Azure AD with CTSP

ColorTokens ZTNA is an Azure gallery app available on the Azure Marketplace. Integrating the ColorTokens ZTNA app with your Azure AD tenant and federating between the Azure AD and Xshield tenants can provide you the following benefits:

ZTNA with SAML-based SSO to Xshield-protected apps - a successful integration of ColorTokens ZTNA Azure app with Xshield ensures Zero Trust network access to and from endpoint assets after Xshield policies are enforced. Also, Xshield-protected apps can be SSOed to using SAML without needing to enter the login credentials multiple times.
Improved secure network access to Xshield-protected apps - use Azure AD authentication features such as Multi-factor authentication (MFA), Conditional Access, and Session Control, in addition to enforcing Xshield policies on endpoint assets.

Pre-requisites

An Azure AD subscription or an on-premises Active Directory setup with Azure AD Connect installed and on-premises users and user groups synchronized with Azure AD.
Xshield agents (type = User Authorization) installed on the assets that the Azure AD tenant's users will use.
Read Install Xshield agent for more on installing Xshield agents on assets.
Decide on the users and/or user groups in the Azure AD tenant who must be able to SSO with Xshield-protected apps.

Limitations

Using the ColorTokens ZTNA app for SSO is an Xshield tenant to Azure AD tenant mapping. This works only for a unique combination of Xshield and Azure AD tenants.
For Xshield deployments that have been in use for a few releases, if SAML-based authentication with Azure AD is already configured, you must overwrite the existing federation data with the federation data of the ColorTokens ZTNA app.

Procedure

Download the federation metadata of the Xshield tenant

The federation metadata for Xshield is an XML file. You will need to feed this metadata to configure ColorTokens ZTNA integration on Azure AD.

Go to Settings > Configure > Onboard Users on Xshield.
Click the Add IdP option.
Select Others > Others SAML.
Click Export CT Metadata and download the XML file.

Add ColorTokens ZTNA app to your Azure AD tenant from Microsoft Azure Marketplace

Add the ColorTokens ZTNA app to your Azure AD tenant to enable SAML-based SSO to Xshield-protected apps.

Although you can manually specify the URLs, user attributes and claims, and other properties for the ZTNA app, we strongly recommend you use the federation XML file from Xshield to auto-populate these properties on Azure AD.

Log into your Azure AD tenant.
Go to Enterprise Applications in the left navigation pane.
Type ColorTokens ZTNA in the search box, and the ZTNA app appears below.
Click the ColorTokens ZTNA app.
On the ColorTokens ZTNA | Overview page, click the Set up single sign on tile.
On the ColorTokens ZTNA | Single sign-on page, click the SAML tile.
On the ColorTokens ZTNA | SAML-based Sign-on page, click Upload metadata file and upload the Xshield tenant's federation XML file.
This populates all the properties required for SAML for the ZTNA app, from Xshield's federation XML file, with the exception of the Identifier, Reply URL and Sign on URL fields.
Do the following to add the SAML properties:
- Click the Edit icon in the Basic SAML Configuration listing.
- Construct the Identifier (Entity ID) based on the URL and the name of your Xshield tenant, in the following format:
  
  URL OF THE TENANT/NAME OF THE TENANT
  
  For example, if the a tenant URL is https://qasaml-stage1.spectrum.colortokensecurecloud.com and the name of the tenant is qasaml, the Identifier is
  
  https://qasaml-stage1.spectrum.colortokensecurecloud.com/qasaml/.
  
  See the Settings > Agents & Downloads > Agent Download page on Xshield for the URL and the name of the tenant.
- Construct the Reply URL (Assertion Customer Service URL) based on the URL and the name of your Xshield tenant, in the following format:
  
  URL OF THE TENANT/api/v1/NAME OF THE TENANT/saml/assertion
  
  For example, if the tenant URL is https://qasaml-stage1.spectrum.colortokensecurecloud.com and the name of the tenant is qasaml, the Reply URL will be
  
  https://qasaml-stage1.spectrum.colortokensecurecloud.com/api/v1/qasaml/saml/assertion.
- Construct the Sign on URL based on the URL and the name of your Xshield tenant, in the following format:
  
