Restricted SaaS access
Large organizations may want to restrict SaaS access to resources like Microsoft Office 365, Google Workspace, and Dropbox by tenant to block non-company login attempts and secure the users from accessing non-approved cloud resources. Many cloud vendors enable this by applying tenant restrictions for access control. For example, users accessing Microsoft 365 applications with tenant restrictions through the corporate proxy will only be allowed to log in as the company’s tenant and access the organization’s applications.
To implement this, access requests from the clients pass through the company’s web proxy, which inserts headers to notify the SaaS service to apply tenant restrictions with the permitted tenant list. Users are redirected the SaaS service login page, and are only allowed to log in if they belong to the permitted tenant list.
For more information, refer to the vendor-specific documentation:
- Office 365: Restrict access to a tenant
- Google Workspace: Block access to consumer accounts
- Dropbox: Network control
Basic configuration
A web proxy profile can specify access permissions for Microsoft Office 365, Google Workspace, and Dropbox by inserting vendor-defined headers that restrict access to the specific accounts. Custom headers can also be inserted for any destination. The web proxy profile can then be applied to a firewall policy to control the header's insertion.
To implement Office 365 tenant restriction, Google Workspace account access control, and Dropbox network access control:
-
Configure a web proxy profile according to the vendors' specifications:
-
Set the header name (defined by the service provider).
-
Set the traffic destination (the service provider).
-
Set the HTTP header content to be inserted into the traffic (defined by your settings).
config web-proxy profile edit <name> config headers edit <id> set name <string> set dstaddr <address> set action add-to-request set base64-encoding disable set add-option new set protocol https http set content <string> next end next end -
-
Apply the web proxy profile to a policy. SSL deep inspection must be used in the firewall policy:
The following table lists the vendor-specific config headers settings that must be configured in the web proxy profile (config web-proxy profile):
|
Setting |
Vendor specification |
||
|---|---|---|---|
|
Microsoft Office 365 |
Google Workspace |
Dropbox |
|
|
name <string> |
|
|
|
|
dstaddr <address> |
|
|
|
|
content <string> |
|
|
|
Due to vendors' changing requirements, these settings may no longer comply with the vendors' official guidelines. See the vendor documentation for more details.
Microsoft Office 365 example
In this example, a web proxy profile is created to control permissions for Microsoft Office 365 to allow corporate domains and deny personal accounts, such as Hotmail and Outlook that are accessed through login.live.com.
- When a user attempts to access login.microsoftonline.com, login.microsoft.com, or login.windows.net, the traffic will match a proxy inspection mode firewall policy with the assigned web proxy profile.
- The web proxy profile adds new headers to the customer tenant, indicating the allowed domain and restricted access for personal accounts. Next, the FortiGate starts a new connection with the Microsoft Office 365 domain controller including the new headers.
- The Microsoft Office 365 domain controller assesses this data and will allow or deny this access, then sends a reply to the FortiGate.
- The FortiGate sends a reply to the client.
The FortiGate will only indicate the correct domains to be allowed or denied through the headers to Microsoft. The custom sign-in portal in the browser is generated by Microsoft.
Configuration summary
The following must be configured in FortiOS:
- An FQDN address for login.live.com
- An SSL inspection profile that uses deep inspection with an exemption for login.live.com
Ensure that the firewall certificate is installed on the client machines. A company certificate signed by an internal CA is recommended.
- A web filter profile in proxy mode with static URL filters for the SNI URLs
- A web proxy profile that adds new headers to the customer tenant
- A firewall policy using proxy mode inspection that applies the configured SSL SSL inspection, web filter, and web proxy profiles
The Restrict-Access-To-Tenants and Restrict-Access-Context headers are inserted for incoming requests to: login.microsoftonline.com, login.microsoft.com, and login.windows.net, which are part of the Microsoft Office 365 address group.
To restrict access to personal accounts using the login.live.com domain, the sec-Restrict-Tenant-Access-Policy header is inserted and uses restrict-msa as the header content.
Before configuring the FortiGate, collect the information related to the company domain in the Office 365 contract.
Restrict-Access-To-Tenants: your <domain.com>Restrict-Access-Context: Directory ID
|
|
To find the Directory ID related to the domain, locate it in the Azure portal, or use the whatismytenantid.com open tool. |
To configure the FortiGate:
- Add the FQDN address for login.live.com:
config firewall address edit "login.live.com" set type fqdn set fqdn "login.live.com" next end - Configure the SSL inspection profile. In this example, the
deep-inspectionprofile is cloned, and thelive.comFQDN is removed from the exemption list.- Clone the
deep-inspectionprofile:config firewall ssl-ssh-profile clone "deep-inspection" to "Tenant" end - Edit the
Tenantprofile and removelive.comfrom theconfig ssl-exemptlist.
