OneLogin SAML Authentication with WatchGuard Access Portal Integration Guide

Deployment Overview

You can configure Single Sign-On to use SAML authentication and enable your users to log in through one portal and get access to multiple services.

This integration guide describes how to set up SAML authentication through the WatchGuard Access Portal with OneLogin as the Identity Provider.

This integration guide describes two configurations for Access Portal SAML authentication based on the different versions of Fireware. We recommend that you upgrade to Fireware v12.11 or higher.

Contents

Integration Summary

The hardware and software used in this guide include:

  • OneLogin administrator account
  • WatchGuard Firebox:
    • Fireware v12.11 or higher
    • Fireware v12.10 or lower
    • Feature key with an Access Portal license

Test Topology

This integration uses OneLogin Portal to communicate with a WatchGuard Firebox over a public Internet connection.

Screenshot of Topology diagram

Configure the Access Portal for SAML Authentication with OneLogin

The steps to configure the Access Portal for SAML authentication with OneLogin are different based on the version of Fireware that you have.

The WatchGuard Access Portal is a subscription service, before you can enable the Access Portal feature and configure it on your Firebox, you must add an Access Portal license to your Firebox feature key.

Complete the steps in this section to configure the Access Portal for SAML authentication with OneLogin with Fireware v12.11 or higher.

Enable the Firebox SAML Authentication Server

To enable the Firebox SAML authentication server:

  1. Log in to Fireware Web UI (https://your Firebox IP address:8080).
  2. From the left navigation, select Authentication > Servers.

    3. Screenshot of Firebox, Firebox Auth Server setup 1

  3. Select the SAML tab.
    The SAML page opens.
  4. Select the Enable SAML check box.
  5. In the Service Provider (SP) Settings section, enter this information:
    You add the IdP settings later in this process.
    • IdP Name — Enter a name to identify the SAML authentication server in other Firebox settings. In this example, we use My_OneLogin.
    • Host Name — Enter the fully qualified domain name that resolves to the Firebox external interface.
  6. Leave the IdP Metadata URL text box blank for now, and leave memberOf as the default Group Attribute Name. We will configure the identity provider settings later.

    7. Screenshot of Firebox, Firebox Auth Server setup 2

  7. Click Save.

Enable and Configure the Firebox Access Portal

To configure the Access Portal on your Firebox:

  1. From the navigation, select Subscription Services > Access Portal.
    The Access Portal page appears with the Applications tab selected by default.
  2. Select the Enable Access Portal check box.

    3. Screenshot of Firebox, Firebox Access Portal config 1

  3. Select the User Connection Settings tab.
  4. In the Authentication Servers section, from the Authentication Servers drop-down list, select the SAML authentication server you created. For our example, we select My_OneLogin.
  5. Click Add.

    6. Screenshot of Firebox, Firebox Access Portal config 3

  6. Click Save.
  7. Copy the SP Metadata URL, then click Done.
  8. Open a web browser and go to the SP Metadata URL (https://Host name or Firebox IP address/auth/saml). If you configure an Access Portal port other than 443, you must navigate to https://Firebox interface IP address:custom port number/auth/saml.
    The configuration instructions page appears.

    Several Firebox features use SSL/TLS for secure communication. For more information, see Shared Settings and Policy.

  9. Make sure you have this SP information from Option 2. You need this information when you configure OneLogin.
    • SAML Entity ID — https://host name/auth/saml
    • Assertion Consumer Service (ACS) URL — https://host name/auth/saml/acs
    • Single Logout Service (SLS) URL — https://host name/auth/saml/sls
    • X.509 Certificate

    10. Screenshot of SAML 2.0 configration for access portal

Configure OneLogin

To configure OneLogin:

  1. Log in to your OneLogin Administration panel.
  2. From the top navigation bar, select Applications > Applications, then click Add App.
  3. In the search text box, type SAML Test Connector.
    A list of connector options appears.
  4. Select SAML Custom Connector (Advanced).

