Introduction
In today’s hybrid work environments, enterprises need to ensure that access to business-critical SaaS applications like Salesforce is restricted to secure, managed, and compliant endpoints. This article outlines a zero-trust access strategy using IBM MaaS360 and IBM Security Verify SaaS, in which Salesforce access is allowed only from MaaS360-compliant devices.
By leveraging identity-aware and device-aware access controls, organizations can significantly reduce their attack surface and prevent data leakage from unmanaged or vulnerable devices.
Problem Statement
Organizations face a growing challenge in managing access to SaaS platforms like Salesforce across diverse devices and networks. Even with SSO and MFA, users on unmanaged or non-compliant devices can still gain access, posing a security risk.
This use case addresses the following requirement:
> Salesforce must only be accessible from IBM MaaS360-managed and compliant devices.
Prerequisites
Before you begin, ensure the following are available and configured:
- IBM MaaS360 Enterprise account with Windows MDM policies configured.
- IBM Security Verify SaaS subscription and admin access.
- Salesforce Enterprise Edition with SAML SSO support.
- IBM MaaS360 and IBM Verify integration enabled under Setup > Identity and Access Management.
- MaaS360 Authenticator installed on target devices.
- Devices enrolled and marked as compliant in MaaS360.
- Access to add identity providers and applications in IBM Verify.
- User accounts must be present in both:
  - IBM Security Verify Directory (Cloud Directory or synced provider)
  - Salesforce tenant, with each user's Federation ID equal to the NameID value that Verify sends in the SAML assertion.
Procedure
Step 1: Enable IBM Security Verify Integration in MaaS360
Go to Setup > Identity and Access Management in MaaS360.
Enable IBM Security Verify and Identity and Access for Desktops and Laptops.
Confirm your Verify subscription hostname.
Step 2: Access IBM Security Verify Admin Console
Log in to the Verify admin console and ensure the options to add applications, users, and policies are available.
Confirm that Salesforce appears under Connected Applications.
Step 3: Add MaaS360 as an Identity Provider
Navigate to Authentication > Identity Providers.
Add a provider named 'MaaS360VerifyIDProvider' and ensure it's enabled.
Step 4: Register Salesforce as a SAML Application
Add Salesforce as a SAML application under Applications.
Provide your Salesforce “My Domain” hostname and ACS URL.
Under Sign-On > Access Policies, enforce:
- Only enterprise identity providers.
- Allow access only from compliant devices.
Step 5: Configure Conditional Access in MaaS360
Navigate to Security > Policies > Windows MDM Policy.
Under SSO Conditional Access, enable Single Sign On Conditional Access.
Apply the policy to your enrolled test device.
Step 6: Test Access Based on Device Compliance Status
From a compliant device: log in to Salesforce via MaaS360 + Verify and confirm successful access.
From a non-compliant device: attempt to log in and confirm that access is denied with error CSIAC5137E.
Step 7: Ensure Correct SAML Attribute Mapping for User Authentication
To complete the setup, ensure that user identity attributes are aligned between IBM Security Verify and Salesforce:
- In Salesforce, set each user's 'Federation ID' field to the value that will be passed as the NameID in the SAML assertion.
- In IBM Security Verify, under the Salesforce application's Sign-on tab:
  - Enable 'Send all known user attributes in the SAML assertion'.
  - Set the NameID format to Email or userName so that the NameID value equals the user's Federation ID in Salesforce.
- Example attribute mapping:
  - NameID → Email
  - email → EmailAddress
  - firstName → Given Name
  - lastName → Family Name
Salesforce matches the NameID against the Federation ID exactly (including case), so the identifiers must be identical across both systems; a mismatch in a single character causes the login to fail.
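The endpoint and identifier alignment described in Step 7 (and the metadata mismatches listed under Challenges) can be linted before the first test login. The following Python script is an added example, not tooling from IBM, Salesforce or this guide: it parses a constructed, unsigned SAML Response and reports any mismatch between the Destination and the Salesforce ACS URL, the Audience and the Salesforce Entity ID, the NameID format, the NameID value and the configured Federation IDs, and the attribute names Verify is expected to send. The hostnames, Entity ID, Federation IDs and user records are assumptions. It deliberately does not verify the XML signature, so it is a configuration check, not a validator for live responses.

```python
"""Lint a SAML Response against the Salesforce side of the SSO configuration.

Added example (not IBM or Salesforce code). The ACS URL, Entity ID, Federation
IDs and the sample response are constructed placeholders. The XML signature is
deliberately not verified: this checks ACS URL, Entity ID, NameID format/value
and attribute names only, and must not be used to accept live responses.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed Salesforce-side settings (placeholders, not a real tenant).
SF_CONFIG = {
    "acs_url": "https://acme.my.salesforce.com?so=00D000000000001",
    "entity_id": "https://acme.my.salesforce.com",
    "nameid_format": NAMEID_EMAIL,
}
# Assumed Salesforce users: Federation ID -> username. Salesforce resolves the
# user by comparing the NameID to the Federation ID exactly (case-sensitive).
SF_FEDERATION_IDS = {
    "alice@acme.example": "alice@acme.example.sf",
    "Bob@acme.example": "bob@acme.example.sf",   # note the capital B
}
# Attribute names Verify is configured to send (from the mapping above).
REQUIRED_ATTRS = ("email", "firstName", "lastName")


def build_sample_response(nameid, audience="https://acme.my.salesforce.com"):
    """Constructed, unsigned sample SAML Response used by this example."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="https://acme.my.salesforce.com?so=00D000000000001">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{NAMEID_EMAIL}">{nameid}</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>{nameid}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Pull out the fields Salesforce checks when it receives the assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return {
        "destination": root.get("Destination"),
        "audience": (audience.text or "").strip() if audience is not None else None,
        "nameid": (nameid.text or "").strip() if nameid is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
        "attributes": attrs,
    }


def check_alignment(parsed, sf_config, federation_ids):
    """Return a list of mismatches; an empty list means Salesforce should map the user."""
    problems = []
    if parsed["destination"] != sf_config["acs_url"]:
        problems.append(f"Destination {parsed['destination']!r} does not match ACS URL {sf_config['acs_url']!r}")
    if parsed["audience"] != sf_config["entity_id"]:
        problems.append(f"Audience {parsed['audience']!r} does not match Entity ID {sf_config['entity_id']!r}")
    if parsed["nameid_format"] != sf_config["nameid_format"]:
        problems.append(f"NameID format {parsed['nameid_format']!r} is not the one Salesforce expects")
    nameid = parsed["nameid"]
    if nameid not in federation_ids:
        # Exact match failed; point out a case-only difference, the most common cause.
        near = [f for f in federation_ids if f.lower() == (nameid or "").lower()]
        hint = f" (Federation ID {near[0]!r} differs only by case)" if near else ""
        problems.append(f"NameID {nameid!r} matches no Federation ID{hint}")
    for name in REQUIRED_ATTRS:
        if name not in parsed["attributes"]:
            problems.append(f"attribute {name!r} missing from assertion")
    return problems


if __name__ == "__main__":
    for who in ("alice@acme.example", "bob@acme.example"):
        issues = check_alignment(parse_response(build_sample_response(who)), SF_CONFIG, SF_FEDERATION_IDS)
        print(who, "->", "OK" if not issues else "; ".join(issues))
```

To use this against a real tenant, replace the placeholders in SF_CONFIG and SF_FEDERATION_IDS with the values from Salesforce's Single Sign-On Settings and user records, and feed parse_response the decoded SAMLResponse captured from a browser trace on the compliant test device. A non-empty result from check_alignment explains a login failure before any device-compliance policy is involved, which keeps the Step 6 test focused on the MaaS360 posture decision.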
Challenges
- Device enrollment delays or misconfiguration in MaaS360 may prevent Verify from correctly evaluating compliance.
- SAML metadata mismatches can cause login failures if Salesforce ACS or Entity ID is incorrect.
- If the Salesforce access policy allows identity providers other than the MaaS360 provider (for example, direct Cloud Directory password login), users can authenticate without any device posture evaluation, and the compliance requirement is bypassed.
Benefits
- Ensures Salesforce data is accessible only from trusted and secure endpoints.
- Combines identity-based and device-based access control into a seamless zero-trust model.
- Enhances compliance posture and helps meet regulatory requirements (e.g., GDPR, HIPAA).
- Improves IT visibility and control without compromising user experience via SSO.
Summary
This integration demonstrates how IBM MaaS360 and IBM Security Verify can jointly enforce device-compliant conditional access to SaaS applications. By combining MDM-managed device posture with cloud-based identity verification, enterprises can confidently secure high-value applications like Salesforce.
This approach supports a broader Zero Trust strategy and can be extended to other apps integrated via SAML or OIDC.