Customizing inline-CASB headers for restricted SaaS access
Large organizations may want to restrict SaaS access to resources like Microsoft Office 365, Google Workspace, and Slack by tenant to block non-company login attempts and secure the users from accessing non-approved cloud resources. Many cloud vendors enable this by applying tenant restrictions for access control. For example, users accessing Microsoft 365 applications with tenant restrictions through the corporate proxy will only be allowed to log in as the company’s tenant and access the organization’s applications.
Typically, access requests from clients pass through a security device or service, in this case FortiSASE, which inserts headers that instruct the SaaS service to apply tenant restrictions using the permitted tenant list. Users are redirected to the SaaS service login page and are only allowed to log in if they belong to a permitted tenant.
To customize headers for Office 365 tenant restriction, Google Workspace account access control, and Slack-approved workspaces for the current network:
Ensure that you have reviewed Prerequisites and have them in place before customizing headers; otherwise the headers may not function properly.
- Go to Configuration > Security and select the desired Profile Group.
- In the Web Filter With Inline-CASB widget, click Customize.
- In the Web Filter With Inline-CASB slide-in, click the Inline-CASB Headers tab, then click Create to create a new inline-CASB header.
- In the Inline-CASB Header slide-in, configure an inline-CASB header according to the vendors' specifications:
- Set the Header name. The service provider defines this.
- Set the Header content or HTTP header content to be inserted into the traffic. Your settings define this.
- Set the Action to one of the following:
| Action when HTTP header is forwarded | Description |
|---|---|
| Add to request (default) | Add the HTTP header to the request. |
| Add to response | Add the HTTP header to the response. |
| Remove from request | Remove the HTTP header from the request. |
| Remove from response | Remove the HTTP header from the response. |
- Set the Destination. This is an address object or address group containing domains that the service provider specifies.
- Click OK to save the configured inline-CASB header.
- Configure the applicable policy to use the security profile group with the Web Filter With Inline-CASB containing the newly configured Inline-CASB header:
- For FortiClient agent-based remote users, go to Configuration > Policies and do one of the following:
- Create a new policy and select the security profile group.
- Edit an existing policy and select the security profile group.
- For SWG agentless remote users, go to Configuration > SWG Policies and do one of the following:
- Create a new SWG policy and select the security profile group.
- Edit an existing SWG policy and select the security profile group.
For details on security profile groups and configuring them in policies, see Security profile groups.
The following tables list the vendor-specific headers that you must configure on the Inline-CASB Headers page:
Microsoft Office 365
| Header name | Header content | Example header content | Action | Destination |
|---|---|---|---|---|
| Restrict-Access-To-Tenants | Domains and tenant ID | azure.domain.com, domain.com, d0cf12c3-456c-7e89-0d1e-03e456de78f9 | Add to request | Use the built-in Microsoft Office 365 address group. |
| Restrict-Access-Context | Directory ID | d1cf23c4-567c-8e90-1d2e-03e456de78f9 | Add to request | Use the built-in Microsoft Office 365 address group. |
| sec-Restrict-Tenant-Access-Policy | restrict-msa | restrict-msa | Add to request | Create a new custom address object for login.live.com. |
The built-in Microsoft Office 365 address group includes:
- login.microsoftonline.com
- login.microsoft.com
- login.windows.net
For proper functioning of Microsoft Office 365 tenant restrictions, you must include the tenant ID in addition to the domains in a comma-separated list configured for
Google Workspace
| Header name | Header content | Example header content | Action | Destination |
|---|---|---|---|---|
| X-GoogApps-Allowed-Domains | Domain | mydomain1.com, mydomain2.com | Add to request | Use the built-in G Suite address group. |
The built-in G Suite address group includes:
- gmail.com
- wildcard.google.com (*.google.com)
Slack
| Header name | Header content | Example header content | Action | Destination |
|---|---|---|---|---|
| X-Slack-Allowed-Workspaces-Requester | Workspace or organization ID representing your Business+ or Enterprise Grid account | xxxxxx | Add to request | Create a new address object called wildcard.slack.com containing an FQDN of *.slack.com. |
| X-Slack-Allowed-Workspaces | Organization IDs or workspace ID | yyyyyy | Add to request | Create a new address object called wildcard.slack.com containing an FQDN of *.slack.com. |
You must manually create a new address object called wildcard.slack.com containing the FQDN *.slack.com: click Destination in the Inline-CASB Header slide-in, then click Create in the Select Entries slide-in that opens.
Due to vendors' changing requirements, these settings may no longer comply with the vendors' official guidelines. See the vendor documentation in SaaS vendor-specific headers.
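To make the header-insertion behaviour concrete, the following added example (not FortiSASE code or any vendor's own implementation) models the rules from the three tables above as a small rule set, applies them to constructed requests by destination FQDN (with the wildcard forms *.google.com and *.slack.com), and checks the Office 365 requirement that Restrict-Access-To-Tenants carries a tenant ID alongside the domains. The tenant, directory and workspace IDs are the page's sample values, not real tenants.

```python
import re
from fnmatch import fnmatch

# Destination address groups as listed on this page.
O365 = ["login.microsoftonline.com", "login.microsoft.com", "login.windows.net"]
GSUITE = ["gmail.com", "*.google.com"]

# Rules mirror the vendor tables: (header name, header content, action, destination FQDNs).
# Tenant/directory/workspace IDs are the page's sample values, not real tenants.
RULES = [
    ("Restrict-Access-To-Tenants",
     "azure.domain.com, domain.com, d0cf12c3-456c-7e89-0d1e-03e456de78f9", "add-to-request", O365),
    ("Restrict-Access-Context", "d1cf23c4-567c-8e90-1d2e-03e456de78f9", "add-to-request", O365),
    ("sec-Restrict-Tenant-Access-Policy", "restrict-msa", "add-to-request", ["login.live.com"]),
    ("X-GoogApps-Allowed-Domains", "mydomain1.com, mydomain2.com", "add-to-request", GSUITE),
    ("X-Slack-Allowed-Workspaces-Requester", "xxxxxx", "add-to-request", ["*.slack.com"]),
    ("X-Slack-Allowed-Workspaces", "yyyyyy", "add-to-request", ["*.slack.com"]),
]

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def host_matches(host, patterns):
    """Exact FQDN match, or wildcard match such as *.google.com / *.slack.com."""
    return any(fnmatch(host.lower(), p.lower()) for p in patterns)


def apply_rules(host, request_headers, response_headers, rules=RULES):
    """Apply every rule whose destination matches host; return the (request, response) header dicts."""
    req, resp = dict(request_headers), dict(response_headers)
    for name, content, action, destination in rules:
        if not host_matches(host, destination):
            continue
        target = req if action.endswith("request") else resp
        if action.startswith("add"):
            target[name] = content
        else:  # remove-from-request / remove-from-response
            target.pop(name, None)
    return req, resp


def missing_tenant_id(rules=RULES):
    """O365 tenant restriction needs a tenant ID (GUID) alongside the domains; report rules lacking one."""
    bad = []
    for name, content, _action, _dest in rules:
        if name == "Restrict-Access-To-Tenants":
            if not any(GUID_RE.match(v.strip()) for v in content.split(",")):
                bad.append(name)
    return bad
```

A request to a host outside every destination group passes through with its headers untouched, which is the case to verify when troubleshooting why a tenant restriction is not being enforced.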