    5. Screenshot of OneLogin, OneLogin setup 1

  5. On the Portal page, in the Display Name text box, type a descriptive name. For our example, we type WatchGuard Firebox Access Portal (SAML).
  6. (Optional) To enable your users to see the configuration in the OneLogin portal, select Visible in portal.
  7. (Optional) Select an icon option and upload the icon.

    8. Screenshot of OneLoin, OneLogin setup 2

  8. Click Save.
    Your SAML application page opens.
  9. From the left navigation, select Configuration.

    10. Screenshot of OneLoin, OneLogin setup 3

  10. Specify these settings:

    11. RelayState

    Leave this value blank.

    Audience (EntityID)

    https://your host name/auth/saml

    This is the SAML Entity ID value from the Access Portal configuration page.

    Recipient

    https://your host name/auth/saml/acs

    This is the Assertion Consumer Service (ACS) URL value from the Access Portal configuration page.

    ACS (Consumer) URL Validator

    https://your host name/auth/saml/acs

    This is the Assertion Consumer Service (ACS) URL value from the Access Portal configuration page.

    ACS (Consumer) URL:

    https://your host name/auth/saml/acs

    This is the Assertion Consumer Service (ACS) URL value from the Access Portal configuration page.

    Single Logout URL

    https://your host name/auth/saml/sls

    This is the Single Logout Service (SLS) URL value from the Access Portal configuration page.

    Screenshot of OneLogin, OneLogin setup 4

  11. From the SAML signature element drop-down list, select Assertion.
  12. Select the Encryption assertion check box.
  13. From the SAML encryption method drop-down list, select AES-256-CBC.
  14. Leave the default value for all other settings.

    15. Screenshot of OneLogin, OneLogin setup 5

  15. Click Save.
  16. From the left navigation, select the Configuration tab.
  17. Scroll to the bottom and from the SAML Encryption section, for the Public key, paste the certificate you copied from the previous section.

    18. Screenshot of OneLogin, OneLogin setup 6

  18. From the left navigation, select Parameters.
  19. In the Credentials are section, select Configured by admin.
  20. Verify that the NameID value setting is Email.

    21. Screenshot of OneLogin, OneLogin setup 7

  21. Click to add a new field for group authentication. If you only want to use user authentication, skip Steps 21–26.
  22. In the Field name text box, type memberOf.
  23. Select the Include in SAML assertion check box.

    24. Screenshot of OneLogin, OneLogin8

  24. Click Save.
  25. From the Value drop-down list, select MemberOf.

    26. Screenshot of OneLogin, OneLogin9

  26. Click Save.

    27. Screenshot of OneLogin, OneLogin setup 8

  27. From the left navigation, select SSO.
  28. From the SAML Signature Algorithm drop-down list, select SHA-256.
  29. Copy the value of the Issuer URL. You need this value when you configure the Access Portal. This value is the IdP Metadata URL in the Access Portal.
  30. To enable assumed sign-in, select the Allow assumed users to sign into this app check box.
  31. Leave the default value for all other settings.

    32. Screenshot of OneLogin, OneLogin setup 9

  32. Click Save.
  33. If you do not have any groups or users, complete Steps 34-40 to create a test group and test user. If you already have users and groups, go to Step 41.
  34. From the top navigation bar, select Users > Groups, then click New Group.
  35. In the Untitled Group text box, type a descriptive name for the group.
  36. From the Security policy drop-down list, select Default policy.

    37. Screenshot of OneLogin, OneLogin12

  37. Click Save.
  38. From the top navigation bar, select Users > Users, then click New User.
  39. Fill in the required information and email address.

    40. Screenshot of OneLogin, OneLogin13

  40. Click Save User.
  41. From the top navigation bar, select Users > Users and select a user for configuration.
  42. (Optional) If this is a new user, from the More Action drop-down list, select Change Password to change the user's password first.
  43. Select the Authentication tab, and from the Group drop-down list, select the group you want to assign to the user.
  44. Select the Applications tab, then click to assign applications to the user.
  45. From the Select application drop-down list, select the SAML application you created.

