Administration Guide

Customizing inline-CASB headers for restricted SaaS access

Large organizations may want to restrict SaaS access to resources like Microsoft Office 365, Google Workspace, and Slack by tenant, both to block non-company login attempts and to prevent users from accessing non-approved cloud resources. Many cloud vendors enable this by applying tenant restrictions for access control. For example, users accessing Microsoft 365 applications with tenant restrictions through the corporate proxy will only be allowed to log in as the company’s tenant and access the organization’s applications.

Typically, access requests from clients pass through a security device or service, in this case FortiSASE, which inserts headers to notify the SaaS service to apply tenant restrictions with the permitted tenant list. Users are redirected to the SaaS service login page and are only allowed to log in if they belong to the permitted tenant list.

To customize headers for Office 365 tenant restriction, Google Workspace account access control, and Slack-approved workspaces for the current network:
Note

Ensure that you have reviewed Prerequisites and have them in place before proceeding to customize headers to ensure proper functionality.

  1. Go to Configuration > Security and select the desired Profile Group.
  2. In the Web Filter With Inline-CASB widget, click Customize.
  3. In the Web Filter With Inline-CASB slide-in, click the Inline-CASB Headers tab, then click Create to create a new inline-CASB header.
  4. In the Inline-CASB Header slide-in, configure an inline-CASB header according to the vendors' specifications:
    1. Set the Header name. The service provider defines this.
    2. Set the Header content or HTTP header content to be inserted into the traffic. Your settings define this.
    3. Set the Action to one of the following:

       | Action when HTTP header is forwarded | Description |
       |---|---|
       | Add to request (default) | Add the HTTP header to the request. |
       | Add to response | Add the HTTP header to the response. |
       | Remove from request | Remove the HTTP header from the request. |
       | Remove from response | Remove the HTTP header from the response. |

    4. Set the Destination. This is an address object or address group containing domains that the service provider specifies.

  5. Click OK to save the configured inline-CASB header.
  6. Configure the applicable policy to use the security profile group with the Web Filter With Inline-CASB containing the newly configured Inline-CASB header:
    • For FortiClient agent-based remote users, go to Configuration > Policies and do one of the following:
      • Create a new policy and select the security profile group.
      • Edit an existing policy and select the security profile group.
    • For SWG agentless remote users, go to Configuration > SWG Policies and do one of the following:
      • Create a new SWG policy and select the security profile group.
      • Edit an existing SWG policy and select the security profile group.

For details on security profile groups and configuring them in policies, see Security profile groups.

The following tables list the vendor-specific headers that you must configure in the inline-CASB headers page:

Microsoft Office 365

| Header name | Header content | Example header content | Action | Destination |
|---|---|---|---|---|
| Restrict-Access-To-Tenants | Domains and tenant ID | azure.domain.com, domain.com, d0cf12c3-456c-7e89-0d1e-03e456de78f9 | Add to request | Use the built-in Microsoft Office 365 address group. |
| Restrict-Access-Context | Directory ID | d1cf23c4-567c-8e90-1d2e-03e456de78f9 | Add to request | Use the built-in Microsoft Office 365 address group. |
| sec-Restrict-Tenant-Access-Policy | restrict-msa | restrict-msa | Add to request | Create a new custom address object for login.live.com. |

The built-in Microsoft Office 365 address group includes:

  • login.microsoftonline.com
  • login.microsoft.com
  • login.windows.net
Note

For proper functioning of Microsoft Office 365 tenant restrictions, you must include the tenant ID in addition to the domains in a comma-separated list configured for Restrict-Access-To-Tenants.

Google Workspace

| Header name | Header content | Example header content | Action | Destination |
|---|---|---|---|---|
| X-GoogApps-Allowed-Domains | Domain | mydomain1.com, mydomain2.com | Add to request | Use the built-in G Suite address group. |

The built-in G Suite address group includes:

  • gmail.com
  • wildcard.google.com (*.google.com)

Slack

| Header name | Header content | Example header content | Action | Destination |
|---|---|---|---|---|
| X-Slack-Allowed-Workspaces-Requester | Workspace or organization ID representing your Business+ or Enterprise Grid account | xxxxxx | Add to request | Create a new address object called wildcard.slack.com containing an FQDN of *.slack.com. |
| X-Slack-Allowed-Workspaces | Organization IDs or workspace ID | yyyyyy | Add to request | Create a new address object called wildcard.slack.com containing an FQDN of *.slack.com. |

You must manually create the wildcard.slack.com address object containing the FQDN of *.slack.com: in the Inline-CASB Header slide-in, click Destination, then click Create in the resulting Select Entries slide-in.

Due to vendors' changing requirements, these settings may no longer comply with the vendors' official guidelines. See the vendor documentation in SaaS vendor-specific headers.
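To make the mechanism in the tables concrete, the following Python model is an added example, not Fortinet code and not how FortiSASE implements header insertion internally. It represents an inline-CASB header rule with the four fields from the slide-in (name, content, action, destination), applies every rule whose Destination covers the request host, and runs the sanity checks the notes above imply: a tenant ID GUID must be present in Restrict-Access-To-Tenants alongside the domains, and sec-Restrict-Tenant-Access-Policy carries restrict-msa. The rule class, the wildcard-matching assumption (a `*.` entry covers subdomains only) and the sample rules built from the tables' example values are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical rule model mirroring the four fields of the Inline-CASB Header slide-in.
ACTIONS = ("add_to_request", "add_to_response", "remove_from_request", "remove_from_response")


@dataclass(frozen=True)
class CasbHeaderRule:
    name: str                      # Header name (defined by the service provider)
    content: str                   # Header content (defined by your settings)
    action: str                    # one of ACTIONS
    destinations: Tuple[str, ...]  # FQDNs of the address object/group; "*.x" is a wildcard


GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def host_matches(host: str, pattern: str) -> bool:
    """Match a request host against one FQDN entry.
    Assumption for this example: a '*.' wildcard covers subdomains only, not the apex."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] keeps the leading dot
    return host == pattern


def _delete_header(headers: Dict[str, str], name: str) -> None:
    # HTTP header names are case-insensitive, so remove every spelling of the name.
    for key in [k for k in headers if k.lower() == name.lower()]:
        del headers[key]


def apply_rules(host: str, request: Dict[str, str], response: Dict[str, str],
                rules: List[CasbHeaderRule]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (request, response) header sets after applying every rule whose
    Destination covers `host`; rules for other destinations leave traffic untouched."""
    req, resp = dict(request), dict(response)
    for rule in rules:
        if not any(host_matches(host, d) for d in rule.destinations):
            continue
        if rule.action == "add_to_request":
            _delete_header(req, rule.name)
            req[rule.name] = rule.content
        elif rule.action == "add_to_response":
            _delete_header(resp, rule.name)
            resp[rule.name] = rule.content
        elif rule.action == "remove_from_request":
            _delete_header(req, rule.name)
        elif rule.action == "remove_from_response":
            _delete_header(resp, rule.name)
        else:
            raise ValueError(f"unknown action {rule.action!r}")
    return req, resp


def check_rule(rule: CasbHeaderRule) -> List[str]:
    """Pre-deployment checks derived from the notes in the vendor tables."""
    problems: List[str] = []
    if rule.action not in ACTIONS:
        problems.append(f"{rule.name}: unknown action {rule.action!r}")
    if not rule.destinations:
        problems.append(f"{rule.name}: no Destination configured")
    if rule.name.lower() == "restrict-access-to-tenants":
        items = [p.strip() for p in rule.content.split(",") if p.strip()]
        if not any(GUID_RE.match(p) for p in items):
            problems.append("Restrict-Access-To-Tenants: tenant ID (GUID) missing from the list")
        if all(GUID_RE.match(p) for p in items):
            problems.append("Restrict-Access-To-Tenants: no domain in the list")
    if rule.name.lower() == "sec-restrict-tenant-access-policy" and rule.content != "restrict-msa":
        problems.append("sec-Restrict-Tenant-Access-Policy: content should be 'restrict-msa'")
    return problems


# Constructed sample rules using the example values from the tables above.
O365_GROUP = ("login.microsoftonline.com", "login.microsoft.com", "login.windows.net")
GSUITE_GROUP = ("gmail.com", "*.google.com")
SLACK_WILDCARD = ("*.slack.com",)

SAMPLE_RULES = [
    CasbHeaderRule("Restrict-Access-To-Tenants",
                   "azure.domain.com, domain.com, d0cf12c3-456c-7e89-0d1e-03e456de78f9",
                   "add_to_request", O365_GROUP),
    CasbHeaderRule("Restrict-Access-Context", "d1cf23c4-567c-8e90-1d2e-03e456de78f9",
                   "add_to_request", O365_GROUP),
    CasbHeaderRule("sec-Restrict-Tenant-Access-Policy", "restrict-msa",
                   "add_to_request", ("login.live.com",)),
    CasbHeaderRule("X-GoogApps-Allowed-Domains", "mydomain1.com, mydomain2.com",
                   "add_to_request", GSUITE_GROUP),
    CasbHeaderRule("X-Slack-Allowed-Workspaces-Requester", "xxxxxx", "add_to_request", SLACK_WILDCARD),
    CasbHeaderRule("X-Slack-Allowed-Workspaces", "yyyyyy", "add_to_request", SLACK_WILDCARD),
]

if __name__ == "__main__":
    for host in ("login.microsoftonline.com", "login.live.com", "app.slack.com", "example.org"):
        req, _ = apply_rules(host, {"Host": host}, {}, SAMPLE_RULES)
        print(host, {k: v for k, v in req.items() if k != "Host"})
    for r in SAMPLE_RULES:
        print(r.name, check_rule(r) or "ok")
```

Running the block shows which headers reach each destination: the Office 365 login hosts receive both Restrict-Access-To-Tenants and Restrict-Access-Context, login.live.com receives only sec-Restrict-Tenant-Access-Policy, any *.slack.com host receives both Slack headers, and an unrelated host is left untouched. `check_rule` flags the configuration error the Office 365 note warns about, a Restrict-Access-To-Tenants list with domains but no tenant ID.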