How to restrict access to Google Apps & Services using miniOrange CASB

Restricting access to Google apps and services helps protect sensitive business information, maintain data privacy, and prevent unauthorized users from accessing your digital workspace. In this guide, we’ll show you the step-by-step process to implement a miniOrange CASB to restrict access to your favorite Google apps and services.

Step 1: Sign up with miniOrange CASB

Click here to log into your miniOrange account.

(Don’t have an account? No worries, click here to create a new account)

Step 2: Selecting Google Apps & Services

After logging in, you should be taken to the miniOrange dashboard page. Locate the "Google" tab and select the "Add App" option to select the apps & services you want to restrict.

Google CASB Access Restriction authentication method dashboard

Select the Add Authentication Source option from the drop-down menu.

Google CASB Access Restriction Add authentication

Mention an Authentication name for the authentication source, and click on Generate Metadata.

Google CASB Authentication Generate Metadata

After clicking on Generate Metadata, you will get the metadata details, as shown in the image below. Use this data to configure the SAML application in your Identity Provider (IDP).

Google CASB Access Restriction Generate Metadata SAML Flow

If you would like to view the metadata details again, then you can click on the Show Metadata button.
Now, Enter the remaining details like the IDP Entity ID, SAML Login URL, SAML Logout URL, and X509 Certificate which you will find in your Identity Provider metadata. Once done, Choose the Binding Type for SSO Request as required. You will find this information in the IDP metadata. However, if you are not sure, please select the HTTP-Redirect Binding as the default configuration.

Google CASB Access Restriction SP metadata IDP Details

Click the Save & Next button once you have filled out all the details.
You have now successfully configured SAML Authentication with miniOrange CASB.

Step 3: Configuring SAML SSO in Google Admin Console

Go to your miniOrange CASB dashboard and then go to Basic Settings section.
Fill in the following details to configure the Google Application:

Organization Name: Enter the name of your organization.
Organization Domain: Enter the domain of your organization on Google. (Ex: example.com)
Attribute Key: Enter the Group Attribute Key for the SSO app, which you have configured in the IDP under the SAML attributes section.
Google ACS URL: You can get the Google ACS URL from the Google admin panel. Or else it would be https://www.google.com/(Organization-Domain)/acs
Google Entity URL: You can get the Google ACS URL from the Google admin panel. Or else it would be https://www.google.com/
Click on Save & Next to save your changes.

You can check your IDP Metadata that is updated in the Google admin console by clicking on the Get Configuration option next to Previous.

Google CASB Get Configuration Authentication

Google Access Restriction IDP Metadata Details

Now, Login to your Google Admin Dashboard.

On the left side, below the menu icon (☰), click on Home () ⤏ Security () ⤏ Authentication ⤏ SSO with third-party IDP.

Click on the Edit Button highlighted in the red box in the image below.

After clicking on the edit icon, a menu will be displayed, as shown below.

Select the checkbox “Set up SSO with third-party identity provider”.
Fill in the details on the Sign-in page URL (i.e., the Sign-in page URL is the SAML login URL that you have in the IDP metadata).
Next, Enter the Sign-out page URL as mentioned https://login.xecurify.com/moas/logout?redirectUrl=https://mail.google.com
Now, click on the “REPLACE CERTIFICATE” button, which will open a window to upload the certificate. Upload the X.509 Certificate that you have in the IDP metadata.
Once done with these steps, click on the save button to update the configuration.
You have successfully created the SAML SSO with Third Party IDPs!

Step 4: Configuring Policies

Let’s see how to configure policies for Google CASB.

Go to miniOrange CASB Dashboard > Manage Policy. Enter your policy details, like Policy Name and Policy Description.
Select the “Enable IP Restriction” check box as shown in the image below.

Google CASB policies enable IP Restriction

Follow these steps to configure IP Restriction policy:

1) Select the Allow or Deny option to either permit or restrict certain IP addresses.

2) Click on the Add IP Address icon to create a new field where you can add the IP addresses you want to regulate.

3) Click on the Save & Next button to submit the policy.

Google CASB policies configure ip policy allow deny

Click on the "Enable Time Restriction" checkbox and enter the Policy Name and Policy Description as shown below in the image.

Google CASB policies Enable Time Restriction

Follow these steps to configure Time Restriction policy:

1) Select Allow or Deny to permit or restrict user access during the selected time slot.

2) Select the user's time zone.

3) Select the start and end times for the time-based restriction.

4) Click on the Save & Next button to submit the policy.

Google CASB policies configure time policy allow deny

Click on the "Enable Prevent Download" checkbox as shown below in the image.
Click on the Save & Next button to save the policy.

Google CASB policies Enable Prevent Download

Step 5: Configuring Groups

Let’s see how to configure Groups for Google CASB.

In the Manage Group section, enter the Group Name and Group Description (It should be the same as the name of the group that you have configured in the IDP). Select the Group Policy from the drop-down menu.

Google CASB Groups submit app restriction group

Now, let’s give permissions for applications for the group:

a) No App Restriction for Group: In this, there will be no restrictions on the application for the group.

b) App Restriction for Group: In this, the restrictions will be applied over the application based on the policy that you have configured for the group.

c) Disable App for Group: By choosing this option, the application becomes inaccessible from anywhere for the entire group.

d) Custom App Restriction for Group: By using this, you can apply an application-specific custom application restriction policy to an application that overpowers the group's restriction policy.

After successfully configuring all screens, you will be redirected to the edit screen.

Step 6: Edit Screen

Basic Settings You can change any configurations if required in the Authentication.
Suppose you want to configure different authentication sources. In that case, you can simply click on the Authentication Source in the Navigation Bar, where you will be able to add, view & edit authentication sources.

Google CASB Basic Settings change any configuration

Group Settings You can add and configure groups on this screen and view all configured groups. Now, Click on Add New Group.

Google CASB Group Settings all configured groups

You will get a pop-up for adding a new group and you can configure it using the above mentioned steps.

Google CASB pop-up new groups restrictions

If you need to create a new policy for a group, you can navigate to the policy screen and add, edit, and delete policies there.

Not able to configure or test Google Workspace CASB?
For this, you need to Contact us or email us at proxysupport@xecurify.com and we'll help you setting it up in no time.

External References

miniOrange CASB offers a wide variety of security features with flexible scalability, all available at the most affordable price to all types of businesses. Start by signing up now!

Contents