OneLogin SAML Authentication with WatchGuard Access Portal Integration Guide (2024)

Deployment Overview

You can configure Single Sign-On to use SAML authentication and enable your users to log in through one portal and get access to multiple services.

This document describes how to set up SAML authentication through the WatchGuard Access Portal with OneLogin as the Identity Provider.

Integration Summary

Hardware and Service Versions:

  • OneLogin
  • Firebox with Fireware v12.7

Test Topology

In this integration, the OneLogin portal and the WatchGuard Firebox communicate over the public internet.


Configure Your Firebox

Because the WatchGuard Access Portal is a subscription service, before you can enable the Access Portal feature and configure it on your Firebox, you must add an Access Portal license to your Firebox feature key.

To configure the Access Portal settings on your Firebox for OneLogin:

  1. Log in to Fireware Web UI.
  2. Select Subscription Services > Access Portal.
    The Access Portal page appears with the Applications tab selected by default.
  3. Select the Enable Access Portal check box.
  4. Select the SAML tab.
    The SAML tab appears.
  5. Select the Enable SAML check box.
  6. In the Service Provider (SP) Settings section, type the IdP Name and Host Name.
    You add the IdP settings later in this process.
    • IdP Name — Specify a name for the SAML authentication to appear in other Firebox settings as the server name.
    • Host Name — Specify the fully qualified domain name that resolves to the Firebox external interface.
  7. Select Save.
  8. Go to https://<host name>/auth/saml.
  9. Make sure you have this information from the /auth/saml page:
    • SAML Entity ID in this format: https://<host name>/auth/saml.
    • Assertion Consumer Service (ACS) URL in this format: https://<host name>/auth/saml/acs.
    • Single Logout Service (SLS) URL in this format: https://<host name>/auth/saml/sls.
    • The certificate. Copy it; later in this process you paste it into OneLogin as the public key that OneLogin uses to encrypt assertions for this Firebox.


Configure OneLogin

To import the information from the WatchGuard Web UI and to get the IdP Metadata URL:

  1. Log in to your OneLogin Administration account.
  2. Select Applications > Applications > Add App.
  3. In the search text box, type SAML Test Connector.
    A list of connector options appears.
  4. Select SAML Test Connector (Advanced).
  5. On the Portal page, in the Display Name text box, type a descriptive name.
  6. To enable your users to see the application in the portal, select Visible in portal. Select an icon option and upload the icon:
    • Rectangular Icon
    • Square Icon
  7. Click Save.
  8. From the navigation, select the Configuration tab.
  9. Specify these settings:
    • RelayState: leave blank.
    • Audience: https://<your host name>/auth/saml. This is the value labeled SAML Entity ID in the Access Portal pages.
    • Recipient: https://<your host name>/auth/saml/acs. This is the value labeled Assertion Consumer Service (ACS) URL in the Access Portal pages.
    • ACS (Consumer) URL Validator: https://<your host name>/auth/saml/acs, the same ACS URL. OneLogin evaluates this field as a regular expression, so the unescaped URL also matches look-alike hosts; an escaped and anchored expression, for example ^https:\/\/portal\.example\.com\/auth\/saml\/acs$ for a host name of portal.example.com, matches only the exact ACS URL.
    • ACS (Consumer) URL: https://<your host name>/auth/saml/acs, the same ACS URL.
    • Single Logout URL: https://<your host name>/auth/saml/sls. This is the value labeled Single Logout Service (SLS) URL in the Access Portal pages.
  10. From the SAML signature element drop-down list, select Assertion.
  11. Select the Encryption assertion check box.
  12. From the SAML encryption method drop-down list, select AES-256-CBC.
  13. Keep the default values for all other settings.
  14. Click Save.
  15. Select the Configuration tab.
  16. In the SAML Encryption section, for the Public key, paste the certificate you copied from the Firebox /auth/saml page (the WatchGuard SAML 2.0 Configuration for WatchGuard Access Portal).
  17. Select the Parameters tab.
  18. In the Credentials are section, select Configured by admin.
  19. Verify that the NameID value setting is Email.
  20. Click +, and in the Field name text box, type memberOf. In our example, we use group authentication; if you want to use user authentication instead, skip steps 20 to 24.
  21. Select the Include in SAML assertion check box.
  22. Click Save.
  23. From the Value drop-down list, select MemberOf.
  24. Click Save.
  25. Select the SSO tab.
  26. From the SAML Signature Algorithm drop-down list, select SHA-256.
  27. Copy the value of Issuer URL.
    You add this URL to the Firebox SAML configuration as the IdP Metadata URL.
  28. To enable assumed sign-in, select the Allow assumed users to sign into this app check box.
    With this enabled, a OneLogin administrator who assumes a user's identity can sign in to the Access Portal as that user. Leave it cleared if you do not want that.
  29. Keep the default values for all other settings.
  30. Click Save.
  31. To create a group for users, select Users > Groups > New Group.
  32. In the Untitled Group text box, type a descriptive name for the group.
  33. From the Security policy drop-down list, select Default policy.
  34. Click Save.
  35. To add a user in OneLogin, select Users > Users > New User.
    You can add your own user information.
  36. Click Save User.
  37. Select Users > Users and select the user you created.
  38. Select the Authentication tab, and from the User security policy drop-down list, select Default policy.
  39. Select the Applications tab, and in the Applications section, click +.
  40. From the Select application drop-down list, select the SAML Test Connector (Advanced) application you created.
  41. Click Continue.
  42. Select the Allow the user to sign in check box.
  43. Verify that the NameID value is the email address of the user you created.
  44. In the memberOf text box, type the group name you created.
  45. Click Save.
  46. Click Save User.
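Two things worth checking before you move on to the Firebox side: that the URLs you typed into the OneLogin Configuration tab are the ones the Firebox publishes, and that the Issuer URL really serves IdP metadata with a signing certificate and an HTTPS sign-on endpoint. The script below is an added example in Python and is not WatchGuard's or OneLogin's code. It assumes a host name of portal.example.com and a OneLogin app id of 123456, and the metadata document embedded in it is constructed for the example with a placeholder certificate blob. It also shows the ACS URL Validator point from step 9: the literal URL, used as a regex, accepts a look-alike host, and the escaped, anchored form does not.

```python
"""Added example, not WatchGuard's or OneLogin's code: derives the SP values
the Firebox publishes at https://<host name>/auth/saml, shows why the OneLogin
ACS URL Validator should be an escaped and anchored regex, and checks that an
IdP metadata document has what the Firebox needs. The host name, the OneLogin
app id and the metadata document below are constructed for this example."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def sp_settings(host):
    """Values to enter on the OneLogin Configuration tab for this Firebox."""
    base = f"https://{host}/auth/saml"
    return {"Audience": base,                    # SAML Entity ID
            "Recipient": base + "/acs",          # ACS URL
            "ACS (Consumer) URL": base + "/acs",
            "Single Logout URL": base + "/sls"}


def loose_validator_accepts(host, url):
    """What OneLogin does with the literal ACS URL from the guide: the field
    is a regex, so each '.' in the host name matches any character."""
    return re.fullmatch(f"https://{host}/auth/saml/acs", url) is not None


def strict_validator(host):
    """Escaped and anchored: matches the exact ACS URL and nothing else."""
    return r"^https://" + re.escape(host) + r"/auth/saml/acs$"


def strict_validator_accepts(host, url):
    return re.fullmatch(strict_validator(host), url) is not None


# Constructed IdP metadata in the shape OneLogin publishes at its Issuer URL.
# The certificate is a placeholder DER blob, not a real certificate.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/123456">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MAMCAQE=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.onelogin.com/trust/saml2/http-redirect/sso/123456"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.onelogin.com/trust/saml2/http-post/sso/123456"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return the entityID, SSO endpoints and signing-cert count, or raise
    ValueError describing what the Firebox would be missing."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for loc in sso.values():
        if not loc.startswith("https://"):
            raise ValueError(f"SSO endpoint is not https: {loc}")
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means both
            continue
        b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                          default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()), validate=True)
        if der[:1] != b"\x30":                       # DER SEQUENCE tag
            raise ValueError("signing certificate is not DER-encoded")
        certs += 1
    if not certs:
        raise ValueError("no signing certificate to verify assertions with")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs}
```

To use it against the real app, fetch the Issuer URL you copied in step 27 with any HTTP client and pass the body to check_idp_metadata; the entityID it returns is the Issuer the Firebox will expect in every assertion.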

Complete the WatchGuard SAML Setup

From Fireware Web UI:

  1. Select Subscription Services > Access Portal.
  2. Select the SAML tab.
  3. In the IdP Metadata URL text box, paste the value of Issuer URL you copied from the OneLogin setup.
  4. Click Save.
  5. Select Authentication > Users and Groups.
  6. Click Add.
    The Add User or Group page appears. You can add a user or a group. In our example, we add a group. If you add a user instead, the user name must be the user's email address, because that is the NameID value OneLogin sends.
  7. For Type, select Group.
  8. In the Name text box, type a name for the group. The group name must match the memberOf value on OneLogin exactly.
  9. From the Authentication Server drop-down list, select the SAML authentication server; it appears under the IdP Name you specified in the Access Portal SAML settings.
  10. Click OK.
  11. Click Save.
  12. To add an application to the Access Portal, select Subscription Services > Access Portal.
  13. In the Applications section, click Add. In our example, we select Web Application.
  14. In the Name text box, type a descriptive name.
  15. In the URL text box, type the URL of the application.
  16. Click OK.
  17. Click Save.
  18. Select the User Connection Settings tab.
  19. In the User Access section, select Specify the applications available to each user and group.
  20. Click Add.
  21. From the Authentication Server drop-down list, select the SAML authentication server.
  22. From the Type drop-down list, select Group.
  23. In the Name text box, type the group name. The group name must match the memberOf value on OneLogin exactly.
  24. Select the applications that are available to this group.
  25. Click OK.
  26. Click Save.
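The reason the Firebox user name must be the email address and the group name must equal the memberOf value exactly is that the Firebox maps the assertion's NameID and memberOf attribute to its local user and group entries after it has checked the assertion. The script below is an added example in Python, not WatchGuard's code, of the checks a SAML service provider applies at that point: issuer, validity window, audience (the Entity ID), recipient (the ACS URL), NameID format, and then the case-sensitive group match. It assumes a host name of portal.example.com, an IdP issuer of https://app.onelogin.com/saml/metadata/123456 and a group named Portal_Users; the assertion embedded in it is constructed, and is shown unsigned and unencrypted so it can be parsed here, whereas in the configuration above OneLogin signs and encrypts it.

```python
"""Added example, not WatchGuard's code: the checks a SAML service provider
such as the Firebox applies to an assertion before it maps the subject to a
local user or group. The host name, IdP issuer, group name and the assertion
below are constructed; the assertion is unsigned and unencrypted so it can be
parsed here, whereas OneLogin signs and encrypts it in the real exchange."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion for user alice@example.com in group Portal_Users.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/123456</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://portal.example.com/auth/saml/acs"
          NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.com/auth/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Portal_Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in SAML timestamps."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_problems(xml_text, host, expected_issuer, now):
    """Return the reasons to reject the assertion (empty list means accept).
    'now' is a SAML-style UTC timestamp. Signature verification and
    decryption happen before these checks in a real service provider."""
    a = ET.fromstring(xml_text)
    entity_id = f"https://{host}/auth/saml"      # SAML Entity ID
    acs = entity_id + "/acs"                     # ACS URL
    t = _utc(now)
    problems = []
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _utc(cond.get("NotBefore")) <= t < _utc(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its validity window")
    audiences = [x.text for x in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} is not our entity ID {entity_id}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("Recipient is not our ACS URL")
    elif t >= _utc(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired")
    nid = a.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT or "@" not in (nid.text or ""):
        problems.append("NameID is not an email address")
    return problems


def map_subject(xml_text, host, expected_issuer, firebox_groups, now):
    """Return (user name, matched Firebox groups) or raise ValueError.
    The user name is the email NameID; groups must match exactly, including
    case, which is why the Firebox group name must equal the memberOf value."""
    problems = assertion_problems(xml_text, host, expected_issuer, now)
    if problems:
        raise ValueError("; ".join(problems))
    a = ET.fromstring(xml_text)
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    sent = [v.text for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='memberOf']/saml:AttributeValue", NS)]
    return name_id, [g for g in sent if g in firebox_groups]
```

A group entered on the Firebox as portal_users matches nothing here even though OneLogin sends Portal_Users, and an assertion issued for a different host name fails on both Audience and Recipient, which is the behaviour you want if an assertion for another service provider is ever replayed at this one.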

Test the Integration

After you complete these configuration steps, users in the group you added can sign in either from the OneLogin portal or directly at a resource configured for OneLogin Single Sign-On.

  1. Type the URL for the portal in this format: https://<host name>.
    The Log In page appears with the name of the SAML portal you configured at the top of the page.
  2. To log in, click the name of the SAML portal. In this example, we click My_OneLogin.
  3. Complete the authentication process in OneLogin.
    After successful authentication, the user gets access to the applications you made available to the group.


© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.
