How to apply CFS policies to SAML User Groups using OKTA as IdP?

Description

SAML is an XML-based open standard for Single Sign-On (SSO) that removes the need for application-specific passwords: the Identity Provider (IdP) authenticates the user and sends a signed assertion carrying the user's identity and attributes to the Service Provider (SP), which uses them for its authentication and authorization decisions.

SonicOS 7.2 introduces SAML 2.0 Support for Management Access, User Authentication, and SSLVPN authentication.

In this article, we will demonstrate how to configure SAML authentication for User authentication. While we use Okta as the Identity Provider (IdP) in this example, the steps can be adapted for any SAML-compliant IdP.

Resolution

Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

This article explains how to apply Content Filtering Service (CFS) policies to SAML-based user groups on a SonicWall firewall.

The configuration is divided into three sections for clarity:

  • Configuring CFS policies for user groups
  • Configuring SAML-based User Level Authentication and mapping SAML users to SonicWall user groups
  • Configuring the Access Rule for ULA [User Level Authentication]

By the end of this article, you will be able to enforce CFS policies based on user groups when users authenticate through a SAML Identity Provider (IdP).

Configuring CFS policies for user groups

  • Navigate to DEVICE | Users > Local Users & Groups - Local Groups

  • Click Add group. A Pop-up screen will appear.

     

  • Under GENERAL SETTINGS | Membership Settings, Select Members are set locally only

  • Add the name for the group. For this example, we are using Finance as the group name. Click Save. (Do not add any members to the group; SAML users are placed in it at login based on the group attribute sent by the IdP.)



  • Navigate to OBJECT | Profile Objects > Content Filter. Click Add to create a new CFS Profile. A pop-up screen will appear. For more information on how to create CFS profile Objects, Action Objects, and URI lists, etc., please refer to CFS 4.0 Overview



  • Under GENERAL CONFIGURATION, add a Name for the profile. For this example, I am using Finance CFS Profile.



  • Under Category, allow or block the categories based on your requirements. For this example, I will block the Social Media/Internet Communication category.



  • Navigate to the Advanced tab and set the slider for Enable HTTPS Content Filtering to ON, so that the profile also applies to HTTPS sites (which the firewall classifies by the server name in the TLS handshake or certificate). Click Save to save the changes.



  • Navigate to POLICY | Rules and Policies > Content Filter Rules. Click Add to create a new Policy. A Pop-up screen will appear.



  • On the Add CFS Policy page, add the following:

    Name: The Name of the CFS Policy
    Source Zone: The Network Zone where the Users are located.
    Destination Zone: WAN
    Source Address Included: Any [You may select an Address Object/Group if you want to apply the Policy to specific IP addresses].
    Source Address Excluded: None [You may select an Address Object/Group if you do not want to apply the Policy to some IP addresses].
    User/Group Included: Finance [You may select a User/ User Group that you want to apply the Policy to]
    User/Group Excluded: None [You may select a User/ User Group if you do not want to apply the Policy to any User/ User Group]
    Schedule: Always On [You may change it based on your requirements]
    Profile: Finance CFS Profile [You can use the Profile that you have created.]
    Action: Default Action




Configuring SAML-based User Level Authentication and mapping SAML users to SonicWall user groups.

Configuring the SAML Service Provider (SP).

  • Navigate to DEVICE | Users > Settings - Authentication.

  • Under SAML CONFIGURATION, click Configure on the SAML Service Provider. A pop-up screen will appear.


     

  • On the SAML Service Provider dialog box, click Add.


     

     

  • In the SAML Service Provider dialog box, enter the following information:

      • In the Name field, enter the name of the service provider.

      • In the Type drop-down, select the type of identifier for the service provider.

        • IP: If you want the SP URLs (such as the identifier/entity ID URL and the ACS URL) to be generated from the IP address, select IP. This is the IP of the firewall interface associated with the service.

        • Domain: If you want the SP URLs, such as the identifier/entity ID URL and the ACS URL, to point to a specific domain, select Domain. Make sure that you have the necessary DNS configuration in place to link this to the firewall interface IP associated with the service.

      • In the Address Object drop-down, select the address object associated with the service provider/Firewall interface.

      • In the Service drop-down, select HTTPS Management. Click Save.



        For this example, I am using Name as X0_ULA, Address Object as X0 IP, Type as IP, and Service as HTTPS Management.

      •  In the SAML Service Provider dialog box, click Export. A Pop-up screen will appear.



      • Enter the SAML Profile Name in the Export SP Metadata dialog box and click Export. The SP Metadata XML file will download. We can use the SP Metadata to configure the SP details on the IdP.

         

        NOTE: When setting up the SAML profile later, ensure that you use the same SAML profile name.

    • Close the SAML Service Provider dialog box.

    Configuring the Identity Provider (IdP)

     

    • Log In to your Okta Admin Console.

    • Navigate to Directory | People. Click Add person. If you already have the User(s) created, you can skip this step.

    • Fill in the details of the User that will be authenticating via the ULA on the firewall.



    • Under Directory | Groups, Click Add group. A pop-up screen will appear.



    • In the Add Group Dialog box, specify the name for the Group and click Save.

      Note:
      The group name must exactly match the group name on the firewall, because the firewall receives the group name as an attribute in the SAML assertion and uses it to assign membership and apply the matching policies. The firewall accepts that attribute because the assertion is signed by the IdP whose certificate it imports later in this procedure, so whoever administers group membership and attribute statements in Okta effectively controls which firewall policies apply to the user.



    • Under Directory | Groups, click on the Group created. It will open the Group settings. For example, we will click on Finance.

    • Click on Assign People. A new window will open that will list all the users created on Okta.

       

    • Click the + icon next to the Fin One user to assign it to the Finance Group. Click Done after this.

       

    • Under Applications | Applications, click Create App Integration.


    • Select SAML 2.0 on the next page and click Next.


    • Under the App Name field, add a name for the App, and then click Next.



    • Open the SP metadata file exported in the Configuring the SAML Service Provider (SP) section above. Note the entityID URL and the ACS URL (the AssertionConsumerService Location) from the metadata file.

    • On Okta, add the following:

      • Under the Single sign-on URL, add the ACS URL.

      • Leave the Use this for Recipient URL and Destination URL checkbox enabled.

      • Under the Audience URI, add the entityID URL.

      • For Name ID format, choose Transient.



      • Under Attribute Statements (optional), add the following:

        • Under the Name field, add username

        • Under the Value field, select user.email.

      • Under Group Attribute Statements (optional), add the following:

        • Under the Name field, add group.

        • Under Filter, set the dropdown to Equals and add Finance in the text box. This sends only the Finance group; if your users belong to several groups that also exist on the firewall, use a Starts with or Matches regex filter that covers those names instead. Only values that match a local group on the firewall result in membership.

      • Click Next.



      • For the App type, select This is an internal app that we have created, and click Finish.


    • On the Right-hand side, under the SAML setup, click View SAML setup instructions, and a new page will open.


    • On the new page, scroll to the bottom. Under the Optional section is the IdP metadata (Okta's entityID, the sign-on URL and the signing certificate). Copy all of that text into a text editor and save it as an XML file.

       

    • Navigate back to the Application Integration that was created on the IdP.  Click Assignments | Assign. You will see 2 options: Assign to People and Assign to Groups



    • Select one as per your preference.  For this example, I will use Assign to People and Select Fin One User. Click Done.



    • Click Save and Go Back on the Next page, and then click Done.



    Configuring SAML Identification Provider on the firewall.

    • Navigate to DEVICE | Users > Settings - Authentication.

    • Under SAML CONFIGURATION, click Configure on the SAML Identification Provider.

      We can configure the SAML Identity Provider in either of the following ways:

      • Import from File

      • Add Manually



    • On the SAML Identification Provider dialog box, click Import from File.


    • Add a name under the Name field and select Add File, and choose the SAML Setup Instructions XML file that was copied from Okta. Click Next.

       

    • You will notice the SAML IDP Server ID, the Authentication Service URL, and the Certificate auto-populated.

       

    • Open Okta Admin Console, Navigate to Applications | Applications. Click the Application that we created. Under the Sign On tab, you will see a Sign out URL. Copy it.

     

  • On the Firewall SAML Identification Provider dialog box, add the copied URL under the Logout Service URL.

  • Under User Name Attribute, add username.

  • Under Group Name Attribute, add group

  • Click Save.



  • You will see a Pop-up screen mentioning that the necessary Address Groups and Access rules will be created. Click Continue and then OK on the next page.



  • You might get a pop-up saying Restart Required. You can Cancel the pop-up and choose to restart later.



Configuring SAML Profile on the firewall.

  • Navigate to DEVICE | Users > Settings - Authentication.

  • Under SAML CONFIGURATION, click Configure on the SAML Profile.



  • SAML Profile dialog box will open. Click Add.


  • In the next window, add the Name for the SAML Profile. For this example, we will use X0_ULA.

    NOTE: Ensure that you use the same SAML profile name that was used while exporting SP Metadata. 

  • Select the IdP under the Select IdP field. For this example, we will select X0_ULA_Auth from the dropdown.

  • Select the SP under the Select SP field. For this example, we will select X0_ULA from the dropdown.

  • Use a certificate to sign SP request: signs the authentication requests the firewall sends to the IdP with a certificate of your own, so the IdP can verify that each request originated from the firewall. This is optional, and the IdP must be configured to expect signed requests.

    NOTE: The certificate needs to be imported before configuring the SAML profile. 

  • Enable Single Logout. You can choose to enable it or leave it disabled. This allows a user to be logged out from all SAML-connected applications and sessions when they log out from one.

  • Enable this profile for HTTPS Management. This activates the profile for the service selected on the SP (HTTPS Management in this example).

  • Click Save after configuring the above settings. You will see a success message at the top.



  • On the SAML Profile dialog box, you will see the newly created profile. Click Close.



Configuring the Access Rule for ULA [User Level Authentication].

  • Navigate to POLICY | Rules and Policies > Access Rules.

  • From the Matrix Select LAN to WAN.



  • Edit the rule and open the Users & TCP/UDP tab.

    From the dropdown, choose Trusted Users for the Include field. Trusted Users covers every authenticated user; the Finance-specific restriction comes from the CFS policy created earlier, not from this rule.

    Enable the checkbox Authenticate via SAML.

    For the SAML Profile, select the SAML profile created. For this example, we will use X0_ULA.

    Click Save.

    NOTE: Once this rule requires authentication, traffic from a host whose user has not logged in is dropped by it. Only HTTP and HTTPS connections can be redirected to the login page, so a user must open a browser before other applications on that host can reach the WAN through this rule.



Testing CFS Policies:

  • Open a web browser and try accessing any website.  For this example, I am trying to access example.com

    You will notice a certificate error if the certificate presented on the firewall management IP address is not trusted by the client. Click Proceed at the bottom of the page. For production use, import a certificate the clients trust (for example one issued by your internal CA) for the interface used in the SP configuration; users who are trained to click through this warning will also click through a real interception.



  • You will notice an Authentication Required Prompt. Click on Click here to log in.



  • You will see the Identity Provider (IdP) Authentication Page. Authenticate using the User created on the IdP. We will use Fin One for this example.



  • After successful authentication, you will see a pop-up confirming the login.

  • Try accessing facebook.com, and you will see the block page, as the social media category is blocked under the Finance CFS Profile created earlier. A block page can only be displayed for an HTTPS site if DPI-SSL client inspection is decrypting the session; with HTTPS Content Filtering alone the site is still blocked, but the browser shows a connection reset or error instead of the block page.

Additional Checks.

  • Ensure HTTPS User Login is enabled on the interface configured under the Service Provider. For our example, we will check the configurations for the X0 Interface.

    Navigate to NETWORK | System > Interfaces and Edit the Interface



  • Under the USER LOGIN, make sure HTTPS is enabled. Click OK if you make any changes.



  • To confirm that the group attribute is passed from the IdP to the firewall (SP) when the user logs in, navigate to DEVICE | Users > Status.

    You will see the SAML user logged in. Hover the mouse pointer over the User Groups column for that user, and you should see the group name that was assigned on the IdP. If the user is listed but no group appears, check that the attribute name (group) and the group value in the Okta attribute statement match the Group Name Attribute and the local group name on the firewall exactly.
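When a SAML user logs in but Users > Status shows no group, or the login is rejected, the quickest check is to capture the SAMLResponse form field the browser posts to the ACS URL (browser developer tools, Network tab) and read it. The Python script below is an added example, not SonicWall or Okta code; it decodes a constructed sample response (placeholder URLs and identifiers, no XML signature) and compares Destination, Recipient, Audience, the validity window, the NameID format and the username/group attributes with what the firewall's SP configuration expects, including the exact group-name match the article relies on. It does not verify the XML signature; that is the firewall's job, using the certificate imported from the IdP metadata, and it is what makes the group attribute trustworthy in the first place.

```python
"""Decode and sanity-check a SAMLResponse posted to the firewall's ACS URL.

Added example, not SonicWall or Okta code. The response below is a constructed
sample with placeholder URLs and identifiers and no XML signature, so only the
contents are checked; the signature (the actual basis of trust) is verified by
the firewall against the IdP certificate it imported.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample. Audience = SP entityID, Destination/Recipient = ACS URL (as set in
# Okta from the exported SP metadata); attribute names match the firewall's User Name
# Attribute (username) and Group Name Attribute (group). "Everyone" is Okta's default group.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2025-01-01T12:00:00Z" Destination="https://192.0.2.1/saml/X0_ULA/acs">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE0000000000</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2025-01-01T12:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE0000000000</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t9f2</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2025-01-01T12:05:00Z"
            Recipient="https://192.0.2.1/saml/X0_ULA/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2025-01-01T11:55:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://192.0.2.1/saml/X0_ULA</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>fin.one@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>Finance</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually posts in the SAMLResponse form field.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _ts(value):
    """SAML timestamps are UTC ISO 8601; Okta may add fractional seconds."""
    return datetime.strptime(re.sub(r"\.\d+", "", value), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _window_ok(cond, now):
    """Conditions: NotBefore <= now < NotOnOrAfter (NotBefore is optional)."""
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False
    nb = cond.get("NotBefore")
    return (nb is None or _ts(nb) <= now) and now < _ts(cond.get("NotOnOrAfter"))


def inspect_response(saml_response_b64, sp_entity_id, acs_url, firewall_groups,
                     user_attr="username", group_attr="group", now=None):
    """Compare a decoded SAMLResponse with the firewall's SP settings and local group names."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled here)")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    groups = attrs.get(group_attr, [])
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "signed": root.find("ds:Signature", NS) is not None or assertion.find("ds:Signature", NS) is not None,
        "destination_ok": root.get("Destination") == acs_url,
        "recipient_ok": scd is not None and scd.get("Recipient") == acs_url,
        "audience_ok": sp_entity_id in audiences,
        "name_id_transient": name_id is not None and name_id.get("Format") == TRANSIENT,
        "in_validity_window": _window_ok(assertion.find("saml:Conditions", NS), now),
        "username": (attrs.get(user_attr) or [None])[0],
        "groups_sent": groups,
        # Exact string comparison: keep IdP group names identical to the firewall's local group names.
        "groups_matched": [g for g in groups if g in firewall_groups],
        "groups_unmatched": [g for g in groups if g not in firewall_groups],
    }


if __name__ == "__main__":
    report = inspect_response(SAMPLE_RESPONSE_B64, "https://192.0.2.1/saml/X0_ULA",
                              "https://192.0.2.1/saml/X0_ULA/acs", {"Finance"}, now="2025-01-01T12:01:00Z")
    for key, value in report.items():
        print("%-20s %s" % (key, value))
```

Paste the real SAMLResponse value in place of the sample and the entityID and ACS URL from your exported SP metadata; a group listed under groups_unmatched is one Okta sent that has no identically named local group on the firewall, which is the usual reason a user authenticates but the CFS policy does not apply.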


