Service Extensions with SSL Orchestrator: SaaS Tenant Isolation

Introduction

F5 BIG-IP SSL Orchestrator is a great solution for managing SaaS Tenant Isolation.  It gives you granular control over access to external SaaS applications.  Microsoft Office365, Webex, Dropbox, GitHub, and many other SaaS applications are supported.

Service Extensions are a new programmable capability in the SSL Orchestrator Service Chain (as of BIG-IP 17.0) that allow for customizable behaviors on decrypted HTTP traffic directly from within the Service Chain. 

In this article you will learn how to download, install, and configure the policy that enables the “SaaS Tenant Isolation” Service Extension. 

What is SaaS Tenant Isolation?

SaaS Tenant Isolation is a function for managing tenant isolation (also known as tenant restrictions) for several SaaS applications in a corporate environment. Tenant Isolation is a way for corporate entities to control access to non-corporate SaaS endpoints, typically to defend against misuse and sensitive data exfiltration. For example, an enterprise user may have Office365 accounts from multiple organizations. Tenant isolation prevents that user from copying data from their company’s SharePoint to an Office365 endpoint in another organization. This service extension enhances the SSL Orchestrator built-in Office365 Tenant Restrictions service, providing for additional SaaS property controls:

Note: the “for reference” links contain more information from each provider about how SaaS Tenant Isolation works

Deployment Prerequisites

  • F5 BIG-IP version 17.1.x
  • SSL Orchestrator version 11.1+

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

SaaS Tenant Isolation Service Extension Installation

The information below is from the GitHub repository for the SaaS Tenant Isolation Service Extension (click here for a direct link).  It includes an installer to create all the necessary objects.

Download the installer:

curl -sk https://raw.githubusercontent.com/f5devcentral/sslo-service-extensions/refs/heads/main/saas-tenant-isolation/saas-tenant-isolation-installer.sh -o saas-tenant-isolation-installer.sh

Make the script executable:

chmod +x saas-tenant-isolation-installer.sh

Export the BIG-IP username and password:

export BIGUSER='admin:password'

Note: replace “password” with your actual BIG-IP admin password

Run the script to create all the SaaS Tenant Isolation objects:

./saas-tenant-isolation-installer.sh

The installer creates a new Inspection Service named "ssloS_F5_SaaS-Tenant-Isolation". Add this Inspection Service to any Service Chain that can receive decrypted HTTP traffic. Service Extension Services only trigger on decrypted HTTP, so this Service can be inserted into Service Chains that may also see TLS bypass traffic (not decrypted). SSL Orchestrator simply bypasses this Service for anything that is not decrypted HTTP.

After following the steps above, the SSL Orchestrator screen should look like this:

 

YouTube Tenant Restrictions

To configure YouTube Tenant Restrictions, you will need to edit the iRule named “saas-tenant-rule”.

Navigate to Local Traffic > iRules > iRule List

Click on the iRule named “saas-tenant-rule” (you may need to expand the iRule List)

To enable the policy, set the value for “USE_YOUTUBE” from 0 to 1.  Click Update.

YouTube Tenant Restrictions can be set to either “Moderate” or “Strict”.

 

Move the SaaS Tenant Isolation Service to a Service Chain

Go to the SSL Orchestrator Configuration screen

Click Service Chains then select your Service Chain

Select the F5_SaaS_Tenant-Isolation Service and click the arrow to move it to the right

Click Deploy

Click OK

Click OK

The configuration is now complete

 

Test YouTube Tenant Restrictions

From a client computer, access youtube.com.  An attempt to search for “adult content” results in the following:

 

Microsoft (Office) 365 Tenant Restrictions

The “saas-tenant-rule” has a set of editable configuration options for Office 365.

For example:

  • USE_OFFICE365_V1:
    Enables or disables tenant control for this SaaS endpoint.
  • SAAS_OFFICE365_V1_HEADERS:
    Defines the header(s) to be injected for this SaaS endpoint. Each line in the list consists of two values:
    • Header Name: (ex. Restrict-Access-To-Tenants)
    • Header Value: Typically an organization ID. The Ref: field in the comment block points to a resource that explains how this field must be populated.

To customize the functionality navigate to Local Traffic > iRules > iRule List

Click on the iRule named “saas-tenant-rule” (you may need to expand the iRule List)

Office365 will be used in this example. The configuration is similar for all SaaS Tenants.

To enable the policy, set the value for “USE_OFFICE365_V1” from 0 to 1.  Click Update.

Populate the header values required for your organization and click Update

For reference, refer to:

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions

For more details on Office 365 Tenant Restrictions, click HERE

 

Testing Header Injection

To test generic Header Injection from a client computer, access the following site:

https://httpbin.org/headers

By default you should see the following:

Note the two x-headers injected at the bottom

Then go back to the iRule “saas-tenant-rule” and scroll down to the “USE_TESTING” section

These are the same headers you saw from httpbin.org

The values can be customized like the following:

Don’t forget to click Update

Try the httpbin.org/headers site again and you should see the following:

The two "X-Test-Header-" headers are injected by the iRule
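
The check above can be scripted against a saved httpbin.org/headers response. The following is an added example, not code from the article or the F5 repository: it classifies each expected header and tells apart "no injection" (traffic not decrypted, or the Service is not in the chain) from a client-supplied copy that survived next to the injected value. The header names, values and response bodies are constructed, and it assumes repeated headers are echoed as one comma-joined value.

```python
import json

# Constructed httpbin.org/headers bodies (not captured from a real deployment).
INJECTED = '{"headers": {"Host": "httpbin.org", "X-Test-Header-A": "value-a", "X-Test-Header-B": "value-b"}}'
BYPASSED = '{"headers": {"Host": "httpbin.org", "User-Agent": "curl/8.5.0"}}'
APPENDED = '{"headers": {"Host": "httpbin.org", "X-Test-Header-A": "client-set,value-a", "X-Test-Header-B": "value-b"}}'

# Hypothetical names and values; use the ones set in the USE_TESTING section.
EXPECTED = {"X-Test-Header-A": "value-a", "X-Test-Header-B": "value-b"}


def check_headers(body, expected):
    """Classify each expected header as ok, missing, appended or mismatch."""
    seen = {k.lower(): v for k, v in json.loads(body)["headers"].items()}
    report = {}
    for name, want in expected.items():
        got = seen.get(name.lower())  # header names are case-insensitive
        if got is None:
            report[name] = "missing"
        elif got == want:
            report[name] = "ok"
        elif want in (part.strip() for part in got.split(",")):
            # Assumption: repeated headers are echoed as one comma-joined value,
            # so a client-supplied copy survived next to the injected one.
            report[name] = "appended"
        else:
            report[name] = "mismatch"
    return report


def verdict(report):
    """Summarise a per-header report into one finding for the test run."""
    states = set(report.values())
    if states == {"ok"}:
        return "injection working"
    if states == {"missing"}:
        return "no injection: traffic not decrypted or service not in chain"
    if "appended" in states:
        return "client-supplied header not replaced"
    return "partial or wrong values: check the iRule header list"


if __name__ == "__main__":
    for label, body in (("injected", INJECTED), ("bypassed", BYPASSED), ("appended", APPENDED)):
        print(label, "->", verdict(check_headers(body, EXPECTED)))
```

The same check applies to the SaaS headers themselves (for example Restrict-Access-To-Tenants) when the expected value is the full string configured in the iRule.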

 

Conclusion

F5 BIG-IP SSL Orchestrator is a great solution for managing SaaS Tenant Isolation.  It gives you granular control over access to external SaaS applications.  Microsoft Office365, Webex, Dropbox, GitHub, and many other SaaS applications are supported.

 

Related Content

Service Extensions with SSL Orchestrator User Coaching of AI Related Content

SSL Orchestrator Service Extensions: DoH Guardian

Office 365 Tenant Restrictions

SSL Orchestrator Advanced Use Cases: Fun with SaaS Tenant Isolation

Introduction to BIG-IP SSL Orchestrator

Integrating Security Solutions with F5 BIG-IP SSL Orchestrator

Updated Nov 11, 2025
Version 2.0