Okta SAML Authentication with WatchGuard Access Portal Integration Guide
Deployment Overview
You can configure Single Sign-On to use SAML authentication and enable your users to log in through one portal and get access to multiple services.
This document describes how to set up SAML authentication through the WatchGuard Access Portal with Okta as the Identity Provider.
Integration Summary
Hardware and Service versions:
- Okta
- WatchGuard Firebox M400:
- Fireware OS v12.7.2
- Feature key with an Access Portal license
Test Topology
This integration uses Okta Identity Cloud services to communicate with a WatchGuard Firebox over a public Internet connection.
Configure Your Firebox for Okta
The WatchGuard Access Portal is a subscription service. Before you can configure Access Portal on your Firebox, you must have an active Total Security Suite license in your Firebox feature key.
To configure the Access Portal settings on your Firebox for Okta:
- Log in to Fireware Web UI.
- Select Subscription Services > Access Portal.
- Select the Enable Access Portal check box.
- Select the SAML tab.
The SAML tab appears.
- Select the Enable SAML check box.
- In the Service Provider (SP) Settings section, type the IdP Name and Host Name. You add the IdP settings later in this process.
- IdP Name — Specify a name for this SAML authentication. It appears in other Firebox settings as the authentication server name.
- Host Name — Specify the fully qualified domain name that resolves to the Firebox external interface. The Firebox derives the SAML Entity ID, ACS URL and SLS URL from this value, and the values you later enter in Okta must match them exactly.
- Click Save.
- Go to https://<host name>/auth/saml.
- Make sure you have this information from the /auth/saml page:
- SAML Entity ID in this format: https://<host name>/auth/saml
- Assertion Consumer Service (ACS) URL in this format: https://<host name>/auth/saml/acs
- Single Logout Service (SLS) URL in this format: https://<host name>/auth/saml/sls
- Download the certificate. You upload it to Okta in a later step so that Okta can encrypt assertions for the Firebox.
Configure Okta
Add an Okta Group and User
- Log in to the Okta Admin Console.
- Select Directory > Groups > Add Group.
- In the Name text box, type a group name.
- Click Add Group.
- To add a user in Okta, select Directory > People > Add Person.
You can add your own user information.
- Click Save.
You can import users and groups from Active Directory to Okta. For more information, see the Okta documentation.
Configure SAML 2.0 Application
- Select Applications > Applications.
- Click Create App Integration.
The Create a new app integration page opens.
- Select SAML 2.0. Click Next.
- In the App Name text box, type a name.
- (Optional) To upload a logo, use App Logo. Click the Upload icon, then select an image to upload.
- Click Next.
- On the SAML Settings page, in the General section, configure these settings:
Single Sign On URL
Type the URL in this format: https://<host name>/auth/saml/acs
The WatchGuard label is the Assertion Consumer Service (ACS) URL.
Audience URI (SP Entity ID)
Type the URI in this format: https://<host name>/auth/saml
The WatchGuard label is the SAML Entity ID.
Leave the Default RelayState blank.
Name ID Format
Select Unspecified.
Application Username
Select Email.
- Click Show Advanced Settings, and specify these settings:
Response
Select Signed.
Assertion Signature
Select Signed.
Signature Algorithm
Select RSA-SHA256.
Digest Algorithm
Select SHA256.
Assertion Encryption
Select Encrypted.
Encryption Algorithm
Select AES256-CBC.
Key Transport Algorithm
Select RSA-OAEP.
Encryption Certificate
Click Browse Files and select the certificate you downloaded from the WatchGuard SAML 2.0 Configuration for WatchGuard Access Portal in the previous section.
- Keep the default values for the other settings. With these settings Okta signs both the SAML response and the assertion with its own key and encrypts the assertion to the Firebox certificate, so the Firebox can verify that the assertion came from Okta and the user's browser, which relays the response, cannot read the attributes it carries.
- In the Group Attribute Statements (optional) section, in the Name text box, type memberOf. This example uses group authentication. If you want to use user authentication, skip this step and the next two (the Filter and group name settings).
- From the Filter drop-down list, select Equals.
- In the adjacent text box, type the Okta group name you created.
- Click Next.
- In the Are you a customer or partner? section, select an option:
- I'm an Okta customer adding an internal app — Most deployments are in this category.
- I'm a software vendor. I'd like to integrate my app with Okta — Select this option if your company is deploying a service for general public use.
- Click Finish.
- Select the Sign On tab.
- Below the View Setup Instructions button, copy the Identity Provider Metadata link.
The link is in this format: https://<okta account name>.okta.com/app/<random value>/sso/saml/metadata
- Select the Assignments tab.
- Select Assign > Assign to Groups.
If you select Assign to People, the user must belong to the group you configured in the Group Attribute Statements section.
- Select the group and click Assign.
- Click Done.
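The Identity Provider Metadata link you copied above is what the Firebox fetches to learn the Okta entity ID, the Single Sign-On endpoint and the certificate Okta signs with. The following script is an added example, not WatchGuard or Okta code: it parses a metadata document of that shape and reports those values, rejects endpoints that are not served over HTTPS, and prints a SHA-256 fingerprint of each signing certificate so you can confirm which certificate the Firebox will trust, for instance after a key rotation in Okta. The metadata embedded below is a constructed sample with placeholder host names, app identifiers and certificate bytes; `fetch_idp_metadata` is a convenience wrapper for running the same check against a real metadata URL.

```python
"""Inspect an Okta SAML IdP metadata document before pointing a Firebox at it.

Added example, not WatchGuard or Okta code. The metadata below is a constructed
sample; the certificate bytes are a placeholder, not a real X.509 certificate.
"""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the document Okta serves at
# https://<okta account name>.okta.com/app/<random value>/sso/saml/metadata.
# Host name, app id and certificate are placeholders.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exampleapp/exkEXAMPLEID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exampleapp/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the IdP settings a SAML service provider needs from metadata.

    Raises ValueError when a required element is missing or the SSO endpoint
    is not served over HTTPS; the Firebox would otherwise surface such a
    problem only as a failed login.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if not entity_id or idp is None:
        raise ValueError("entityID or IDPSSODescriptor missing")

    sso_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            sso_url = sso.get("Location")
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError("no HTTPS HTTP-POST SingleSignOnService endpoint")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate in metadata")

    fmt = idp.find("md:NameIDFormat", NS)
    return {
        "entity_id": entity_id,
        "sso_post_url": sso_url,
        "name_id_format": fmt.text.strip() if fmt is not None and fmt.text else None,
        "signing_cert_sha256": fingerprints,
    }


def fetch_idp_metadata(url: str, timeout: int = 10) -> dict:
    """Download metadata over HTTPS only and parse it (network call; not used by the sample)."""
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch IdP metadata over plaintext HTTP")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_idp_metadata(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the real link with `fetch_idp_metadata("https://<okta account name>.okta.com/app/<random value>/sso/saml/metadata")` and keep the printed fingerprint with your change records; if Okta later rotates the app's signing certificate, the Firebox must re-read the metadata before logins succeed again.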
Complete the WatchGuard SAML Setup
From Fireware Web UI:
- Select Subscription Services > Access Portal.
- Select the SAML tab.
- In the Identity Provider (IdP) Settings section, in the IdP Metadata URL text box, type or paste the IdP Metadata URL you copied from Okta in the previous section.
- Click Save.
- Select Authentication > Users and Groups.
- Click Add.
The Add User or Group page opens. You can add a user or a group. The example on this page adds a group. If you add a user, the name of the user must match the name of the Okta user.
- For Type, select Group.
- In the Name text box, type a name for the group. The group name must exactly match the memberOf value that Okta sends, which is the Okta group name you specified in the Group Attribute Statements filter.
- From the Authentication Server drop-down list, select the SAML authentication server. It appears under the IdP Name you specified in the Access Portal SAML settings.
- Click OK.
- Click Save.
- To add an application to the Access Portal, select Subscription Services > Access Portal.
- In the Applications section, click Add. In this example, select the Web Application.
- In the Name text box, type a descriptive name.
- In the URL text box, type the URL address.
- Click OK.
- Click Save.
- Select the User Connection Settings tab.
- (Optional) To give all users and groups permission to connect to all applications, in the User Access section, select All applications are available to all users and groups authenticated with the Access Portal.
- To specify which users and groups can access which applications, select Specify the applications available to each user and group.
- Click Add.
- From the Authentication Server drop-down list, select the authentication server.
- From the Type drop-down list, select Group.
- In the Name text box, type the group name. The group name must exactly match the memberOf value that Okta sends, which is the Okta group name you specified in the Group Attribute Statements filter.
- Select the applications that are available to this group.
- Click OK.
- Click Save.
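The Firebox grants access on the strength of three things in the assertion Okta returns: the audience must be the SP entity ID built from the Host Name, the recipient must be the ACS URL, and a memberOf value must match a Firebox group name exactly. The script below is an added example, not WatchGuard or Okta code, that derives the SP endpoints from a host name the way the /auth/saml page lists them and then runs those checks over an assertion, including the validity window. The assertion is a constructed sample in the form the service provider works with after it has verified the signature and decrypted the assertion; the host name `portal.example.com`, the user and the group names are placeholders, and `SAMPLE_NOW` is a fixed clock so the sample is reproducible.

```python
"""Check what a Firebox relies on in a decoded Okta SAML assertion.

Added example, not WatchGuard or Okta code. The assertion, host name, user,
groups and clock below are constructed placeholders.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def sp_endpoints(host_name: str) -> dict:
    """Entity ID, ACS and SLS URLs as the Firebox publishes them for a host name."""
    base = f"https://{host_name}/auth/saml"
    return {"entity_id": base, "acs": f"{base}/acs", "sls": f"{base}/sls"}


# Constructed sample: the decrypted assertion as the SP sees it after signature
# verification. Okta sends it inside an EncryptedAssertion when Assertion
# Encryption is set to Encrypted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkEXAMPLEID</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://portal.example.com/auth/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.com/auth/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, host_name: str, firebox_groups: list, now: datetime) -> dict:
    """Return the user, the memberOf values, the Firebox groups they map to, and any problems."""
    sp = sp_endpoints(host_name)
    a = ET.fromstring(xml_text)
    problems = []

    # Audience must be our own entity ID, or an assertion minted for another SP would be accepted.
    audiences = [e.text.strip() for e in a.findall(".//saml:Audience", NS) if e.text]
    if sp["entity_id"] not in audiences:
        problems.append(f"audience {audiences} does not include SP entity ID {sp['entity_id']}")

    # Recipient must be our ACS URL, the value entered as Single Sign On URL in Okta.
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != sp["acs"]:
        problems.append("Recipient does not match the ACS URL")

    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
            problems.append("assertion is outside its validity window")

    member_of = [v.text.strip() for v in a.findall(
        ".//saml:Attribute[@Name='memberOf']/saml:AttributeValue", NS) if v.text]
    # Exact, case-sensitive comparison: a Firebox group 'sales' does not match 'Sales'.
    mapped = [g for g in firebox_groups if g in member_of]
    if not mapped:
        problems.append(f"no memberOf value {member_of} matches a Firebox group {firebox_groups}")

    user = (a.findtext(".//saml:NameID", default="", namespaces=NS) or "").strip()
    return {"user": user, "member_of": member_of, "mapped_groups": mapped, "problems": problems}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "portal.example.com", ["Sales", "Engineering"], SAMPLE_NOW))
    print(check_assertion(SAMPLE_ASSERTION, "portal.example.com", ["sales"], SAMPLE_NOW))
```

The second call in the `__main__` block shows the most common reason a user authenticates at Okta and still gets no applications: the Firebox group was typed as `sales` while Okta sends `Sales`, so no group maps and the user is denied even though the assertion is otherwise valid.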
Test the Integration
After you have completed these configuration steps, users in the group you added can sign in to either the Okta account or to a resource configured with Okta SAML Single Sign-On.
- Type the URL for the portal in this format: https://<host name>.
The login page opens with the name of the SAML portal you configured previously.
- To log in, click the name of the SAML portal. In this example, click My_Okta.
- Complete the authentication process in Okta.
After successful authentication, the user can get access to the resource.