    46. Screenshot of OneLogin, OneLogin setup 10

  46. Click Continue.
  47. Select the Allow the user to sign in check box.
  48. Verify the value of NameID value is the email address of the user.
  49. In the memberOf text box, type the group name you created.

    50. Screenshot of OneLogin, OneLogin15

  50. Click Save.
  51. Click Save User.

Complete SAML Authentication Server Setup

  1. Log in to Fireware Web UI.
  2. From the left navigation, select Authentication > Servers.
  3. Select SAML.
  4. In the IdP Metadata URL text box, paste the value of the Issuer URL you copied from the OneLogin setup.

    5. Screenshot of Firebox, Firebox Auth Server setup 3

  5. Click Save.

Complete the Firebox Access Portal Setup

  1. Log in to Fireware Web UI.
  2. From the navigation, select Subscription Services > Access Portal.
    The Access Portal page appears with the Applications tab selected by default.
  3. If you do not have any applications in the Access Portal, complete Steps 4-8 to add a web application to the Access Portal. To learn how to add other applications to Access Portal, go to Configure the Access Portal.
  4. From the Applications section, click Add. In this example, we use Web Application.
    The selected application page opens.
  5. In the Name text box, type a description name.
  6. In the URL text box, type a URL address.

    7. Screenshot of Firebox, Firebox Access Portal setup 2

  7. Click OK.
  8. Click Save.

    9. Screenshot of Firebox, Firebox Access Portal config 2

  9. For the rest part of this section, we show the steps to configure group or user authentication. If you allow all applications to be available to all users and groups authenticated with the Access Portal, skip to the Test the Integration section.
  10. From the left navigation, select Authentication > Users and Groups.
  11. Click Add. You can add a user for user authentication or a group for group authentication. In our example, we add a group for group authentication. If you want to add a user, the user name must be the same as the user's email address in OneLogin.
    The Add User or Group page appears.
  12. For Type, select Group.
  13. In the Name text box, type a name for the group. The group name must be the same as the group name of memberOf in OneLogin.
  14. From the Authentication Server drop-down list, select the authentication server where the user or group exists.

    15. Screenshot of Firebox, Firebox4

  15. Click OK.
  16. Click Save.
  17. From the left navigation, select Subscription Services > Access Portal, then select the User Connection Settings tab.
  18. In the User Access section, select Specify the applications available to each user and group, then click Add below.
    The Add User or Group page opens.
  19. From the Authentication Server drop-down list, select the authentication server.
  20. From the Type drop-down list, select Group.
  21. In the Name text box, type the group name. The group name must be the same as the group name of memberOf in OneLogin.
  22. Select the applications that are available to this group.

    23. Screenshot of Firebox, Firebox Access Portal setup 4

  23. Click OK.
  24. Click Save.

Complete the steps in this section to configure the Access Portal for SAML authentication with OneLogin with Fireware v12.10 and lower.

Enable the Firebox Access Portal

To enable the Access Portal on your Firebox:

  1. Log in to Fireware Web UI (https://your Firebox IP address:8080).
  2. From the navigation, select Subscription Services > Access Portal.
    The Access Portal page appears with the Applications tab selected by default.
  3. Select the Enable Access Portal check box.

    4. Screenshot of Firebox, Firebox1

  4. Select the SAML tab.
  5. Select the Enable SAML check box.
  6. In the Service Provider (SP) Settings section, enter this information:
    You add the IdP settings later in this process.
    • IdP Name — Enter a name for the SAML authentication to appear in other Firebox settings as the server name. In this example, we use My_OneLogin.
    • Host Name — Enter the fully qualified domain name that resolves to the Firebox external interface.

