Tech Note--Configuring Mirror Gateway for G Suite with Ping

Symantec CloudSOC Tech Note


Post on 14-Apr-2022


Copyright statement Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.    

Copyright © 2020 Symantec Corp.


 

 Table of Contents  

Introduction  

Prerequisites  

Gather metadata in CloudSOC Store  

Configure Mirror Gateway in Ping  

Create a custom SAML app in Ping  

Federate Mirror Gateway with G Suite  

Configure IdP metadata in CloudSOC  

Mirror Gateway Hybrid Mode  

Revision history  

 


 

Introduction  

This Tech Note describes how to configure the G Suite Gatelet Mirror Gateway features using Ping as an Identity Provider (IdP).

Mirror Gateway forwards all traffic tracked by the CloudSOC G Suite Gatelet to the CloudSOC Gateway for monitoring, even traffic originating from devices that have neither the Reach agent nor the CloudSOC PAC file installed.

Prerequisites  

You must already have configured:  

● Ping as your IdP  

● A G Suite account for administrator access  

Gather metadata in CloudSOC Store  

1. In CloudSOC, select Store.

2. In the Gatelets area of the Store page, click See all.

3. Hover over the G Suite tile and select Activate with Mirror Gateway.

4. From the Configure SAML Federation box, copy the following URLs and paste them into a text document:

● SSO Post URL

● Issuer URL (Entity ID)

5. Click Download Certificate and save the resulting certificate to a temporary location. You will use this certificate as the Verification certificate in a later procedure.

6. Click Cancel and continue with the procedures in Configure Mirror Gateway in Ping.

Configure Mirror Gateway in Ping  

Perform the steps in the following sections after you gather the necessary metadata from the CloudSOC Store.

Create a custom SAML app in Ping  

1. In Ping, navigate to Applications, then select SAML, then click New SAML Application.

2. Configure the Application Details as shown in the following table, then click Continue to Next Step.

Application Name   Any convenient name, such as "G Suite RP"

Application Description   Any convenient description

Category   Other

Graphics   Leave blank

3. Configure the SAML settings in the Application Configuration as shown in the following table. Leave all other settings in their default states:

Assertion Consumer Service (ACS)   Paste the SSO Post URL you got from the CloudSOC Activate Mirror Gateway box.

Entity ID   Paste the Issuer URL (Entity ID) you got from the CloudSOC Activate Mirror Gateway box.

Single Logout Endpoint   https://app.elastica.net/saml2/ls/

 

4. Click Continue to Next Step.

5. In the SSO Attribute Mapping area, add the following statements:

Application Attribute   Identity Bridge Attribute or Literal Value

gsuite-nameID   Email

User.email   Email

 

6. Click Continue to Next Step.

7. In the Group Access step, add the groups that are authorized to use the Mirror Gateway.

8. On the Review Setup page, click Download to obtain the SAML Metadata file.

9. Click Finish.


Federate Mirror Gateway with G Suite  

1. Log in to the Google admin account console at https://admin.google.com

2. Select Security - Settings and then select Set up single sign-on (SSO)

3. Select Setup SSO with third party identity provider. Enter the Sign-in URL that you copied from CloudSOC in the section Gather metadata in CloudSOC Store.

Use the following URL as Sign-out URL (SSO is not supported by GSuite):

4. Upload the certificate that you downloaded from CloudSOC in the section Gather metadata in CloudSOC Store as the Verification certificate.

Note: If the certificate from CloudSOC shows an error during the Save procedure, you can convert the certificate from PEM to DER format using OpenSSL:

    openssl x509 -outform der -in certificate.pem -out certificate.der

5. Save the changes.

Configure IdP metadata in CloudSOC  

1. In CloudSOC, return to Store, then select Gatelets, and then select G Suite.

2. Hover over the G Suite tile and select Activate with Mirror Gateway.

3. Click Next: Provide SSO Provider Metadata.

4. In the Metadata from your SSO Provider area, click Metadata URL.

5. Paste the SAML Metadata file you copied from Ping in the section Create a custom SAML App in Ping.

6. Click Complete Activation.

7. Wait a few minutes, then check the G Suite Gatelet tile in the CloudSOC Store to make sure Mirror Gateway is enabled.

 

 

Mirror Gateway Hybrid Mode  

If you have the Mirror Gateway activated and the Reach agent is enabled in Mirror Gateway Hybrid Mode, the Reach agent will continue to work in Hybrid Mode. If you disable Hybrid Mode, the Mirror Gateway is activated as soon as you log out of your SaaS application and log back in.


 

 

Revision history  

Date   Version   Description  

22 January 2020   1.0   Initial release  

 

 
