Firebox Authentication Portal SAML Integration with Duo and Active Directory

This integration guide describes how to set up SAML authentication between the Firebox Authentication Portal and Duo and Active Directory so that users must authenticate when they connect to the Firebox over port 4100. Active Directory provides the primary authentication and Duo Single Sign-On (SSO) completes the secondary authentication.

Duo Single Sign-On does not officially support single logout (SLO).

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11 or higher

Topology

Duo communicates with various cloud-based services and service providers with the SAML protocol. This integration uses Duo to communicate with WatchGuard Firebox over a public Internet connection.

Diagram of the integration topology with Duo, Active Directory, and the Firebox

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Duo administrator account.
  • A token is assigned to a user in Duo Mobile. The user must have an email address in one of the Permitted Email Domains verified in Duo Single Sign-On.
  • A server is configured to host the Duo Authentication proxy. For more information, go to Duo Authentication Proxy in the Duo documentation.
  • You have service account credentials for the Active Directory.
  • You have a domain that can be managed by your DNS hosting provider to verify the authentication user email domain with a TXT record.
  • The Firebox has Fireware v12.11 or higher installed.
  • You have a fully qualified domain name (FQDN) that resolves to the external IP address of the Firebox.

Additional charges might apply for the use of Duo.

To set up multi-factor authentication (MFA) for your Firebox Authentication Portal with Duo and Active Directory, complete these steps:

  1. Enable the Firebox SAML Authentication Server
  2. Add Users or Groups for the SAML Authentication Server
  3. Configure a WG-Auth Firewall Policy
  4. Configure Duo
  5. Complete SAML Authentication Server Setup

Enable the Firebox SAML Authentication Server

To enable the Firebox SAML authentication server:

  1. Log in to Fireware Web UI at:
    https://<your Firebox IP address>:8080
  2. From the navigation menu, select Authentication > Servers.
  3. Select SAML.
    The SAML settings page opens.
  4. Screenshot of Firebox, Firebox Auth Server SAML Settings

  5. Select the Enable SAML check box.
  6. In the IdP Name text box, type a name for the identity provider. In our example, we type Duo-SAML.
  7. In the Host Name text box, type an FQDN that resolves to the Firebox external interface.
  8. Keep the IdP Metadata URL text box blank for now. You will add the IdP settings later.
  9. Click Save.

Add Users or Groups for the SAML Authentication Server

To add users or groups for the SAML authentication server:

  1. Log in to Fireware Web UI at:
    https://<your Firebox IP address>:8080
  2. From the navigation menu, select Authentication > Users and Groups.
  3. Click Add.
    The Add User or Group page opens.
  4. Screenshot of add User or Group

  5. For Type, select Group.

    There are two ways to manage your users. You can add a group that matches an Active Directory user group with the group distinguishedName, or you can add a user with a name that matches an Active Directory user sAMAccountName. In our example, we add a group, but you can add a user instead.

  6. In the Name text box, type your group name. This group name must exactly match the value of the distinguishedName parameter for your Active Directory group. This is case-sensitive.
  7. From the Authentication Server drop-down list, select the SAML authentication server you created in the Enable the Firebox SAML Authentication Server section. In this example, we select Duo-SAML.
  8. Click OK.
  9. Click Save.

Configure a WG-Auth Firewall Policy

The Authentication Portal is a page that the Firebox hosts. For the Firebox to allow connections to the Authentication Portal, you must add a WG-Auth firewall policy to the Firebox configuration. A WG-Auth policy allows TCP traffic on port 4100.

To configure a firewall policy:

  1. Log in to Fireware Web UI at:
    https://<your Firebox IP address>:8080
  2. Select Firewall > Firewall Policies.
  3. Click Add Policy.
    The Add Firewall Policy page opens.
  4. Screenshot of Firebox, Add Firewall Policy page

  5. From the Packet Filter drop-down list, select WG-Auth.
  6. Click Add Policy.
    The policy configuration page opens.
  7. Screenshot of Firebox, policy configuration page

  8. From the Settings tab:
    1. In the From section, specify the source of connections the policy applies to.
    2. In the To section, add the Firebox alias.
      For more information about how to configure the source and destination, go to Set Access Rules for a Policy.
  9. (Optional) Select the Send a Log Message check box.
  10. Click Save.
  11. Open a web browser and go to the SP Metadata URL at:
    https://[Host name or Firebox IP address]:4100/auth/saml
    The SAML 2.0 Configuration for WatchGuard Authentication Portal page opens.
  12. Screenshot of Firebox, Authentication Portal metadata

  13. From the Option 2 section, copy the values of these parameters to use when you configure the Authentication Portal as a service provider in Duo:
    • SAML Entity ID:
      https://<host name>:4100/auth/saml
    • Assertion Consumer Service (ACS) URL:
      https://<host name>:4100/auth/saml/acs
    • Single Logout Service (SLS) URL:
      https://<host name>:4100/auth/saml/sls
  14. To download the X.509 Certificate, click Download Certificate.
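As an added example (not part of the WatchGuard guide or Fireware), the following Python script extracts from SP metadata the three values Duo asks for (Entity ID, ACS URL, SLS URL) plus the encryption certificate, and checks that every URL points at the Firebox FQDN on TCP 4100 over HTTPS. The metadata is a constructed sample in the standard SAML 2.0 SP metadata shape; the host name fw.example.com and the certificate body are placeholders, not values from the guide.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample in the shape of SAML 2.0 SP metadata. The host name
# fw.example.com and the certificate body are placeholders, not real values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://fw.example.com:4100/auth/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fw.example.com:4100/auth/saml/sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://fw.example.com:4100/auth/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_settings(metadata_xml):
    """Pull out the values Duo asks for: Entity ID, ACS URL, SLS URL, cert."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    sls = sp.find("md:SingleLogoutService", NS)
    key = sp.find("md:KeyDescriptor[@use='encryption']", NS)
    cert = key.find(".//ds:X509Certificate", NS) if key is not None else None
    return {"entity_id": root.get("entityID"),
            "acs_url": acs.get("Location") if acs is not None else None,
            "sls_url": sls.get("Location") if sls is not None else None,
            "encryption_cert": cert.text.strip() if cert is not None else None}


def check_sp_settings(settings, expected_host):
    """Flag values that do not point at the Firebox FQDN on TCP 4100 over HTTPS."""
    problems = []
    for key in ("entity_id", "acs_url", "sls_url"):
        url = urlparse(settings[key] or "")
        if (url.scheme, url.hostname, url.port) != ("https", expected_host, 4100):
            problems.append(f"{key}: {settings[key]!r} is not https://{expected_host}:4100/...")
    if not settings["encryption_cert"]:
        problems.append("no encryption certificate in metadata")
    return problems
```

A host mismatch is worth catching here: Duo validates the ACS URL it is given, so a value copied from the IP-address form of the metadata page instead of the FQDN form fails at login rather than at configuration time.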

Configure Duo

To configure Duo, complete these steps:

  1. Configure Active Directory for Duo SSO
  2. Synchronize Users from Active Directory to Duo
  3. Configure the Authentication Portal as a Service Provider in Duo

Configure Active Directory for Duo SSO

The Duo Authentication Proxy receives authentication requests and performs primary authentication with Active Directory, then performs secondary authentication with Duo.

To configure Active Directory for Duo SSO:

  1. Install and configure Duo Authentication Proxy on your local network.
  2. Make sure the Authentication Proxy is connected to your directory domain.
  3. Configure Active Directory to authenticate with Duo SSO.
  4. To make sure your users log in to the correct sign-on account, add one or more Permitted Email Domains.
    Each Permitted Email Domain requires ownership verification. Once the DNS TXT record is verified, the Status column changes to Verified, and the users with the verified domain can log in to Duo SSO.
  5. To test your Active Directory configuration before you save it, connect to your Authentication Proxies.
  6. For more information about how to configure Active Directory with Duo SSO, go to the Duo Single Sign-On documentation.

    After you configure Active Directory for Duo SSO, the status of the Active Directory Authentication Resource in Duo is Enabled.

    Screenshot of Duo, Single Sign-On page

  7. From the navigation menu, select Applications > Routing Rules.
    The Routing Rules page opens.
  8. Screenshot of Duo, Routing Rules page

  9. From the Use This Authentication Source drop-down list, select the authentication source you added. In our example, we select Active Directory.
  10. By default, your primary authentication source is configured as an authentication source for your routing rule. For additional authentication sources, make sure to set the default rule to the SAML authentication source you need. Alternatively, you can add a routing rule. For more information, go to How to Use Duo Single Sign-On in the Duo documentation.

  11. Click Save.

Synchronize Users from Active Directory to Duo

Before you synchronize users from Active Directory to Duo, you must:

  • Install and configure Duo Authentication Proxy on your local network.
  • Configure the Active Directory in Duo.
  • Verify the status of the Active Directory authentication source in Duo is Enabled.

You can sync the complete Active Directory, or individual users, from Active Directory to Duo. To view the synchronized users or groups in Duo, go to the Users or Groups page.

The users you sync to Duo must have an email address with Permitted Email Domains verified in the Duo SSO configuration.

For more information about how to sync users from Active Directory to Duo, go to Active Directory Sync for Duo Users and Admins.

For more information about how to enroll users and activate Duo Mobile, go to Enroll Users.

Screenshot of Duo, External Directories page

Screenshot of Duo, synced group from AD

Configure the Authentication Portal as a Service Provider in Duo

Before you configure the service provider application, make sure you Configure Active Directory for Duo SSO and Synchronize Users from Active Directory to Duo.

To create a SAML application and configure the Authentication Portal as a service provider in Duo:

  1. Log in to the Duo Admin Panel.
  2. From the navigation menu, select Applications > Protect an Application.
    The Protect an Application page opens.
  3. Screenshot of Duo, Protect an Application page

  4. In the Application list, for Generic SAML Service Provider, click Protect.
    The Generic SAML Service Provider - Single Sign-On page opens.
  5. Screenshot of Duo, Generic SAML Service Provider Application

  6. (Optional) In the Application Name text box, type a name for this SAML application.
  7. For User Access:
    • To permit access for a specific group, select Enable Only for Permitted Groups, and select the group synced from your Active Directory. In this example, we select DuoGroup.
    • To permit access for all users, select Enable for All Users.

      By default, no users are assigned to the application. This setting applies only to users who exist in Duo with the Active status.

  8. From the Metadata section, copy the value of the Metadata URL parameter. You need this URL to Complete SAML Authentication Server Setup.
  9. In the Service Provider section, from the Metadata Discovery drop-down list, select None (Manual Input).
  10. Screenshot of Duo, SSO Service Provider settings

  11. In the Entity ID text box, paste the SAML Entity ID you copied from the SAML 2.0 Configuration page in the Configure a WG-Auth Firewall Policy section.
  12. In the Assertion Consumer Service (ACS) URL text box, paste the Assertion Consumer Service (ACS) URL you copied from the SAML 2.0 Configuration page in the Configure a WG-Auth Firewall Policy section.
  13. In the Single Logout URL text box, paste the Single Logout Service (SLS) URL you copied from the SAML 2.0 Configuration page in the Configure a WG-Auth Firewall Policy section.
  14. In the SAML Response section, from the NameID Format drop-down list, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
  15. From the NameID Attribute drop-down list, select <Email Address>.
  16. From the Signature Algorithm drop-down list, select SHA256.
  17. Select the Sign Response and Sign Assertion check boxes.
  18. In the Assertion Encryption section, select the Encrypt the SAML Assertion check box.
  19. For Existing Certificate, click Browse to upload the X.509 Certificate you downloaded from the SAML 2.0 Configuration page in the Configure a WG-Auth Firewall Policy section.
  20. From the Assertion Encryption Algorithm drop-down list, select AES256-CBC.
  21. Screenshot of Duo, SAML Assertion encryption

  22. (Optional) If you want to use user authentication, skip to Step 21.
  23. For Map Attributes:
    1. From the IdP Attribute drop-down list, select memberOf.
    2. In the SAML Response Attribute text box, type memberOf.
  24. Screenshot of Duo, SAML Map Attributes

    For SAML Response Attribute, memberOf is the default Group Attribute Name in the IdP settings when you enable SAML in the Firebox authentication server configuration. You can change it if you want, but the two values must match.

  25. Keep the default values for all other settings.
  26. Click Save.
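The guide requires the Firebox group name to equal the Active Directory distinguishedName exactly, case-sensitively, and maps the AD memberOf attribute into the assertion under the same name. As an added example (a model of that rule, not Firebox or Duo code), this Python script parses a constructed, decrypted assertion and reports which configured Firebox groups match, plus near-misses that differ only in case; the user alice@example.com and the group DNs are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of a decrypted assertion as an IdP would issue it after
# mapping AD memberOf to a SAML attribute named memberOf (placeholder DNs).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=DuoGroup,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=VPN Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(assertion_xml, group_attr="memberOf"):
    """Return (NameID format, NameID value, group values) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    path = f"saml:AttributeStatement/saml:Attribute[@Name='{group_attr}']/saml:AttributeValue"
    groups = [v.text.strip() for v in root.findall(path, NS)]
    return name_id.get("Format"), name_id.text.strip(), groups


def match_firebox_groups(configured_groups, assertion_xml, group_attr="memberOf"):
    """Model of the guide's rule: a configured Firebox group matches only when
    its name equals a memberOf value exactly (case-sensitive)."""
    fmt, email, groups = parse_assertion(assertion_xml, group_attr)
    if fmt != EMAIL_FORMAT:
        raise ValueError(f"NameID format {fmt!r}; the guide configures emailAddress")
    matched = [g for g in configured_groups if g in groups]
    # Case-only differences are the usual reason a synced group silently fails.
    lowered = {x.casefold() for x in groups}
    near_misses = [g for g in configured_groups
                   if g not in groups and g.casefold() in lowered]
    return {"user": email, "matched": matched, "case_mismatch": near_misses}
```

Run the same check with group_attr set to whatever Group Attribute Name you typed on the Firebox; if the attribute name differs from the one Duo emits, the group list comes back empty and no group-based policy applies.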

Complete SAML Authentication Server Setup

To complete SAML authentication server setup on your Firebox:

  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080
  2. From the navigation menu, select Authentication > Servers.
  3. Select SAML.
    The SAML page opens.
  4. Screenshot of Firebox, Firebox Auth Server IdP Metadata URL

  5. In the IdP Metadata URL text box, paste the value of the Metadata URL parameter you copied in the Configure the Authentication Portal as a Service Provider in Duo section.
  6. Click Save.

Test the Integration

To test your Firebox Authentication Portal integration with Active Directory and Duo, you can authenticate with three methods: push, passkey, or phone call. In this example, we use the push authentication method. For more information about Duo Two-Factor Authentication, go to Two-Factor Authentication Guidelines in the Duo documentation.

To test multi-factor authentication for your Authentication Portal with Active Directory and Duo:

  1. In a web browser, go to the Authentication Portal:
    https://<Host Name of Firebox SAML Authentication Server>:4100
    The login page appears with a button for the SAML authentication server you configured.
  2. Screenshot of Authentication Portal, test Duo 001

  3. To log in, click the button for the SAML Authentication server. In this example, we click Duo-SAML.
  4. In the Email Address text box, enter the Active Directory user email address with the Permitted Email Domains verified in Duo SSO.

    Screenshot of Duo SSO

  5. Click Next.
  6. In the Password text box, type your user password.
  7. Click Log in.
    Duo SSO prompts you to complete two-factor authentication.
  8. Screenshot of Duo push notification message

  9. Approve the push notification on your Duo Mobile app.
  10. Tap Yes, This is My Device.
    You are logged in to the Authentication Portal.
  11. Screenshot of Duo "Is This Your Device?" message

    Screenshot of successful authentication message in Authentication Portal