Okta SAML Authentication with WatchGuard Access Portal Integration Guide

Deployment Overview

You can configure Single Sign-On to use SAML authentication and enable your users to log in through one portal and get access to multiple services.

This document describes how to set up SAML authentication through the WatchGuard Access Portal with Okta as the Identity Provider.

Integration Summary

Hardware and Service versions:

  • Okta
  • WatchGuard Firebox M400:
    • Fireware OS v12.7.2
    • Feature key with an Access Portal license

Test Topology

This integration uses Okta Identity Cloud services to communicate with a WatchGuard Firebox over a public Internet connection. The SAML messages travel through the user's browser: the Firebox redirects the browser to Okta, and Okta posts the signed response back to the Firebox Assertion Consumer Service URL. The Firebox external interface must therefore be reachable at the host name you configure, and the Firebox must be able to retrieve the Okta metadata URL.

Configure Your Firebox for Okta

The WatchGuard Access Portal is a subscription service. Before you can configure Access Portal on your Firebox, you must have an active Total Security Suite license in your Firebox feature key.

To configure the Access Portal settings on your Firebox for Okta:

  1. Log in to Fireware Web UI.
  2. Select Subscription Services > Access Portal.
  3. Select the Enable Access Portal check box.

Screenshot of Firebox, picture1

  4. Select the SAML tab.
    The SAML tab appears.
  5. Select the Enable SAML check box.
  6. In the Service Provider (SP) Settings section, type the IdP Name and Host Name.
    You add the IdP settings later in this process.
    • IdP Name — Specify a name for the SAML authentication server. The name appears in other Firebox settings as the server name, and on the Access Portal login page as the SAML login option.
    • Host Name — Specify the fully qualified domain name that resolves to the Firebox external interface. The Firebox builds the SAML Entity ID and ACS URL from this name, so the values you later type in Okta must use exactly the same host name.

Screenshot of Firebox, picture2

  7. Click Save.
  8. Go to https://<host name>/auth/saml.
  9. Make sure you have this information from the /auth/saml page:
    • SAML Entity ID in this format: https://<host name>/auth/saml
    • Assertion Consumer Service (ACS) URL in this format: https://<host name>/auth/saml/acs
    • Single Logout Service (SLS) URL in this format: https://<host name>/auth/saml/sls
  10. Download the certificate. This is the SAML certificate of the Firebox. You upload it to Okta later as the Encryption Certificate, so that Okta encrypts each assertion for this Firebox and only the Firebox, which holds the matching private key, can read it.

Screenshot of Firebox, picture3

Configure Okta

Add an Okta Group and User

  1. Log in to the Okta Admin Console.
  2. Select Directory > Groups > Add Group.
  3. In the Name text box, type a group name.

Screenshot of Okta, picture1

  4. Click Add Group.
  5. To add a user in Okta, select Directory > People > Add Person.
    You can add your own user information.

Screenshot of Okta, picture2

  6. Click Save.

You can import users and groups from Active Directory to Okta. For more information, see the Okta documentation.

Configure SAML 2.0 Application

  1. Select Applications > Applications.
  2. Click Create App Integration.
    The Create New App Integration page opens.

Screenshot of Okta, picture3

  3. On the Create New App Integration page, select SAML 2.0. Click Next.

Screenshot of Okta, picture4

  4. In the App Name text box, type a name.
  5. (Optional) To upload a logo, use App Logo. Click the Upload icon, then select an image to upload.

Screenshot of Okta, picture5

  6. Click Next.
  7. On the SAML Settings page, in the General section, configure these settings:

Single Sign On URL

Type the URL in this format: https://<host name>/auth/saml/acs

The WatchGuard label is the Assertion Consumer Service (ACS) URL.

Audience URI (SP Entity ID)

Type the URI in this format: https://<host name>/auth/saml

The WatchGuard label is the SAML Entity ID.

Leave the Default RelayState blank.

Name ID Format

Select Unspecified.

Application Username

Select Email.

Screenshot of Okta, picture6

  8. Click Show Advanced Settings, and specify these settings:

Response

Select Signed.

Assertion Signature

Select Signed.

Signature Algorithm

Select RSA-SHA256.

Digest Algorithm

Select SHA256.

Assertion Encryption

Select Encrypted.

Encryption Algorithm

Select AES256-CBC.

Key Transport Algorithm

Select RSA-OAEP.

Encryption Certificate

Click Browse Files and select the certificate you downloaded from the Firebox /auth/saml page in the previous section. Okta encrypts each assertion to this certificate, so only the Firebox that holds the matching private key can decrypt it.

Screenshot of Okta, picture7

  9. Keep the default value for the other settings.
  10. In the Group Attribute Statements (optional) section, in the Name text box, type memberOf. This example uses group authentication. If you want to use user authentication instead, skip the three Group Attribute Statements steps (this step and the next two).
  11. From the Filter drop-down list, select Equals.
  12. In the adjacent text box, type the Okta group name you created. Okta then includes a memberOf attribute with this value in the assertion, and the Firebox matches it against the group name you add on the Firebox later in this guide.

Screenshot of Okta, picture8

  13. Click Next.
  14. In the Are you a customer or partner? section, select an option:
    • I'm an Okta customer adding an internal app — Most deployments are in this category.
    • I'm a software vendor. I'd like to integrate my app with Okta — Select this option if your company is deploying a service for general public use.

Screenshot of Okta, picture9

  15. Click Finish.
  16. Select the Sign On tab.
  17. Below the View Setup Instructions button, copy the Identity Provider Metadata link.
    The link is in this format: https://<okta account name>.okta.com/app/<random value>/sso/saml/metadata

Screenshot of Okta, picture10

  18. Select the Assignments tab.
  19. Select Assign > Assign to Groups.
    If you select Assign to People instead, each user must also be a member of the group you specified in the Group Attribute Statements section; otherwise the assertion does not carry that memberOf value and the Firebox cannot match the user to the group.
  20. Select the group and click Assign.
  21. Click Done.

Screenshot of Okta, picture11
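Before you paste the metadata URL into the Firebox, it is worth confirming that the two URLs typed into Okta match the Firebox values character for character, and that the metadata Okta publishes contains what the Firebox needs (an entity ID, a Single Sign-On endpoint and a signing certificate). The following Python script is an added example written for this page; it is not WatchGuard or Okta code. It assumes a Firebox host name of portal.example.com and uses a constructed, shortened IdP metadata document with placeholder values (okta-account-name, APPID-PLACEHOLDER and a dummy certificate) in place of a real Okta tenant.

```python
"""Cross-check the SAML values shared between the Firebox Access Portal (SP) and
Okta (IdP): derive the SP values from the Firebox host name, compare them with
the URLs typed into the Okta app, and inspect the IdP metadata the Firebox will
fetch from the Okta metadata URL. Standard library only."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sp_settings(host_name):
    """The values the Firebox shows at https://<host name>/auth/saml."""
    base = f"https://{host_name}/auth/saml"
    return {"entity_id": base, "acs_url": base + "/acs", "sls_url": base + "/sls"}


def okta_app_mismatches(host_name, single_sign_on_url, audience_uri):
    """Compare the two URLs typed into Okta's SAML Settings with the Firebox values.
    The match must be exact: a trailing slash, http instead of https or a different
    host name makes Okta reject the request or the Firebox reject the response."""
    sp = sp_settings(host_name)
    problems = []
    if single_sign_on_url != sp["acs_url"]:
        problems.append(f"Single Sign On URL {single_sign_on_url!r} != ACS URL {sp['acs_url']!r}")
    if audience_uri != sp["entity_id"]:
        problems.append(f"Audience URI {audience_uri!r} != SAML Entity ID {sp['entity_id']!r}")
    return problems


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints by binding, NameID formats and signing certs (DER)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            if not der.startswith(b"\x30"):  # DER SEQUENCE tag: cheap sanity check
                raise ValueError("X509Certificate is not DER")
            certs.append(der)
    return {"entity_id": root.get("entityID"),
            "sso": {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)},
            "nameid_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
            "signing_certs": certs}


def check_idp_metadata(meta, metadata_url):
    """Findings to resolve before pasting metadata_url into the Firebox IdP settings."""
    problems = []
    if not meta["signing_certs"]:
        problems.append("no signing certificate: the Firebox cannot validate Okta signatures")
    if not (meta["sso"].keys() & {HTTP_POST, HTTP_REDIRECT}):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    tenant = urlparse(metadata_url).hostname
    for binding, location in meta["sso"].items():
        url = urlparse(location)
        if url.scheme != "https":
            problems.append(f"{binding} endpoint is not https: {location}")
        if url.hostname != tenant:
            problems.append(f"{binding} endpoint host {url.hostname} is not the metadata host {tenant}")
    return problems


# Constructed sample in the shape Okta publishes; tenant, app ID and certificate are
# placeholders (the certificate is a 5-byte DER stub, not a real X.509 certificate).
SAMPLE_METADATA_URL = "https://okta-account-name.okta.com/app/APPID-PLACEHOLDER/sso/saml/metadata"
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
 entityID="http://www.okta.com/APPID-PLACEHOLDER">
 <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MAMCAQA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:SingleSignOnService Binding="{HTTP_POST}"
   Location="https://okta-account-name.okta.com/app/APPID-PLACEHOLDER/sso/saml"/>
  <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
   Location="https://okta-account-name.okta.com/app/APPID-PLACEHOLDER/sso/saml"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

if __name__ == "__main__":
    print(okta_app_mismatches("portal.example.com", "https://portal.example.com/auth/saml/acs/",
                              "https://portal.example.com/auth/saml"))
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(meta["entity_id"], meta["sso"][HTTP_POST], check_idp_metadata(meta, SAMPLE_METADATA_URL))
```

To run it against your own tenant, download the XML from the Identity Provider Metadata link and pass its text to parse_idp_metadata(). Any string returned by okta_app_mismatches() or check_idp_metadata() is something to fix before the Firebox login will work; the most common finding in practice is a trailing slash or an http:// scheme typed into the Okta Single Sign On URL or Audience URI.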

Complete the WatchGuard SAML Setup

From Fireware Web UI:

  1. Select Subscription Services > Access Portal.
  2. Select the SAML tab.
  3. In the Identity Provider (IdP) Settings section, in the IdP Metadata URL text box, type or paste the IdP Metadata URL you copied from Okta in the previous section. The metadata at this URL gives the Firebox the Okta entity ID, Single Sign-On URL, and signing certificate it uses to validate responses, so the Firebox must be able to reach this URL.

Screenshot of Firebox, picture4

  4. Click Save.
  5. Select Authentication > Users and Groups.
  6. Click Add.
    The Add User or Group page opens. You can add a user or a group. The example on this page adds a group. If you add a user, the user name must match the Okta application username, which with the Application Username setting in this guide is the user's email address.
  7. For Type, select Group.
  8. In the Name text box, type a name for the group. The group name must be the same as the Okta group name you specified in the memberOf Group Attribute Statement.
  9. From the Authentication Server drop-down list, select the SAML authentication server. It appears under the IdP Name you configured in the Access Portal SAML settings.

Screenshot of Firebox, picture5

  10. Click OK.
  11. Click Save.
  12. To add an application to the Access Portal, select Subscription Services > Access Portal.
  13. In the Applications section, click Add. In this example, select Web Application.
  14. In the Name text box, type a descriptive name.
  15. In the URL text box, type the URL of the application.
  16. Click OK.
  17. Click Save.
  18. Select the User Connection Settings tab.
  19. (Optional) To give all users and groups permission to connect to all applications, in the User Access section, select All applications are available to all users and groups authenticated with the Access Portal. This grants every user who authenticates through Okta access to every application; for least privilege, use the per-group option in the next step instead.
  20. To specify which users and groups can access which applications, select Specify the applications available to each user and group.
  21. Click Add.
  22. From the Authentication Server drop-down list, select the SAML authentication server (the IdP Name you configured).
  23. From the Type drop-down list, select Group.
  24. In the Name text box, type the group name. The group name must be the same as the Okta group name you specified in the memberOf Group Attribute Statement.
  25. Select the applications that are available to this group.

Screenshot of Firebox, picture6

  26. Click OK.
  27. Click Save.

Test the Integration

After you complete these configuration steps, users in the group you assigned to the Okta application can log in to the Access Portal with their Okta credentials and open the applications you made available to that group.

  1. In a browser, type the URL for the portal in this format: https://<host name>.
    The login page opens and shows the name of the SAML portal you configured previously.

Screenshot of Web authentication

  2. To log in, click the name of the SAML portal. In this example, click My_Okta.
  3. Complete the authentication process in Okta.
    After successful authentication, the user can get access to the resource.
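A quick way to confirm that the Okta advanced settings took effect is to capture the SAMLResponse form field that the browser posts to https://<host name>/auth/saml/acs during the test login (browser developer tools, Network tab) and inspect the decoded XML. The following Python script is an added example written for this page, not WatchGuard or Okta code. It checks the declared algorithms, Destination, Issuer and status against the settings chosen in this guide; it does not verify the signature or decrypt the assertion. The two sample responses are constructed for the example, with placeholder signature and cipher values, the assumed host name portal.example.com, and a placeholder Okta entity ID.

```python
"""Audit a decoded SAMLResponse against the Okta Advanced Settings in this guide
(signed response, RSA-SHA256, SHA256 digest, AES256-CBC assertion encryption,
RSA-OAEP key transport). Structural check only: no signature verification."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = NS["xenc"] + "sha256"
AES256_CBC = NS["xenc"] + "aes256-cbc"
RSA_OAEP = {NS["xenc"] + "rsa-oaep-mgf1p", "http://www.w3.org/2009/xmlenc11#rsa-oaep"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def decode_saml_response(form_value):
    """The SAMLResponse form field posted to the ACS URL is base64 of the XML."""
    return base64.b64decode(form_value).decode("utf-8")


def _alg(parent, path):
    """Algorithm attribute of the element at path, or None when it is absent."""
    el = parent.find(path, NS)
    return el.get("Algorithm") if el is not None else None


def audit_response(xml_text, acs_url, idp_entity_id):
    """Return a list of findings; empty means the response matches the guide."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element {root.tag} is not samlp:Response"]
    findings = []
    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL {acs_url!r}")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        findings.append(f"Issuer {issuer!r} is not the Okta entityID {idp_entity_id!r}")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("StatusCode is not Success")
    sig = root.find("ds:Signature", NS)  # direct child of Response: the Response signature
    if sig is None:
        findings.append("Response is not signed ('Response' must be Signed in Okta)")
    else:
        if (alg := _alg(sig, "ds:SignedInfo/ds:SignatureMethod")) != RSA_SHA256:
            findings.append(f"SignatureMethod {alg} is not RSA-SHA256")
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            if (alg := _alg(ref, "ds:DigestMethod")) != SHA256:
                findings.append(f"DigestMethod {alg} is not SHA256")
    if root.find("saml:Assertion", NS) is not None:
        findings.append("Assertion is in cleartext ('Assertion Encryption' should be Encrypted)")
    data = root.find("saml:EncryptedAssertion/xenc:EncryptedData", NS)
    if data is None:
        findings.append("no EncryptedAssertion in the response")
    else:
        if (alg := _alg(data, "xenc:EncryptionMethod")) != AES256_CBC:
            findings.append(f"EncryptionMethod {alg} is not AES256-CBC")
        if (alg := _alg(data, "ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod")) not in RSA_OAEP:
            findings.append(f"key transport {alg} is not RSA-OAEP")
    # 'Assertion Signature' sits inside the encrypted blob and can only be checked
    # after decryption with the Firebox private key, which this script does not hold.
    return findings


ACS_URL = "https://portal.example.com/auth/saml/acs"      # assumed Firebox host name
IDP_ENTITY_ID = "http://www.okta.com/APPID-PLACEHOLDER"   # placeholder, not a real tenant
# Constructed sample with the guide's settings; signature and cipher values are placeholders.
SAMPLE_GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
 xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}" ID="id-constructed" Version="2.0"
 IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
  <ds:Reference URI="#id-constructed"><ds:DigestMethod Algorithm="{SHA256}"/>
  <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:EncryptedAssertion><xenc:EncryptedData Type="{NS['xenc']}Element">
  <xenc:EncryptionMethod Algorithm="{AES256_CBC}"/>
  <ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{NS['xenc']}rsa-oaep-mgf1p"/>
  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion></samlp:Response>"""
SAMPLE_GOOD_RESPONSE_B64 = base64.b64encode(SAMPLE_GOOD_RESPONSE.encode()).decode()
# The same response as a misconfigured IdP would send it: SHA-1 signing, 3DES encryption.
SAMPLE_WEAK_RESPONSE = (SAMPLE_GOOD_RESPONSE
                        .replace(RSA_SHA256, "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
                        .replace(SHA256, "http://www.w3.org/2000/09/xmldsig#sha1")
                        .replace(AES256_CBC, NS["xenc"] + "tripledes-cbc"))

if __name__ == "__main__":
    for name, xml in (("good", SAMPLE_GOOD_RESPONSE), ("weak", SAMPLE_WEAK_RESPONSE)):
        print(name, audit_response(xml, ACS_URL, IDP_ENTITY_ID) or "matches the guide")
```

Feed the captured form value through decode_saml_response() and pass the result to audit_response() together with your own ACS URL and the entityID from the Okta metadata. A Destination finding usually means the Okta Single Sign On URL and the Firebox Host Name differ; algorithm findings mean the Advanced Settings were not saved as described above.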