    7. Screenshot of Firebox, Firebox2

  7. Click Save.
  8. Go to https://<host name>/auth/saml.
  9. Make sure you have this SP information from Option 2, you need this information when you configure OneLogin
    • SAML Entity ID — https://host name/auth/saml
    • Assertion Consumer Service (ACS) URL — https://host name/auth/saml/acs
    • Single Logout Service (SLS) URL — https://host name/auth/saml/sls
    • X.509 Certificate — Copy this value

    10. Screenshot of SAML 2.0 configration for access portal

Configure OneLogin

  1. Log in to your OneLogin Administration panel.
  2. From the top navigation bar, select Applications > Applications, then click Add App.
  3. In the search text box, type SAML Custom Connector.
    A list of connector options appears.
  4. Select SAML Custom Connector (Advanced).

    5. Screenshot of OneLogin, OneLogin setup 1

  5. On the Portal page, in the Display Name text box, type a descriptive name. For our example, we type WatchGuard Firebox Access Portal (SAML).
  6. (Optional) To enable your users to see the configuration in the OneLogin portal, select Visible in portal.
  7. (Optional) Select an icon option and upload the icon.

    8. Screenshot of OneLoin, OneLogin setup 2

  8. Click Save.
    Your SAML application page opens.
  9. From the navigation, select Configuration .

    10. Screenshot of OneLoin, OneLogin setup 3

  10. Specify these settings:

    11. RelayState

    Leave this value blank.

    Audience (EntityID)

    https://your host name/auth/saml

    This is the SAML Entity ID value from the Access Portal configuration page.

    Recipient

    https://your host name/auth/saml/acs

    This is the Assertion Consumer Service (ACS) URL value from the Access Portal configuration page.

    ACS (Consumer) URL Validator

    https://your host name/auth/saml/acs

    This is the Assertion Consumer Service (ACS) URL value from the Access Portal configuration page.

    ACS (Consumer) URL:

    https://your host name/auth/saml/acs

    This is the Assertion Consumer Service (ACS) URL value from the Access Portal configuration page.

    Single Logout URL

    https://your host name/auth/saml/sls

    This is the Single Logout Service (SLS) URL value from the Access Portal configuration page.

    Screenshot of OneLogin, OneLogin setup 4

  11. From the SAML signature element drop-down list, select Assertion.
  12. Select the Encryption assertion check box.
  13. From the SAML encryption method drop-down list, select AES-256-CBC.
  14. Keep the default values for all other settings.

    15. Screenshot of OneLogin, OneLogin setup 5

  15. Click Save.
  16. From the left navigation, select the Configuration tab again.
  17. Scroll to the bottom, from the SAML Encryption section, for the Public key, paste the certificate you copied from the previous section.

    18. Screenshot of OneLogin, OneLogin setup 6

  18. From the navigation, select Parameters.
  19. In the Credentials are section, select Configured by admin.
  20. Verify that the NameID value setting is Email.

    21. Screenshot of OneLogin, OneLogin setup 7

  21. Click to add a new field for group authentication. If you only want to use user authentication, skip steps 21–26.
  22. In the Field name text box, type memberOf.
  23. Select the Include in SAML assertion check box.

    24. Screenshot of OneLogin, OneLogin8

  24. Click Save.
  25. From the Value drop-down list, select MemberOf.

    26. Screenshot of OneLogin, OneLogin9

  26. Click Save.

    27. Screenshot of OneLogin, OneLogin setup 8

  27. From the left navigation, select SSO.
  28. From the SAML Signature Algorithm drop-down list, select SHA-256.
  29. Copy the value of the Issuer URL. You need this URL to configure the Firebox Access Portal SAML IdP Metadata URL.
  30. To enable assumed sign-in, select the Allow assumed users to sign into this app check box.
  31. Keep the default values for all other settings.

    32. Screenshot of OneLogin, OneLogin setup 9

  32. Click Save.
  33. If you do not have any groups or users, follow steps 35-41 to create a test group and a test user. If you already have users and groups, go to Step 42.
  34. From the top navigation bar, select Users > Groups, then click New Group.
  35. In the Untitled Group text box, type a descriptive name for the group.
  36. From the Security policy drop-down list, select Default policy.