  <URL OF THE TENANT>/colormaster/api/v1/<NAME OF THE TENANT/saml/login
  
  For example, if the a tenant URL is https://qasaml-stage1.spectrum.colortokensecurecloud.com and the name of the tenant is qasaml, the Sign on URL will be
  
  https://qasaml-stage1.spectrum.colortokensecurecloud.com/colormaster/api/v1/qasaml/saml/login.
  Do the following to add a group claim:
- Click the Edit icon in the User Attributes & Claims listing.
- Click Add a group claim.
- In the Group Claims fly panel, select All groups and select sAMAccountName as the source attribute.
- Under Advanced options, add a name for the group in the Name field. For example, Azure AD groups.
  
  You must later map this group to the CT group attribute on the Xshield UI, to be able to obtain Azure AD groups data on Xshield.
Click Save.

Although it is a common practice to test the Single Sign on configuration when a SSO app is integrated with Azure AD, in this case the ColorTokens endpoint app authenticates users and not the Web browser.

So, if you test the configuration at this point, you will see an error. Continue the end-to-end configuration. You will be able to test the configuration when you have completed all the steps listed in this topic.

See Verify federation with the ColorTokens ZTNA app and Xshield at the end of this topic to test and verify the end-to-end configuration.
Click Download next to Federation Metadata XML to download the federation metadata file from Azure AD.

The name of the file is 'ColorTokens ZTNA.xml'.

Add Azure AD users and/or groups who can SSO with Xshield-protected apps

Only users and/or groups you select here will be able to SSO with Xshield-protected apps. It is important that you maintain meaningful and intuitive groups on Azure AD. By mapping the groups on Azure AD with Endpoint groups on Xshield, you can enforce Xshield policies on Endpoint groups efficiently.

Click User and groups in the left navigation pane on Azure AD.
Search and add users and/or groups which should be able to SSO with the ColorTokens endpoint app on endpoint assets.

Upload ColorTokens ZTNA app's federation data to the Xshield tenant

This creates a trust relationship between Azure AD/ColorTokens ZTNA app, and Xshield.

Go to Settings > Configure > Onboard Users on Xshield.
Click the Azure AD SSO option.
Click Browse under Upload XML and navigate to the ColorTokens ZTNA metadata XML file.

This populates the Azure AD tenant's URL and the details of the certificate.
Map the Azure AD's user attributes with the user attributes on Xshield.
Add and click Save.

Xshield	Azure AD
First Name	givenname
Last Name	surname
Group	Azure AD groups (the name of the manually added group claim)
Department	department

Download and install Xshield agents on endpoint assets

This is needed to bring the endpoint assets under active management from Xshield and to enforce ZTNA with Xshield policies on them.

Download Xshield agents (Agent Type = User Authorization) for Windows and macOS endpoint assets, from the Settings > Agent & Downloads > Agent Download page on Xshield.

Read Install the agent one-at-a-time and Install the agents at scale to see how to install the agent.

Verify federation with the ColorTokens ZTNA app and Xshield

If the federation between the Azure AD/ColorTokens ZTNA Azure app and Xshield is successful:

You must see the 'Groups and 'Departments' attributes from Azure AD synchronized with Xshield, on the Assets & Groups > Users, Groups & Departments page.
You will see the endpoint users/assets (selected to use SSO with ColorTokens ZTNA app) on the Assets & Groups > Users, Groups & Departments page, when they successfully log in from the ColorTokens endpoint app on the assets, by using the Microsoft credentials.

Next steps

Group endpoint assets by their access requirements. Create Endpoint groups by the groups and/or departments synchronized from Azure AD.
For example, 'HR' and 'Customer relationship' Endpoint groups with users from the respective Azure AD groups and departments.
Read Endpoint groups for more details.
Create and enforce Access policies between Endpoint groups and Workload groups (that host the apps to which SSO is needed).
For example, Access policies between 'HR' Endpoint group and 'Web' role workloads in the HRM Workload group, and Access policies between 'Customer relationship' Endpoint group and the 'Web' role workloads in the CRM Workload group.
Enforce Xshield policies between these Endpoint groups and other HR and Customer relationship related apps to enjoy true SSO access.
Read Access policies for more details.