- Clone the
- Configure the URL filter list:
config webfilter urlfilter edit 1 set name "Auto-webfilter-urlfilter" config entries edit 1 set url "login.microsoftonline.com" set action allow next edit 2 set url "login.microsoft.com" set action allow next edit 3 set url "login.windows.net" set action allow next edit 4 set url "login.live.com" set action allow next end next end - Configure the web filter profile:
config webfilter profile edit "Tenant" set comment "Office 365" set feature-set proxy config web set urlfilter-table 1 end next end - Configure the web proxy profile (enter the header names exactly as shown):
config web-proxy profile edit "SaaS-Tenant-Restriction" set header-client-ip pass set header-via-request pass set header-via-response pass set header-x-forwarded-for pass set header-x-forwarded-client-cert pass set header-front-end-https pass set header-x-authenticated-user pass set header-x-authenticated-groups pass set strip-encoding disable set log-header-change disable config headers edit 1 set name "Restrict-Access-To-Tenants" set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net" set action add-to-request set base64-encoding disable set add-option new set protocol https http set content <domain> next edit 2 set name "Restrict-Access-Context" set dstaddr "login.microsoftonline.com" "login.microsoft.com" "login.windows.net" set action add-to-request set base64-encoding disable set add-option new set protocol https http set content <directory_ID> next edit 3 set name "sec-Restrict-Tenant-Access-Policy" set dstaddr "login.live.com" set action add-to-request set base64-encoding disable set add-option new set protocol https http set content "restrict-msa" next end next end - Configure the firewall policy:
config firewall policy edit 10 set name "Tenant" set srcintf "port2" set dstintf "port1" set action accept set srcaddr "users-lan" set dstaddr "login.microsoft.com" "login.microsoftonline.com" "login.windows.net" "login.live.com" set schedule "always" set service "HTTP" "HTTPS" set utm-status enable set inspection-mode proxy set webproxy-profile "SaaS-Tenant-Restriction" set ssl-ssh-profile "Tenant" set webfilter-profile "Tenant" set logtraffic all set nat enable next end
Testing the access
To test the access to corporate domains and personal accounts:
- Get a client to log in with their corporate email using the login.microsoftonline.com domain.
- The client is able to enter their credentials and log in successfully.
- Get a client to log in to their personal Outlook account.
- After the client enters their credentials, a message appears that they cannot access this resource because it is restricted by the cross-tenant access policy.
Verifying the header insertion
To verify the header insertion for corporate domains and personal accounts:
- On the FortiGate, start running the WAD debugs:
# diagnose wad debug enable category http # diagnose wad debug enable level info # diagnose debug enable
- After a client attempts to access corporate domains, verify that the header information is sent to the Microsoft Active Directory:
[I][p:234][s:2481][r:33] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0cd468 Forward request to server: POST /common/GetCredentialType?mkt=en-US HTTP/1.1 Host: login.microsoftonline.com Connection: keep-alive Content-Length: 1961 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" hpgrequestid: d7f706a8-1143-4cdd-ad52-1cc69dc7bb00 sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 client-request-id: 5c3d196d-5939-45cc-a45b-232b9ed13fce ... Restrict-Access-To-Tenants: fortinet-us.com Restrict-Access-Context: ********-****-452f-8535-************
- After a client attempts to access a personal account, verify that the header information is sent to the Microsoft Active Directory:
[I][p:234][s:2519][r:34] wad_dump_fwd_http_req :2567 hreq=0x7fc75f0ce6a8 Forward request to server: GET /oauth20_authorize.srf?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&scope=openid+profile+https%3a%2f%2fwww.office.com%2fv2%2fOfficeHome.All&redirect_uri=https%3a%2f%2fwww.office.com%2flandingv2&response_type=code+id_token&state=7tAtndYhcA3132S--UOTyLVEtyIZs8FgndTpeYM9mJ1EeA-X5nfqrSalnnPH41cHxfHGug6N5cbliK676v6xZgszgH_JARVKrptZwBvjI2cbnZ4mttYNNdK1FTlbEtu5VBjgtBOX2u6v3F_9g7UikCpGTnBRGhvO2pyTndT3EEIyAHvhg9LsKRtY3kxce8dQkfk1iDjLcc3q-01r4rpxSx2xZSbwg_KkAN3kCRQ9uLfE0ziHAcpvunuKmzGBWKnBhC4sJJkXrMEfXwCg4nsOjg&response_mode=form_post&nonce=637877163655610380.MjNjZmM4NzQtOTU5My00OGZlLTk0NTItZTE5NDU2YjVlODdjNjViOTQwYmUtOTZlMS00M2Y5LTkyN2MtN2QyMjgwNjcxY2Uz&x-client-SKU=ID_NETSTANDARD2_0&x-client-Ver=6.12.1.0&uaid=5c3d196d593945cca45b232b9ed13fce&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&epct=AQABAAAAAAD--DLA3VO7QrddgJg7WevrfA6SLaDsJUcjb1Bg9OKonF3d_lfNJsdDAIH5hlJdUSGejEBIqsko-A7JX67PzaGdEJgOIGa37VhJzGTYBZ-KgATe9FHssnNmLjM_dojr0dAT83xDhiqQTN2-UcYdcP2s3vPainF7Nqes5ecXRaEoE9Vw9-sN7jfASOkPRWW03aI6buz0niABvA860YOWDb98vdJWPGkWE-euDr6n8_zI5iAA&jshs=0&username=****************%40outlook.com&login_hint=***************%40outlook.com HTTP/1.1 Host: login.live.com Connection: keep-alive ... Referer: https://login.microsoftonline.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 sec-Restrict-Tenant-Access-Policy: restrict-msa