Okta SAML Authentication with WatchGuard Access Portal Integration Guide

This document describes how to set up SAML authentication through the WatchGuard Access Portal with Okta as the Identity Provider.

You can configure Single Sign-On to use SAML authentication and enable your users to log in through one portal and get access to multiple services.


Integration Summary

The hardware and software used in this guide include:

  • Okta
  • WatchGuard Firebox:
    • Fireware v12.10
    • Feature key with an Access Portal license

Test Topology

This integration uses Okta Identity Cloud services to communicate with a WatchGuard Firebox over a public Internet connection:

Screenshot of topology

Configure Your Firebox for Okta

The WatchGuard Access Portal is a subscription service. Before you can configure Access Portal on your Firebox, your feature key must have an active Total Security Suite license.

To configure the Access Portal settings on your Firebox for Okta, from Fireware Web UI:

  1. Log in to Fireware Web UI.
  2. Select Subscription Services > Access Portal.
    The Access Portal page opens.

Screenshot of Firebox, enabling Access Portal

  3. Select the Enable Access Portal check box.
  4. Select the SAML tab.

Screenshot of Firebox, enabling SAML

  5. Select the Enable SAML check box.
  6. In the Service Provider (SP) Settings section, provide these details:
    You add the IdP settings later in this process.
    • IdP Name — Specify a name for the SAML authentication to appear in other Firebox settings as the server name. In this example, we use My_Okta.
    • Host Name — Specify the fully qualified domain name that resolves to the Firebox external interface.
  7. Click Save.
  8. Open a web browser, and go to https://<host name or IP Address>/auth/saml. If you configure an Access Portal port number other than 443, you must go to https://<Firebox interface IP address>:<custom port number>/auth/saml.
    The configuration instructions page appears.

    Several Firebox features use SSL/TLS for secure communication. For more information, go to Shared Settings and Policy.

  9. Copy these values from the configuration instructions page:
    • SAML Entity ID in this format: https://<host name>/auth/saml
    • Assertion Consumer Service (ACS) URL in this format: https://<host name>/auth/saml/acs
    • Single Logout Service (SLS) URL in this format: https://<host name>/auth/saml/sls
  10. Click Download Certificate.

Screenshot of Firebox, configuration page

Configure Okta

To configure Okta, complete these steps:

  1. Add an Okta Group and User
  2. Configure a SAML 2.0 Application

Add an Okta Group and User

To add an Okta group and user:

  1. Log in to the Okta Admin Console.
  2. Select Directory > Groups > Add Group.
  3. In the Name text box, type a group name.

Screenshot of Okta, adding a group

  4. Click Save.
  5. To add a user in Okta, select Directory > People > Add Person.
    You can add your own user information.

Screenshot of Okta, adding a person

  6. On the Add Person page, type the required details, then click Save.

You can import users and groups from Active Directory to Okta. For more information, go to the Okta documentation.

Configure a SAML 2.0 Application

To configure a SAML 2.0 application:

  1. Select Applications > Applications.
    The Applications page opens.

Screenshot of Okta, creating Okta applications

  2. Click Create App Integration.
    The Create a New App Integration page opens.

Screenshot of Okta, SAML 2.0 sign-in method

  3. Select SAML 2.0 as the sign-in method, then click Next.
    The Create SAML Integration page opens.

Screenshot of Okta, general settings in SAML Integration

  4. In the App Name text box, type a name.
  5. (Optional) To upload a logo, from the App Logo section, click the Upload icon, then select an image to upload.
  6. Click Next.
    The Configure SAML tab opens.

Screenshot of Okta, configure SAML

  7. On the SAML Settings page, in the General section, configure these settings:
    • Single Sign On URL
      Type or paste the URL in this format: https://<host name>/auth/saml/acs
      The WatchGuard label is the Assertion Consumer Service (ACS) URL.
    • Audience URL (SP Entity ID)
      Type or paste the URL in this format: https://<host name>/auth/saml
      The WatchGuard label is the SAML Entity ID.
    • Default RelayState
      Leave the text box blank.
    • Name ID Format
      Select Unspecified.
    • Application Username
      Select Email.
    • Update Application Username On
      Select Create and Update.
  8. Click Show Advanced Settings, then specify these settings:
    • Response
      Select Signed.
    • Assertion Signature
      Select Signed.
    • Signature Algorithm
      Select RSA-SHA256.
    • Digest Algorithm
      Select SHA256.
    • Assertion Encryption
      Select Encrypted.
    • Encryption Algorithm
      Select AES256-CBC.
    • Key Transport Algorithm
      Select RSA-OAEP.
    • Encryption Certificate
      Click Browse Files, then select the certificate you downloaded from the WatchGuard SAML 2.0 Configuration for WatchGuard Access Portal page in the Configure Your Firebox for Okta section of this document.
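The advanced settings above decide what a SAML Response from Okta will look like on the wire: a signature over the Response (RSA-SHA256 with SHA-256 digests) and an EncryptedAssertion (AES-256-CBC data encryption, RSA-OAEP key transport) instead of a plaintext Assertion. The following Python script is an added example, not WatchGuard or Okta code; it checks that a captured Response declares exactly those algorithm identifiers, which is a quick way to confirm the Okta application was saved as intended. It only inspects the declared algorithms, it does not verify the signature or decrypt anything (the Firebox does that), and the Assertion Signature setting cannot be checked until the assertion is decrypted. The sample Response is constructed with placeholder values; the namespace and algorithm URIs are the standard XML Signature and XML Encryption identifiers.

```python
"""Check that a SAML Response declares the signing and encryption algorithms
selected in the Okta advanced settings. Added example, not WatchGuard or
Okta code; declared algorithms only, no cryptographic verification."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Standard algorithm identifiers for the options selected in Okta.
EXPECTED = {
    "signature": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",   # Signature Algorithm: RSA-SHA256
    "digest": "http://www.w3.org/2001/04/xmlenc#sha256",                 # Digest Algorithm: SHA256
    "data_encryption": "http://www.w3.org/2001/04/xmlenc#aes256-cbc",    # Encryption Algorithm: AES256-CBC
    "key_transport": "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",  # Key Transport Algorithm: RSA-OAEP
}


def _algorithm(parent, path):
    """Algorithm attribute of the element at path under parent, or None."""
    el = parent.find(path, NS) if parent is not None else None
    return el.get("Algorithm") if el is not None else None


def check_response(xml_text):
    """Return per-setting findings plus an overall 'matches_guide' verdict."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)             # Response: Signed
    enc = root.find("saml:EncryptedAssertion", NS)  # Assertion Encryption: Encrypted
    findings = {
        "response_signed": sig is not None,
        "signature_ok": _algorithm(sig, "ds:SignedInfo/ds:SignatureMethod") == EXPECTED["signature"],
        "digest_ok": _algorithm(sig, "ds:SignedInfo/ds:Reference/ds:DigestMethod") == EXPECTED["digest"],
        "assertion_encrypted": enc is not None,
        "data_encryption_ok": _algorithm(enc, "xenc:EncryptedData/xenc:EncryptionMethod") == EXPECTED["data_encryption"],
        "key_transport_ok": _algorithm(enc, ".//xenc:EncryptedKey/xenc:EncryptionMethod") == EXPECTED["key_transport"],
        # A plaintext Assertion beside the encrypted one would defeat the encryption setting.
        "plaintext_assertion_present": root.find("saml:Assertion", NS) is not None,
    }
    findings["matches_guide"] = all(
        findings[k] for k in ("response_signed", "signature_ok", "digest_ok",
                              "assertion_encrypted", "data_encryption_ok", "key_transport_ok")
    ) and not findings["plaintext_assertion_present"]
    return findings


# Constructed sample Response: the shape Okta produces with the settings above,
# with placeholder digest, signature and cipher values (not real data).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://portal.example.com/auth/saml/acs">
  <saml:Issuer>http://www.okta.com/exk-constructed</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>constructed</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>constructed</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>constructed</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>constructed</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, value in check_response(SAMPLE_RESPONSE).items():
        print(f"{name}: {value}")
```

To run it against a real login, paste the base64-decoded SAMLResponse value from the browser's POST to /auth/saml/acs into a file and pass its contents to check_response; any False finding points at the Okta setting that does not match this guide.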

Screenshot of Okta, advanced settings

  9. Keep the default values for other settings.
  10. In the Group Attribute Statements (optional) section:
    1. In the Name text box, type memberOf. This example uses group authentication. If you want to use user authentication, skip this step.
    2. From the Filter drop-down list, select Equals.
    3. In the adjacent text box, type the Okta group name you created.

Screenshot of Okta, group attribute

  11. Click Next.
  12. In the Are you a customer or partner? section, select one of these options:
    • I'm an Okta Customer Adding an Internal App — Most deployments are in this category.
    • I'm a Software Vendor. I'd Like to Integrate my App with Okta — Select this option if your company deploys a service for general public use.

Screenshot of Okta, feedback

  13. Click Finish.
  14. Select the Sign On tab.

Screenshot of Okta, metadata details

  15. From the Metadata Details section, copy the text in the Metadata URL text box. The Okta Metadata URL is used in the WatchGuard Access Portal.
    The link is in this format: https://<okta account name>.okta.com/app/<random value>/sso/saml/metadata
  16. Select the Assignments tab.

Screenshot of Okta, assign to group

  17. Select Assign > Assign to Groups.
    If you select Assign to People, the user must belong to the group you configured in the Group Attribute Statements section.
  18. Select the group, then click Assign.
  19. Click Done.
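The Metadata URL copied from the Sign On tab is the only thing the Firebox receives about the IdP, so it is worth looking at the document behind it before saving it on the Firebox. The following Python script is an added example, not WatchGuard or Okta code: it checks that a URL has the HTTPS okta.com shape shown in this guide, then parses an IdP metadata document and pulls out what the Firebox will rely on (the IdP entity ID, the Single Sign-On and Single Logout endpoints per binding, and the SHA-256 fingerprint of each signing certificate), and finally runs a few sanity checks. The sample metadata is constructed with placeholder values and a fake certificate body (not a real X.509 certificate); the element names and namespaces are the standard SAML 2.0 metadata ones.

```python
"""Inspect an IdP metadata document of the kind served at the Okta Metadata URL
before pasting that URL into the Firebox. Added example, not WatchGuard or
Okta code."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# The URL shape the guide shows: https://<okta account name>.okta.com/app/<random value>/sso/saml/metadata
METADATA_URL_RE = re.compile(r"^https://[a-z0-9-]+\.okta\.com/app/[^/]+/sso/saml/metadata$")


def metadata_url_looks_right(url):
    """True when the URL has the HTTPS okta.com shape shown in the guide."""
    return METADATA_URL_RE.match(url) is not None


def summarize_idp_metadata(xml_text):
    """Extract the IdP entity ID, SSO/SLO endpoints per binding and SHA-256
    fingerprints of the certificates the IdP signs with."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    summary = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_cert_sha256": []}
    for tag, key in (("md:SingleSignOnService", "sso"), ("md:SingleLogoutService", "slo")):
        for svc in idp.findall(tag, NS):
            binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-POST, HTTP-Redirect
            summary[key][binding] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der = base64.b64decode("".join(cert.text.split()))
        summary["signing_cert_sha256"].append(hashlib.sha256(der).hexdigest())
    return summary


def firebox_ready(summary):
    """Sanity checks before saving the metadata URL: an entity ID, at least one
    SSO endpoint, at least one signing certificate, and HTTPS-only endpoints."""
    endpoints = list(summary["sso"].values()) + list(summary["slo"].values())
    return (
        bool(summary["entity_id"])
        and bool(summary["sso"])
        and bool(summary["signing_cert_sha256"])
        and all(url.startswith("https://") for url in endpoints)
    )


# Constructed sample: the shape of Okta IdP metadata with placeholder values and
# a fake certificate body (not a real certificate).
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk-constructed">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>__CERT__</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example_app/exk-constructed/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example_app/exk-constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("__CERT__", FAKE_CERT_B64)

if __name__ == "__main__":
    print(metadata_url_looks_right("https://example.okta.com/app/exk-constructed/sso/saml/metadata"))
    summary = summarize_idp_metadata(SAMPLE_METADATA)
    print(summary)
    print("ready for Firebox:", firebox_ready(summary))
```

For a live check, fetch the Metadata URL with a browser or curl and pass the saved document to summarize_idp_metadata; keeping the printed certificate fingerprints with your change records makes it easy to notice later when Okta rotates the signing certificate.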

Complete the WatchGuard SAML Setup

To complete the WatchGuard SAML setup, from Fireware Web UI:

  1. Log in to Fireware Web UI.
  2. Select Subscription Services > Access Portal.
    The Access Portal page opens.
  3. Select the SAML tab.

Screenshot of Firebox, IdP metadata URL

  4. From the Identity Provider (IdP) Settings section, in the IdP Metadata URL text box, type or paste the IdP Metadata URL you copied from Okta in the Configure a SAML 2.0 Application section of this document.
  5. Click Save.
  6. Select Authentication > Users and Groups.
  7. Click Add.
    The Add User or Group page opens. You can add a user or a group. The example in this document adds a group. If you add a user, the name of the user must match the name of the Okta user.
  8. For Type, select Group.
  9. In the Name text box, type a name for the group. The group name must be the same as the group name specified in the memberOf attribute on Okta.
  10. From the Authentication Server drop-down list, select the authentication server where the user or group exists. In this example, we select My_Okta.

Screenshot of Firebox, add groups

  11. Click OK.
  12. Click Save.
  13. To add an application to the Access Portal, select Subscription Services > Access Portal.
  14. From the Applications section, click Add. In this example, we use Web Application.
    The selected application page opens.

Screenshot of Firebox, web application

  15. In the Name text box, type a descriptive name.
  16. In the URL text box, type the URL of the web application.
  17. Click OK.
  18. Click Save.
  19. Select the User Connection Settings tab.
  20. (Optional) To give all users and groups permission to connect to all applications, in the User Access section, select All Applications are Available to All Users and Groups Authenticated With the Access Portal.
  21. To specify the applications each user and group can access, select Specify the Applications Available to Each User and Group.
  22. Click Add.
    The Add User or Group page opens.

Screenshot of Firebox, bind the resource to a group

  23. From the Select a User or Group section, from the Authentication Server drop-down list, select the authentication server. In this example, we select My_Okta.
  24. From the Type drop-down list, select Group.
  25. In the Name text box, type the group name. The group name must be the same as the group name specified in the memberOf attribute on Okta.
  26. Select the applications that are available to this group.
  27. Click OK.
  28. Click Save.
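The steps above rely on two name matches: a Firebox group entry must equal a value of the memberOf attribute Okta sends, and a Firebox user entry must equal the Okta user name (the email address selected as Application Username). The following Python script is an added example, not WatchGuard or Okta code; it shows those rules applied to a decrypted SAML assertion, together with the audience check that ties the assertion to the SP Entity ID configured in Okta (https://<host name>/auth/saml). The host name, group name and assertion are constructed placeholders, and the exact, case-sensitive string comparison is this example's assumption; the guide does not state how the Firebox itself compares names, so the safe practice it implies is to type the names identically on both sides.

```python
"""Apply the name-matching rules this guide describes to a decrypted SAML
assertion: Firebox group name == an Okta memberOf value, Firebox user name ==
Okta user name (NameID), and the assertion must be addressed to this SP's
entity ID. Added example, not WatchGuard or Okta code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# https://<host name>/auth/saml for a hypothetical host name.
SP_ENTITY_ID = "https://portal.example.com/auth/saml"


def extract_identity(assertion_xml):
    """Collect the audience list, the NameID and all memberOf values."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "memberOf":
            groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    audiences = root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text.strip() for a in audiences if a.text],
        "groups": groups,
    }


def portal_decision(identity, sp_entity_id, firebox_group=None, firebox_user=None):
    """Decide whether a Firebox user or group entry matches this assertion.
    Exact string comparison is this example's assumption."""
    if sp_entity_id not in identity["audiences"]:
        return False, "assertion is not addressed to this SP entity ID"
    if firebox_group is not None and firebox_group in identity["groups"]:
        return True, "Firebox group matched a memberOf value"
    if firebox_user is not None and firebox_user == identity["name_id"]:
        return True, "Firebox user matched the Okta user name"
    return False, "no Firebox user or group matches this assertion"


# Constructed sample: what the Firebox sees after decrypting the EncryptedAssertion.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exk-constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.com/auth/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Access_Portal_Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    identity = extract_identity(SAMPLE_ASSERTION)
    print(identity)
    print(portal_decision(identity, SP_ENTITY_ID, firebox_group="Access_Portal_Users"))
    print(portal_decision(identity, SP_ENTITY_ID, firebox_group="access_portal_users"))
    print(portal_decision(identity, SP_ENTITY_ID, firebox_user="jane.doe@example.com"))
```

The second call in the usage block fails on a case difference alone, which is the usual cause when a user authenticates successfully in Okta but the Access Portal shows no applications: compare the Firebox group name character by character with the Okta group name typed in the Group Attribute Statements filter.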

Test the Integration

After you complete these configuration steps, users in the group you added can sign in to either the Okta account or to a resource configured with Okta SAML Single Sign-On.

To test the integration:

  1. In a web browser, go to the Access Portal URL (https://<Host Name or IP address>).

Screenshot of test integration, Access Portal page

  2. To log in, click the name of the SAML portal. In this example, click My_Okta.
  3. Complete the authentication process in Okta.
    After successful authentication, the user gets access to the resource.

Screenshot of test integration, after authentication