SSLVPN SAML Authentication and Firewall Management

Description

SAML (Security Assertion Markup Language) Authentication is a standardized protocol that enables secure Single Sign-On (SSO) between an identity provider (IdP) and a service provider (SP). Instead of managing separate credentials, users authenticate once with the IdP, which issues a digitally signed assertion containing the user’s identity and access rights. The SP consumes this assertion to grant access without directly handling passwords, improving security, centralizing authentication, and simplifying user access across multiple applications.

Steps to enable SAML authentication for SSLVPN are described in "How to configure SAML SSO on firewall for SSLVPN login using Azure AD as IdP?", while steps to enable SAML for Firewall Management are described in "How to configure SAML for SonicWALL firewall administration using OKTA as IdP?".

Cause

Once authenticated with SAML, NetExtender is connected and able to reach the Firewall Management IP.
The username field is already filled in and can't be changed, as expected.

The user is reported as a member of the "SonicWall Administrators" group.

However, the firewall management interface can't be accessed, for the following reasons:
a) Clicking the Disconnect button in NetExtender does not end the session; it is reconnected, because a new SAML authentication process is initiated whenever the SAML SSLVPN profile is in use.

b) If the SAML password for the SSLVPN user is entered and the login button is clicked, an error is reported because there is no local user matching the SSLVPN user.

Resolution

When an SSLVPN client connects using SAML authentication, the user is successfully validated by the Identity Provider (IdP) and gains network access. The appliance’s internal management IP becomes reachable, confirming the tunnel is established. However, access to the appliance’s management interface still requires a corresponding local user account that matches the authenticated SAML identity. Without this local user mapping, the SAML-authenticated session cannot be used to log in to the appliance itself, even though network connectivity is in place. 

The workaround is to create a local user whose name matches the SAML username and make it a member of the SonicWall Administrators group.

A local user with administrator privileges is also needed for the re-authentication step when logging in to Firewall Management.
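To make the distinction in the resolution concrete, here is an added example (not SonicWall code) that models the two decisions separately: the SSLVPN tunnel is granted on the SAML assertion alone, while management access additionally requires a local user on the appliance whose name matches the authenticated identity and who belongs to the SonicWall Administrators group. The assertion, the attribute name "groups", and the use of the NameID as the matched username are constructed assumptions for illustration; signature validation is out of scope here.

```python
"""Added example (not SonicWall code): why a SAML-authenticated SSLVPN
session still needs a matching local user for firewall management."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ADMIN_GROUP = "SonicWall Administrators"

# Constructed sample assertion (shape only; a real one is signed by the IdP
# and the signature must be verified before any of this is trusted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>SonicWall Administrators</saml:AttributeValue>
      <saml:AttributeValue>VPN Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (username, groups) from the assertion; username is assumed to be the NameID."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "groups":  # assumed attribute name
            groups = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return name_id, groups


def sslvpn_access(assertion_xml):
    """The tunnel is granted on the IdP's assertion alone: no local user needed."""
    name_id, groups = parse_assertion(assertion_xml)
    return {"user": name_id, "groups": groups, "tunnel": True}


def management_access(assertion_xml, local_users):
    """Management login needs a local user matching the SAML username.

    local_users: dict mapping local username -> set of local group memberships.
    Returns (allowed, reason).
    """
    name_id, _ = parse_assertion(assertion_xml)
    local = local_users.get(name_id)
    if local is None:
        return (False, "no local user matching SSLVPN user")
    if ADMIN_GROUP not in local:
        return (False, "local user is not in " + ADMIN_GROUP)
    return (True, "ok")


if __name__ == "__main__":
    print(sslvpn_access(SAMPLE_ASSERTION))
    # Symptom from the article: tunnel up, but no local user -> login error.
    print(management_access(SAMPLE_ASSERTION, {}))
    # Workaround: local user with the same name in the admin group.
    print(management_access(SAMPLE_ASSERTION,
                            {"jdoe@example.com": {ADMIN_GROUP}}))
```

Note that the group membership asserted by the IdP does not substitute for the local group membership on the appliance: in this model, as in the article, the local user record is what management login is checked against.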
