium P1 or P2 licensing. The free tier only allows assigning individual users to the application.

VMware SASE Orchestrator Configuration

  1. Log onto the Orchestrator UI and then open the New Orchestrator UI.
  2. Go to Cloud Web Security > Configure Authentication. Toggle Single Sign On to Enabled.
  3. Configure the following:
    • For SAML Server Internet Accessible select Yes
    • For SAML Provider select Azure Active Directory
    • For SAML 2.0 Endpoint, copy the Login URL from your notepad application as per step 11 of the Azure AD configuration.
    • For Service Identifier (Issuer), copy the Azure AD Identifier from your notepad application as per step 11 of the Azure AD configuration.
    • Enable SAML Verbose Debugging if desired.
      • This turns on debugging messages for a period of 2 hours, after which the debugging is disabled automatically.
      • The SAML debug messages can be viewed in the Chrome Developer console.
    • For X.509 Certificate, click Add Certificate, paste the certificate copied in step 11 of the Azure AD configuration (the full text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----), and then click Save.
    • Finally, click Save Changes to complete the configuration changes on the Configure Authentication screen.
  4. Add an SSL Bypass rule for the Azure AD sign-in domain.
    • Under Cloud Web Security, go to Configure and select the policy to edit (for example, "SecurityPolicy1").
    • Click on Policy > Edit
    • On the SSL Inspection tab
      • Click Add Rule
      • For Skip SSL Inspection based on: select Destination.
      • For Destination Type, select Destination Host/Domain
      • Then specify the domain login.microsoftonline.com.
      • On the Name and Tags screen, name the new rule and add a reason, if desired. Click Finish, and then Publish the applicable Security Policy to apply this new rule.
    Important: The domain login.microsoftonline.com is part of the Microsoft 365 group of domains as found in the document: Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended. If you have already configured an SSL Bypass rule which includes the full Microsoft 365 domain group, you can skip this step. If you attempt to configure the above rule while also having the full Microsoft 365 domain group included in an existing SSL Bypass rule, the new rule will throw an error as a unique domain may not be duplicated in multiple SSL bypass rules.

    For more information on domains that should have SSL Bypass rules configured, consult Domains and CIDRs Where an SSL Inspection Bypass Rule Is Recommended.
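
The following Python script is an added example and is not part of this VMware documentation or of the Cloud Web Security product. It takes a SAMLResponse captured from the browser (from the SAML verbose debugging output in the Chrome developer console, or the SAMLResponse form field of the POST to the Reply URL), decodes it, and checks it against the values from the Azure AD step 10 table and the Orchestrator Configure Authentication fields in step 3 above, reporting which field does not agree. It also lists the groups carried by the Group Claim from step 13, since group-based policy can only match if that claim is present. The tenant ID in the Azure AD Identifier and the certificate are placeholders, the sample response is constructed rather than captured, and the script does not verify the XML signature itself (Cloud Web Security does that with the X.509 certificate).

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Service-provider values from the Azure AD step 10 table (values from the page).
CWS_ENTITY_ID = "https://safe-cws-sase.vmware.com/safeview-auth-server/saml/metadata"
CWS_ACS_URL = "https://safe-cws-sase.vmware.com/safeview-auth-server/saml"

# Assumed stand-ins for what you copied in step 11: the tenant ID is a placeholder
# and the certificate is a constructed dummy (base64 of a text string), not a real cert.
IDP_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
IDP_CERT = ("-----BEGIN CERTIFICATE-----\n"
            "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
            "-----END CERTIFICATE-----\n")


def pem_body(cert):
    """Strip PEM armour and whitespace so two certificates compare byte-for-byte
    (the X509Certificate element in a response carries the same base64 body)."""
    lines = (line.strip() for line in cert.splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))


def check_response(saml_response_b64, idp_issuer, idp_cert_pem):
    """Compare a SAMLResponse (the base64 form value) with the configured values.

    Returns a list of mismatches, each naming the field to fix; an empty list means
    the response agrees with the configuration. The XML signature is NOT verified
    here, only that the signing certificate is the one configured.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []

    def expect(label, actual, expected, field):
        if actual != expected:
            problems.append(f"{label}: got {actual!r}, expected {expected!r} (check {field})")

    code = root.find("samlp:Status/samlp:StatusCode", NS)
    expect("StatusCode", None if code is None else code.get("Value"), SUCCESS,
           "Users and groups assignment in Azure AD (step 16)")
    expect("Response Destination", root.get("Destination"), CWS_ACS_URL, "Reply URL (ACS URL)")
    expect("Response Issuer", root.findtext("saml:Issuer", namespaces=NS), idp_issuer,
           "Service Identifier (Issuer)")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted assertions are not handled here)")
        return problems
    expect("Assertion Issuer", assertion.findtext("saml:Issuer", namespaces=NS), idp_issuer,
           "Service Identifier (Issuer)")
    expect("Audience",
           assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                              namespaces=NS),
           CWS_ENTITY_ID, "Identifier (Entity ID)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    expect("Recipient", None if scd is None else scd.get("Recipient"), CWS_ACS_URL,
           "Reply URL (ACS URL)")
    expect("Signing certificate",
           pem_body(root.findtext(".//ds:X509Certificate", default="", namespaces=NS)),
           pem_body(idp_cert_pem), "X.509 Certificate")
    return problems


def groups_in(saml_response_b64):
    """Group values carried by the Azure AD groups claim; empty if the Group Claim
    from step 13 was not added, in which case group-based policy cannot match."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return [v.text for a in root.iterfind(".//saml:Attribute", NS)
            if a.get("Name") == GROUPS_CLAIM
            for v in a.iterfind("saml:AttributeValue", NS)]


def constructed_response(issuer=IDP_ISSUER, audience=CWS_ENTITY_ID, recipient=CWS_ACS_URL,
                         cert=IDP_CERT, groups=("11111111-1111-1111-1111-111111111111",)):
    """Build a constructed, unsigned SAMLResponse in the shape Azure AD emits.
    Sample input only; a real response comes from the browser."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{recipient}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{pem_body(cert)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()
```

To use it on a real capture, pass the SAMLResponse value from the browser as the first argument of check_response together with the Azure AD Identifier and certificate you entered in the Orchestrator; each reported mismatch names the Azure AD or Orchestrator field to correct. A StatusCode other than Success with the assignment error from step 16 means the user or group was never assigned to the application, not that the SAML values are wrong.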

Troubleshooting

This section covers potential issues with your Azure AD IdP for Cloud Web Security configuration.

Problem Proposed Solution
Users are getting the following error message when authenticating: