What is Portnox Conditional Access for Applications and how does it work?
In this topic, you will learn what is the Portnox™ Conditional Access for Applications service and how it works.
The Portnox Conditional Access for Applications service provides secure single sign-on user access to web applications.
In a traditional single sign-on (SSO) access model, the user can access the web application from any device, as long as the user is authenticated. In a Conditional Access model, an extra security condition is added: only specific user devices may access the application, and only if these devices meet the security requirements defined by the administrator.
For example:
-
Traditional security model:
- The user authenticates with the single sign-on provider using their email address and a password (optionally with multi-factor authentication).
- The user can access the web application from any device.
-
The Conditional Access model:
- The user authenticates with the single sign-on provider using their email address and a password (optionally with multi-factor authentication).
- If the device does not have Portnox AgentP installed, the user cannot access the application.
- If the device does not have the Portnox security certificate installed by AgentP, the user cannot access the application.
- If the user has AgentP and the certificate, but AgentP discovers that certain conditions are not met, the
administrator may prevent the user from accessing the application. For example:
- If the device has an outdated version of the operating system
- If the device has no antivirus software installed
- If the user is currently located outside United States
- If the device is not configured to be managed by Intune
How does Conditional Access work?
If your application is integrated with Portnox Conditional Access, here is what happens when an example user tries to access the application.
From the user’s point of view, the process is almost identical to the one when the user logs in using single sign-on such as Azure or Google.
-
The user types the address of the web application in their browser to access it, just like they would without Conditional Access.
-
The user either clicks or taps on the button to log in using Conditional Access or simply enters their email address (this depends on the application).
-
The application automatically redirects the browser to Portnox Cloud, which checks if the user’s device has a Portnox Conditional Access security certificate. If the device is certified, Portnox Cloud redirects the browser to an identity provider such as Microsoft Entra ID (Azure Active Directory), Google Workspace, or other. The identity provider is configured in Portnox Cloud for the specific application.
-
The identity provider handles user authentication. For example, the user may enter their email address and password, provide multi-factor authentication using an authenticator app, or use any other authentication method supported by the identity provider. Once the user is authenticated, the identity provider redirects the browser back to Portnox Cloud.
-
Now that Portnox Cloud knows the application, knows that the device is certified, and knows the logged in user, it communicates with Portnox AgentP installed on the user’s device. It then checks the policies configured in Portnox Cloud for the application or for a specific group of users. These policies may include operating system versions, installed software, location, and more. Based on these policies, AgentP decides if the device is safe for application access or not, and sends that information to Portnox Cloud.
-
Portnox Cloud either redirects the user back to the application after a successful login, or informs the user that they cannot be logged in because their device is not safe. Optionally, Portnox Cloud can redirect the user to the company’s support pages, software download pages, or simply display a custom message configured by the administrator.
What do you need to be able to use Conditional Access?
To be able to use Portnox Conditional Access for Applications, you need to meet the following conditions.
-
You need to buy a Portnox Conditional Access for Applications license. Without a license, you can test Conditional Access for one application only.
-
You need to have a configured cloud-based authentication repository such as Microsoft Entra Id (Azure Active Directory) or Google Workspace. Portnox Cloud must work together with your authentication repository to know the users accessing your applications.
-
You need to have an identity provider that supports the Security Assertion Markup Language (SAML) protocol. Such identity providers are offered by most authentication repositories (including Entra ID and Google Workspace) but you can also use third-party identity providers that work together with your authentication repository.
-
You need to have an option to configure a SAML-based single sign-on (SSO) integration in your web application. Most enterprise applications have such capabilities. Here is a list of applications that we tested.
-
Your users need to have Portnox AgentP installed on all their devices, even their BYOD/personal devices. You can distribute AgentP using your endpoint management solutions such as Intune, or you can ask your users to install AgentP manually. If you want to ask your users to install AgentP manually, you can give them the following link: https://docs.portnox.com/caa/. This link contains end-user instructions for all popular desktop/mobile operating systems: Windows, macOS, iOS, and Android.
How is the integration with Conditional Access configured?
For Conditional Access to work, Portnox Cloud needs to be integrated with at least one identity provider and with at least one application.
Both integrations are very similar and do not involve any coding or any external components. Integration happens by exchanging a set of single sign-on (SSO) identifiers and URLs. To integrate with an identity provider or with an application, you simply have to copy some values from the configuration screen of one product and paste them into the right fields on a configuration screen of the other product.
Conditional Access supports a globally recognized mechanism for single sign-on integration: Security Assertion Markup Language (SAML). We are working on supporting other mechanisms such as OpenID.
Integrating with an identity provider
When you integrate Conditional Access with an identity provider, you must create a custom SAML app in the identity provider configuration, and then copy at least the following values from the Portnox Cloud configuration screen to a custom SAML app configuration screen:
- The Portnox Cloud identifier that it generated for the identity provider, so that Cloud can recognize and trust the communication
- The Portnox Cloud URL to which the identity provider is supposed to send the user after successfully authenticating them
You must also copy at least the following values from the identity provider’s custom SAML app configuration screen to the Portnox Cloud configuration screen:
- The identity provider’s URL to which Portnox Cloud is supposed to redirect users for authentication
- The identity provider’s identifier used in its single sign-on tokens
- The identity provider’s security certificate, so that Portnox Cloud can verify that it’s communicating with the identity provider and not an intruder
Integrating with a web application
When you integrate a web application with Conditional Access, you must copy at least the following values from the Portnox Cloud configuration screen to the application configuration screen:
- The Portnox Cloud identifier that the application is supposed to use during communication, so that Cloud can recognize and trust the incoming authentication requests
- The Portnox Cloud URL to which the application is supposed to redirect the user for authentication
- The Portnox Cloud security certificate, so that the application can verify that it’s communicating with Portnox and not an intruder
You must also copy at least the following values from the application configuration screen to the Portnox Cloud configuration screen:
- The application’s unique identifier, so that Portnox Cloud can identify it during communication
- The application’s URL to which Portnox Cloud is supposed to redirect the user after successfully authenticating them
What applications are supported by Conditional Access?
Conditional Access works with all applications that support SP-initiated SAML flow.
In the left-hand side menu, in the Application integration section, you can see a list of applications that we tested and confirmed to work with Conditional Access. This list will grow with more applications that we are able to test either internally or together with our customers.