Okta SAML Authentication with WatchGuard Access Portal Integration Guide

Deployment Overview

You can configure Single Sign-On to use SAML authentication and enable your users to log in through one portal and get access to multiple services.

This document describes how to set up SAML authentication through the WatchGuard Access Portal with Okta as the Identity Provider.

Integration Summary

Hardware and Service versions:

  • Okta Identity Cloud — Release 2017.49
  • WatchGuard FireboxV :
    • Fireware OS v12.1
    • Feature key with an Access Portal license

Test Topology

This integration uses Okta Identity Cloud services to communicate with a WatchGuard Firebox over a public internet connection.

Configure Your Firebox for Okta

The WatchGuard Access Portal is a subscription service; an active license must be in your Firebox feature key before you can configure it. These steps configure the Firebox side of the integration and collect the Service Provider (SP) values that you type into Okta in the next section.

From Fireware Web UI:

  1. Select Subscription Services > Access Portal.
  2. Select the Enable Access Portal check box.
  3. Click Save.
  4. Select the User Connection Settings tab. Click Configure.
    The SAML tab appears.
  5. To enable SAML, select the Enable SAML check box.
  6. In the Service Provider (SP) Settings section, type the IdP Name and Host Name.
    You add the IdP settings later in this process.
    • IdP Name — Specify the name that identifies this SAML server in other Firebox settings.
    • Host Name — Specify the fully qualified domain name that resolves to the Firebox external interface. The SAML Entity ID and the ACS and SLS URLs are derived from this name, so it must be the name your users reach the portal by.
  7. Click Save.
  8. Go to https://<host name>/auth/saml.
  9. Make sure you have this information from the /auth/saml page:
    • SAML Entity ID in this format: https://<host name>/auth/saml.
    • Assertion Consumer Service (ACS) URL in this format: https://<host name>/auth/saml/acs.
    • Single Logout Service (SLS) URL in this format: https://<host name>/auth/saml/sls.
    • The Firebox SAML certificate. Download it; you upload it to Okta in the next section.

Configure Okta

  1. Sign in to your Okta account.
  2. From the top navigation bar, select Applications.
    The Applications page appears.
  3. Click Add Application.
  4. Click Create New App.
    The Create a New Application Integration dialog box appears. Because this application is specific to your Firebox, you create a new application rather than select one from the Okta catalog.
  5. From the Platform drop-down list, select Web.
  6. For the Sign on method, select SAML 2.0.
  7. Click Create.
    The General Settings dialog box appears.
  8. In the App name text box, type a descriptive name for the application.
  9. (Optional) Upload an App logo.
  10. In the App visibility section, select options to specify whether the application icon is visible to users or in the mobile app.
  11. Click Next.

SAML Settings

  1. On the SAML Settings page, in the General section, configure these settings:
    • Single sign on URL: Type the URL in this format: https://<host name>/auth/saml/acs. The WatchGuard label for this value is the Assertion Consumer Service (ACS) URL.
    • Audience URI (SP Entity ID): Type the URI in this format: https://<host name>/auth/saml. The WatchGuard label for this value is the SAML Entity ID.
    • Default RelayState: Leave blank.
    • Name ID format: Select x509SubjectName.
    • Application username: Select Email.
  2. Click Show Advanced Settings and specify these settings:
    • Response: Select Signed.
    • Assertion Signature: Select Signed.
    • Signature Algorithm: Select SHA256.
    • Assertion Encryption: Select Encrypted.
    • Encryption Algorithm: Select AES256-CBC.
    • Encryption Certificate: Click Browse and select the certificate you downloaded from the Firebox /auth/saml page in the previous section. Okta encrypts the assertion to this certificate, so only the Firebox can decrypt it.
    • Enable Single Logout: Select the Allow application to initiate Single Logout check box. In the fields that appear, type the Single Logout Service (SLS) URL (https://<host name>/auth/saml/sls) as the Single Logout URL, type the SAML Entity ID as the SP Issuer, and upload the same Firebox certificate as the Signature Certificate.
    • Authentication context class: Select PasswordProtectedTransport.
    • Honor Force Authentication: Select Yes.
    • SAML issuer ID: Keep the default setting.
    With the response and assertion both signed with SHA256 and the assertion encrypted, the user's browser relays the SAML response but cannot read the assertion or alter the response without detection.
  3. At the right side of the SAML Settings dialog box, click Download Okta Certificate.
  4. Save the certificate. Click Next.
    In this procedure the Firebox obtains the Okta signing certificate from the IdP metadata URL, so keep this file for reference.
  5. In the Are you a customer or partner? section, select an option:
    • I'm an Okta customer adding an internal app — Most deployments are in this category.
    • I'm a software vendor. I'd like to integrate my app with Okta — Select this option if your company is deploying a service for general public use.
  6. Click Finish.

Next, configure the Sign On settings for the app you added in the previous section.

  1. Select the Sign On tab.
    A message states that SAML 2.0 is not configured. This is expected until the Firebox side of the setup is complete.
  2. Below the View Setup Instructions button, copy the Identity Provider metadata link.
    The link is in this format: https://<okta account name>.okta.com/app/<random value>/sso/saml/metadata.

Complete the WatchGuard SAML Setup

From Fireware Web UI:

  1. Select Subscription Services > Access Portal.
  2. Select the User Connection Settings tab.
  3. Click Configure.
  4. Select the SAML tab.
  5. In the Identity Provider (IdP) Settings section, in the IdP Metadata URL text box, type the IdP Metadata URL from the Okta setup.
  6. Click Save.
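Before you save, it is worth checking what the IdP Metadata URL actually returns, because the Firebox takes Okta's sign-on endpoint and signing certificate from that document. The script below is an added example and is not part of this guide or of any WatchGuard or Okta tooling. It parses an IdP metadata document with the Python standard library, extracts the entity ID, the HTTP-POST sign-on endpoint, the single logout endpoint and the SHA-256 fingerprint of the signing certificate, and lists the SP values from the Firebox /auth/saml page next to the Okta field each one belongs in. The metadata document, the example.okta.com host, the app path, the exkCONSTRUCTEDID app ID, the portal.example.com host name and the placeholder certificate bytes are all constructed for the example; the script confirms that a signing certificate is present but does not validate the certificate itself.

```python
"""Offline checks for the Okta IdP metadata that the Firebox fetches.
Added example, not WatchGuard or Okta code; standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder for the DER bytes of Okta's signing certificate.
PLACEHOLDER_DER = b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE"

# Constructed sample shaped like Okta IdP metadata; host, app path and app
# ID are made up. Okta's entityID is an http:// identifier by design.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkCONSTRUCTEDID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://example.okta.com/app/example_firebox_1/exkCONSTRUCTEDID/sso/saml"/>
    <md:SingleLogoutService Binding="{POST}"
        Location="https://example.okta.com/app/example_firebox_1/exkCONSTRUCTEDID/slo/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def sp_urls(host_name):
    """Values from the Firebox /auth/saml page, keyed by the Okta field."""
    base = f"https://{host_name}/auth/saml"
    return {
        "Audience URI (SP Entity ID)": base,
        "Single sign on URL": base + "/acs",
        "Single Logout URL": base + "/sls",
    }


def parse_idp_metadata(xml_text):
    """Extract the IdP fields the Firebox relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def endpoint(tag, binding):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            signing.append(fingerprint(der))

    return {
        "entity_id": root.get("entityID"),
        "sso_post": endpoint("SingleSignOnService", POST),
        "slo": endpoint("SingleLogoutService", POST),
        "signing_cert_sha256": signing,
    }


def check_integration(metadata_url, idp_metadata_xml):
    """Return findings to fix before testing; an empty list means OK."""
    findings = []
    if not metadata_url.startswith("https://"):
        findings.append("IdP Metadata URL is not HTTPS; signing cert fetched unauthenticated")
    idp = parse_idp_metadata(idp_metadata_xml)
    if not idp["signing_cert_sha256"]:
        findings.append("no signing certificate in metadata; signed SAML cannot be verified")
    if not (idp["sso_post"] or "").startswith("https://"):
        findings.append("no HTTPS SingleSignOnService with HTTP-POST binding")
    if idp["slo"] is None:
        findings.append("no SingleLogoutService; Enable Single Logout is off in the Okta app")
    return findings


if __name__ == "__main__":
    url = "https://example.okta.com/app/exkCONSTRUCTEDID/sso/saml/metadata"  # constructed
    print(sp_urls("portal.example.com"))
    print(parse_idp_metadata(SAMPLE_METADATA))
    print(check_integration(url, SAMPLE_METADATA) or "no findings")
```

To check a real deployment, replace SAMPLE_METADATA with the body returned by your IdP Metadata URL and compare the reported signing fingerprint with the certificate you downloaded from Okta. The URL scheme check matters because the Firebox trusts whatever signing certificate that document contains; fetching it over plain HTTP would let anyone on the path substitute their own.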

Test the Integration

If you do not already have a user account or a group set up, follow these steps to create a test user and group.

Okta User and Group

  1. Log in as the Okta Administrator.
  2. From the top navigation bar, select Directory > Groups.
  3. Click Add Group.
  4. Specify a name and a description for this group. Click Save.
  5. From the top navigation bar, select Directory > People.
  6. Click Add Person.
    The Add Person dialog box appears.
  7. Type the First name, Last name, Username (this is an email ID), and Primary email. Secondary email and Groups are optional.

    This user name must exactly match your Access Portal user name. This is case-sensitive.

  8. Click Save.

Add the Group to the Firebox

From Fireware Web UI:

  1. Select Authentication > Users and Groups. Click Add.
    The Add User or Group dialog box appears.
  2. Type the Name and Description for this group.
  3. From the Authentication Server drop-down list, select the SAML authentication server.
  4. Click OK.
    The Users and Groups page appears.
  5. Click Save.
  6. Select Subscription Services > Access Portal.
    The Access Portal page appears with the Applications tab selected.
  7. Click Add and select Host Desktop Access (RDP).
    The RDP Host page appears.
  8. On the Access Portal page, select the User Connection Settings tab.
  9. Select Specify the applications available to each user and group. Click Add.
    The Add User or Group page appears.
  10. From the Authentication Server drop-down list, select the name of the SAML configuration.
  11. From the Type drop-down list, select Group.
  12. In the Name text box, type the name you specified for the group in the previous section.
  13. Click OK.
  14. Click Save.

After you complete these configuration steps, your users can sign in either at Okta Identity Cloud or directly at the Access Portal, which is now configured for Okta SAML Single Sign-On.

  1. Type the URL for the portal in this format: https://<host name>.
    The Log In page appears with the name of the SAML portal you configured at the top of the page.
  2. To log in, click the name of the SAML portal.
    In this example, click MY_OKTA_NAME.
    The user is redirected to Okta to authenticate and, on return to the portal, can access the resource.