    37. Screenshot of OneLogin, OneLogin12

  37. Click Save.
  38. From the top navigation bar, select Users > Users, then click New User.
  39. Fill in the Email address and other required information.

    40. Screenshot of OneLogin, OneLogin13

  40. Click Save User.
  41. From the top navigation bar, select Users > Users and select a user for configuration.
  42. (Optional) If this is a new user, from the More Action drop-down list, select Change Password to change the user's password first.
  43. Select the Authentication tab, from the Group drop-down list, select the group you want to assign for.
  44. Select the Applications tab, then click to assign an application to the user.
  45. From the Select application drop-down list, select the SAML application you created.

    46. Screenshot of OneLogin, OneLogin setup 10

  46. Click Continue.
  47. Select the Allow the user to sign in check box.
  48. Verify the value of NameID value is the email address of the user.
  49. In the memberOf text box, type the name of the group to which this user belongs.

    50. Screenshot of OneLogin, OneLogin15

  50. Click Save.
  51. Click Save User.

Complete the Firebox Access Portal Setup

To complete the Firebox Access Portal setup:

  1. Log in to Fireware Web UI, and from the navigation, select Subscription Services > Access Portal.
  2. Select the SAML tab.
  3. In the IdP Metadata URL text box, paste the value of the Issuer URL you copied from the OneLogin setup.

    4. Screenshot of Firebox, Firebox Access Portal setup 1

  4. Click Save.
  5. If you do not have any applications in the Access Portal, follow Steps 6-10 to add a web application to the Access Portal. To learn how to add other applications to the Access Portal, see Configure the Access Portal.
  6. From the Applications section, click Add. In this example, we use Web Application.
    The selected application page opens.
  7. Click the Applications tab, then click Add. In our example, we select the Web Application.
  8. In the Name text box, type a description name.
  9. In the URL text box, type a URL address.

    10. Screenshot of Firebox, Firebox Access Portal setup 2

  10. Click OK.
  11. Click Save.

    12. Screenshot of Firebox, Firebox Access Portal setup 3

  12. For the rest part of this section, we show the steps to configure group or user authentication. If you allow all applications to be available to all users and groups authenticated with the Access Portal, skip to the test section.
  13. From the left navigation, select Authentication > Users and Groups.
  14. Click Add. You can add a user for user authentication or a group for group authentication. In our example, we add a group for group authentication. If you want to add a user, the user name must be the same as the user's email address in OneLogin.
    The Add User or Group page appears.
  15. For Type, select Group.
  16. In the Name text box, type a name for the group. The group name must be the same as the group name of memberOf in OneLogin.
  17. From the Authentication Server drop-down list, select the authentication server where the user or group exists.

    18. Screenshot of Firebox, Firebox4

  18. Click OK.
  19. Click Save.
  20. From the left navigation, select Subscription Services > Access Portal, then select the User Connection Settings tab.
  21. In the User Access section, select Specify the applications available to each user and group, then click Add below.
    The Add User or Group page opens.
  22. From the Authentication Server drop-down list, select the authentication server.
  23. From the Type drop-down list, select Group.
  24. In the Name text box, type the group name. The group name must be the same as the group name of memberOf in OneLogin.
  25. Select the applications that are available to this group.

    26. Screenshot of Firebox, Firebox Access Portal setup 4

  26. Click OK.
  27. Click Save.

Test the Integration

After you have completed these configuration steps, users in the group you added can sign in to either the OneLogin account or to a resource configured with OneLogin Single Sign-On.

  1. Type the URL for the Access Portal in this format: https://Host Name of Firebox SAML Authentication Server.
    The Log In page appears with the name of the SAML portal you configured at the top of the page.

    2. Screenshot of Test integration

  2. To log in, click the name of the SAML portal. In this example, we click My_OneLogin.
  3. Complete the authentication process in OneLogin.
    After successful authentication, the user can get access to the resource.

    4. Screenshot of Test result 1