
OneLogin SAML Authentication with WatchGuard Access Portal Integration Guide

Deployment Overview

You can configure single sign-on with SAML authentication so that your users log in once, through one portal, and get access to multiple services.

This document describes how to set up SAML authentication through the WatchGuard Access Portal with OneLogin as the Identity Provider.

Integration Summary

Hardware and Service Versions:

  • OneLogin Portal:
    • November 2017
  • WatchGuard FireboxV:
    • Fireware OS v12.1
    • Feature key with an Access Portal license

Test Topology

In this integration, the OneLogin portal (the identity provider, IdP) and the WatchGuard Firebox (the service provider, SP) communicate over a public internet connection; the user's browser carries the SAML requests and responses between them.

Configure Your Firebox for OneLogin

Because the WatchGuard Access Portal is a subscription service, you must add an Access Portal license to your Firebox feature key before you can enable and configure the Access Portal feature on your Firebox.

To configure the Access Portal settings on your Firebox for OneLogin, from Fireware Web UI:

  1. Select Subscription Services > Access Portal.
    The Access Portal page appears with the Applications tab selected by default.
  2. Select the Enable Access Portal check box.
  3. Click Save.
  4. Select the User Connection Settings tab. Click Configure.
    The SAML tab appears.
  5. Select the Enable SAML check box.
  6. In the Service Provider (SP) Settings section, type the IdP Name and Host Name.
    You add the IdP settings later in this process.
    •  IdP Name — Specify a name for the SAML authentication to appear in other Firebox settings as the server name.
    •  Host Name — Specify the fully qualified domain name that resolves to the Firebox external interface. The Firebox builds its SAML Entity ID and ACS URL from this value, so it must match exactly the host name users type into the browser and the URLs you later enter in OneLogin.
  7. Click Save.
  8. Go to https://<host name>/auth/saml.
  9. Make sure you have this information from the /auth/saml page:
    • SAML Entity ID in this format: https://<host name>/auth/saml.
    • Assertion Consumer Service (ACS) URL in this format: https://<host name>/auth/saml/acs.
    • Single Logout Service (SLS) URL in this format: https://<host name>/auth/saml/sls.
    • The certificate. Copy it; you paste it into the OneLogin Public Key field later in this process.

Configure Your OneLogin Portal

To import the information from the WatchGuard Web UI and to get the IdP Metadata URL:

  1. Log in to your OneLogin account.
  2. Select Apps > Add Apps.
  3. In the search text box, type SAML Test Connector.
    A list of connector options appears.
  4. Select SAML Test Connector (IDP) w/encrypt signed assertions.
  5. On the Configuration page, in the Display Name text box, type a descriptive name for this configuration.
  6. To enable your users to see the configuration in the portal, select Visible in portal. Select an icon option:
    • Rectangular Icon
    • Square Icon
  7. Click Save.
  8. To create a group for users, select Users > Groups > New Group.
  9. In the Group Security Policy text box, type a descriptive name for the group.
  10. From the Security Policy drop-down list, select Default policy.
  11. Click Save.
  12. To add a user in OneLogin, select Users > All Users > New User.
  13. In the Groups section, from the Group drop-down list, select the group you created.
  14. Click Save User.
  15. Select Users > All Users and select the user you created.
  16. Select the Authentication tab.
  17. From the User Security Policy drop-down list, select Default policy.
  18. Select the Applications tab.
  19. Verify that the SAML Test Connector appears in the Applications list.
  20. Select the SAML Test Connector application.
    The Edit SAML Test Connector page appears.
  21. To enable users to sign in, select the Allow user to sign in check box.
  22. Verify that the NameID is the email address of the user you created.
  23. Click Save.
  24. Click Save User.

SAML Configuration in OneLogin App

  1. Select Apps > Company Apps.
  2. Select the Configuration tab.
  3. Specify these settings:

RelayState

Leave blank.

Audience

https://<your host name>/auth/saml

The label in the Access Portal pages is SAML Entity ID.

Recipient

https://<your host name>/auth/saml/acs

The label in the Access Portal pages is Assertion Consumer Service (ACS) URL.

ACS (Consumer) URL Validator

https://<your host name>/auth/saml/acs

The label in the Access Portal pages is Assertion Consumer Service (ACS) URL. OneLogin evaluates this field as a regular expression, so an unescaped URL also matches look-alike URLs (each "." matches any character). For an exact match, escape the dots and anchor the pattern, for example ^https://portal\.example\.com/auth/saml/acs$ with your own host name in place of portal\.example\.com.

ACS (Consumer) URL

https://<your host name>/auth/saml/acs

The label in the Access Portal pages is Assertion Consumer Service (ACS) URL.

Single Logout URL

https://<your host name>/auth/saml/sls

The label in the Access Portal pages is Single Logout Service (SLS) URL.

  4. In the Public Key text box, paste the certificate you copied from the Firebox /auth/saml page (SAML 2.0 Configuration for WatchGuard Access Portal).
  5. Select the Parameters tab.
  6. In the Credentials are section, select Configured by admin or Configured by admins and shared by all users, based on your company's credential policy.
  7. Verify that the NameID setting is Email.
  8. Select the SSO tab.
  9. Save a copy of the Issuer URL.
    You will add this URL in the Firebox SAML configuration under IdP Metadata URL.
  10. From the SAML Signature Algorithm drop-down list, select SHA-256.
  11. To enable assumed sign-in, select the Allow assumed users to sign into this app check box.
    This lets a OneLogin administrator who assumes a user's identity sign in to the Access Portal as that user. It is convenient for testing, but it is also an impersonation path; leave it cleared if your policy does not permit administrators to act as users.
  12. Click Save.
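
The values entered on the Configuration tab are the same items copied from the Firebox /auth/saml page, so a mismatch is usually a typo or a stale host name. The script below is an added example, not WatchGuard or OneLogin code. It reads service-provider metadata in the standard SAML 2.0 metadata XML format (SP_METADATA is a constructed sample with a placeholder host and a dummy certificate blob, not real Firebox output; this guide does not say whether the Firebox offers an XML download, so fill the sample in from the values on your /auth/saml page if it does not), prints a fingerprint of the certificate so you can compare it with what you pasted into Public Key, and derives each OneLogin field, including an escaped and anchored ACS (Consumer) URL Validator. It also shows why a plain URL in the validator field is looser than it looks: treated as a regular expression, its unescaped dots match any character.

```python
"""Turn Firebox SP metadata into the OneLogin Configuration-tab values.

Added example, not WatchGuard or OneLogin code. SP_METADATA is a
constructed SAML 2.0 metadata document: placeholder host name, dummy
certificate blob (not a real X.509 certificate), not real Firebox output.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample, not real Firebox output.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.example.com/auth/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VIT0xERVItQ0VSVA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.example.com/auth/saml/sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.com/auth/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract Entity ID, ACS URL, SLS URL and signing certificate from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    acs = sp.find("md:AssertionConsumerService", NS)
    sls = sp.find("md:SingleLogoutService", NS)
    cert = sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if acs is None or cert is None:
        raise ValueError("metadata lacks an ACS URL or a signing certificate")
    return {
        "entity_id": root.attrib["entityID"],
        "acs_url": acs.attrib["Location"],
        "sls_url": sls.attrib["Location"] if sls is not None else None,
        "cert_b64": "".join(cert.text.split()),  # one line, as pasted into Public Key
    }


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint of the DER certificate, for comparing the value pasted
    into OneLogin against what the Firebox actually serves."""
    digest = hashlib.sha256(base64.b64decode(cert_b64, validate=True)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


def acs_validator_regex(acs_url):
    """OneLogin treats 'ACS (Consumer) URL Validator' as a regular expression.
    Escape the URL and anchor it so only the exact ACS URL is accepted."""
    return "^" + re.escape(acs_url) + "$"


def validator_accepts(validator, url):
    """Apply a validator pattern the way a regex field does."""
    return re.search(validator, url) is not None


def onelogin_fields(sp):
    """Map the SP values onto the OneLogin Configuration tab, field by field."""
    return {
        "RelayState": "",
        "Audience": sp["entity_id"],
        "Recipient": sp["acs_url"],
        "ACS (Consumer) URL Validator": acs_validator_regex(sp["acs_url"]),
        "ACS (Consumer) URL": sp["acs_url"],
        "Single Logout URL": sp["sls_url"] or "",
        "Public Key": sp["cert_b64"],
    }


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    print("SP certificate SHA-256:", cert_fingerprint(sp["cert_b64"]))
    for label, value in onelogin_fields(sp).items():
        print(f"{label}: {value}")
```

The derived validator, ^https://portal\.example\.com/auth/saml/acs$, accepts only the real ACS URL, whereas the plain URL used as a pattern also accepts https://portalXexample.com/auth/saml/acs.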

Complete the WatchGuard SAML Setup

From Fireware Web UI:

  1. Select Subscription Services > Access Portal.
  2. Select the User Connection Settings tab.
  3. Select Configure > SAML.
  4. In the IdP Metadata URL text box, paste the Issuer URL you copied from the OneLogin SSO tab.
    The Firebox reads the IdP's endpoints and signing certificate from this metadata, so the URL must be reachable from the Firebox.
  5. Click Save.

Test the Integration

Now you can test the integration with the group you created in OneLogin.

From Fireware Web UI:

  1. Select Authentication > Users and Groups.
  2. Click Add.
    The Add User or Group page appears.
  3. Type the Name and Description of the group.
  4. From the Authentication Server drop-down list, select the SAML server (the IdP Name you specified in the Access Portal settings).
  5. Click OK.
    The Users and Groups page appears.
  6. Click Save.
  7. To add an RDP host to the Access Portal, select Subscription Services > Access Portal.
  8. Click Add. Select Host Desktop Access (RDP).
    The RDP Host page appears.
  9. From the Authentication Server drop-down list, select the name of the SAML configuration.
  10. From the Type drop-down list, select Group.
  11. In the Name text box, type the name of the group you created in OneLogin. The names must match exactly.

After you complete these configuration steps, users in the group you added can sign in either through their OneLogin account or directly at a resource configured with OneLogin single sign-on. To test from the Access Portal:

  1. Type the URL for the portal in this format: https://<host name>.
    The Log In page appears with the name of the SAML portal you configured at the top of the page.
  2. To log in, click the name of the SAML portal.
    In this example, click MY_ONELOGIN.
    The user can now get access to the resource.
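
If the test login fails, compare the SAMLResponse that OneLogin posts to the ACS URL against the settings in this guide: Destination and Recipient should carry the ACS URL, Audience the SAML Entity ID, the NameID should be in emailAddress format, and the signature should use rsa-sha256 (the SHA-256 setting on the SSO tab). The script below is an added example, not WatchGuard or OneLogin code. It does not verify the XML signature (the Firebox does that); it only reports the algorithm and any field that disagrees with the expected values. SAMPLE_RESPONSE is a constructed response with placeholder host, issuer, user and signature value, and IDP_ISSUER is a placeholder for the Issuer URL you saved from the SSO tab. To use it on a real capture, take the SAMLResponse form field from the browser's POST to https://<host name>/auth/saml/acs (browser developer tools or a SAML tracer extension) and pass it to decode_saml_response().

```python
"""Sanity-check a SAMLResponse that OneLogin posted to the Firebox ACS URL.

Added example, not WatchGuard or OneLogin code. It does not verify the
XML signature (the Firebox does that); it only reports the algorithm and
any field that disagrees with the settings in this guide. SAMPLE_RESPONSE
is constructed, with placeholder host, issuer, user and signature value.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Firebox-side values (placeholder host) and the expected OneLogin Issuer URL
# (placeholder; the real one is on the app's SSO tab).
SP = {"entity_id": "https://portal.example.com/auth/saml",
      "acs_url": "https://portal.example.com/auth/saml/acs"}
IDP_ISSUER = "https://idp.example.com/saml/metadata/EXAMPLE"

# Constructed sample, not a real OneLogin response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
    IssueInstant="2017-11-15T12:00:00Z" Destination="https://portal.example.com/auth/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata/EXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-11-15T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata/EXAMPLE</saml:Issuer>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2017-11-15T12:05:00Z"
            Recipient="https://portal.example.com/auth/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-11-15T11:57:00Z" NotOnOrAfter="2017-11-15T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://portal.example.com/auth/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_POST_VALUE = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # as the browser POSTs it
NOW = datetime(2017, 11, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock matching the sample


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def decode_saml_response(post_value):
    """The SAMLResponse form field is Base64-encoded XML."""
    return base64.b64decode(post_value).decode("utf-8")


def check_response(xml_text, sp, idp_issuer, now):
    """Return the mismatches between the response and the guide's settings (empty = all good)."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.attrib.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.attrib.get("Destination") != sp["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    for issuer in root.iterfind(".//saml:Issuer", NS):
        if (issuer.text or "").strip() != idp_issuer:
            problems.append("Issuer does not match the OneLogin Issuer URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # the encrypting connector may wrap it in EncryptedAssertion
        encrypted = root.find("saml:EncryptedAssertion", NS) is not None
        problems.append("assertion is encrypted; decrypt it with the SP key before inspecting"
                        if encrypted else "response carries no assertion")
        return problems
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.attrib.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not rsa-sha256 (check the SSO tab setting)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.attrib.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in emailAddress format")
    data = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None or data.attrib.get("Recipient") != sp["acs_url"]:
        problems.append("Recipient does not match the ACS URL")
    elif parse_utc(data.attrib["NotOnOrAfter"]) <= now:
        problems.append("assertion has expired (check clock skew between IdP and Firebox)")
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or (audience.text or "").strip() != sp["entity_id"]:
        problems.append("Audience does not match the SAML Entity ID")
    return problems


if __name__ == "__main__":
    xml_text = decode_saml_response(SAMPLE_POST_VALUE)
    print(check_response(xml_text, SP, IDP_ISSUER, NOW) or "all checks passed")
```

The expiry check uses a fixed clock so the sample stays reproducible; for a live capture pass datetime.now(timezone.utc) instead. An "expired" result on a fresh response usually means the Firebox clock and the IdP clock disagree.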
