SonicWall CSE: Single Sign On using SAML2.0

Description

For security reasons, SonicWall Cloud Secure Edge (CSE) handles Admins and Users completely separately.
Admins manage access control security policies via the Command Center and API.
Users use their Devices to access Services that are secured by CSE’s enforcement components. To manage users, refer to the articles on configuring IDPs.

Admin access to the Command Center can be configured for Single Sign On Identity Provider via the SAML2.0 protocol. Follow the instructions for a generic SAML IDP, or see step-by-step instructions for Okta and Azure AD.

 

Single Sign On using SAML2.0

Overview #

Admin access to the Command Center can be configured for Single Sign On Identity Provider via the SAML2.0 protocol. Most SSO SAML providers can be configured following these instructions, however you can also review step-by-step instructions for Okta and Azure AD.

Steps #

1. Configure your SAML2.0 Identity Provider (IdP) #

In your IDP, enter the following values so Cloud Secure Edge (CSE) is set up as a Service Provider (SP).

A) Single Sign On URL

The CSE Org Settings page will provide you a Single Sign On (SAML ACS) URL of the form https://net.banyanops.comapi/v1/sso?orgname=your_org_name.

Place this parameter where your IdP asks for:

  • Assertion Consumer Service URL (also called Recipient or Single Sign On URL)
  • Service Provider Entity ID (also called Audience URI or Service Provider Issuer)

B) Assertion Subject Statements

CSE uses your email address as your username, so set that in the Assertion Subject Statements.

  • Name ID Format should be EmailAddress
  • Application Username should be Email

C) Other Notes

Some IdP’s ask for the Service Provider Certificate - this is used to verify the signature of SAML requests, but it is safe to skip this step.

2. Configure your Org Setting in the Command Center #

In the Command Center, in the Org Settings page, set the Identity Provider to SAML 2.0. Then, enter the following details.

A) Identity Provider Metadata

You can enter either your Identity Provider’s Metadata URL or the “raw” Metadata XML file from your Identity Provider.

CSE will automatically obtain the IDP SSO URL, IdP Entity ID, IdP x.509 Certificate, IdP Issuer URL and other parameters needed to set up SAML 2.0.

B) Identity Provider Issuer URL

As a configuration check, also provide the IDP Issuer URL.

C) Save the configuration

Click on the “Update Settings” button to save the configurations.

D) (Optional) Set the Admin Profiles

By default, admins who access the Command Center using SAML are assigned a “ReadOnly” profile. You can update their profile in the Org Settings section of the Command Center.

 

Single Sign On using SAML2.0 - Okta

Overview #

Admin access to the Command Center can be configured for Okta via the SAML2.0 protocol.

Steps #

Please review Okta’s guide for additional information.

1. Add “Command Center Application” to your Okta Organization

1.1 Log in to your Okta admin console, and then navigate to Applications and click Add Application.

1.2 Search for “Banyan” and then select the option Command Center.

1.3 On the app overview page, click Add.

1.4 On the General Settings page, select Done.

2. Assign Okta users and/or groups

2.1 Assign the Okta users and/or groups who will access the Command Center.

3. Note the Okta IdP Settings and enter them in the Banyan Command Center

3.1 Navigate to the Sign On tab and then right-click the Identity Provider metadata link to note the URL (which you will enter in the Command Center in step 3.5).

3.2 Select the Identity Provider metadata link to open the metadata contents in a new browser tab.

3.3 From the metadata contents, note the Entity URL or ID (which you will enter in the Banyan Command Center in step 3.5).

3.4 Log into the Banyan Command Center, and navigate from Settings > Identity and Access tab > Admin tab.

3.5 Set Sign-On Method to Single Sign On - SAML 2.0 and then enter the IdP details from Okta:

  • For IDP Issuer URL, enter the Entity URL or ID noted in step 3.3.
  • For IDP Metadata URL, enter the Identity Provider metadata URL noted in step 3.1.

3.6 Select Update.

3.7 Copy the Org Name, which will be used in step 3.9.

3.8 In the Okta admin console, select the Sign On tab for the Command Center app, then click Edit.

3.9 Scroll down to the Advanced Sign-on Settings and then enter the Org Name noted in step 3.7.

3.10 Select Save.

4. (Optional) Set the Admin Profile in the Org Settings section

By default admins who access the Command Center using SAML are assigned a “ReadOnly” profile. You can update their profile in the Org Settings section of the Command Center.

 

Single Sign On using SAML2.0 - GSuite

Overview #

Admin access to the Command Center can be configured for GSuite via the SAML2.0 protocol.

Steps #

Please review Google’s guide for additional information.

1. Add a Cloud Secure Edge Admin app to your GSuite org:

1.1 In your GSuite Admin account, navigate from Apps > Web & mobile apps, and select Add App.

1.2 Select Add Custom SAML app.

2. Enter App details:

2.1 Enter your app’s name (e.g., Cloud Secure Edge Admin) and description, then select Continue.

3. Enter Google Identity Provider details:

3.1 In the Command Center, navigate from Admin Sign On > Sign On Settings, and then select SAML as the single sign on method.

3.2 Copy the GSuite Entity ID (under Option 2: Copy the SSO URL, entity ID, and certificate), and paste the value into the IDP Issuer field in the Command Center Sign on Settings.

3.3 Download the GSuite IDP metadata (under Option 1: Download IdP metadata), and open the downloaded metadata with a text editor. Copy the contents of downloaded file and paste into the IDP Raw metadata field in the Command Center Sign on Settings. Ensure that you remove any trailing spaces in the copied contents of the file.

4. Enter Service provider details:

4.1 Copy SP issuer and entity ID from CSE Sign on Settings and paste into the ACS URL and Entity ID fields in your GSuite admin account respectively, then select Continue.

5. Add Attribute mapping:

5.1 Select ADD MAPPING and then select Primary email as a Google directory attribute, and enter Primary email as the App attribute. Then, select Finish.

6. Test SAML Login:

6.1 Ensure that access is turned on for desired user groups in your org by selecting the Service Status (i.e. OFF for everyone). Select ON for everyone or turn on for selected Groups, and then Save.

6.2 Select Test SAML Login and verify that logging into CSE works.

 

Single Sign On using SAML2.0 - Entra ID (formerly Azure AD)

Overview #

Admin access to the Command Center can be configured for Entra ID via the SAML2.0 protocol.

Steps #

Please review Azure AD’s guide for additional information.

1.1 Log in to your Entra ID Portal, and then navigate to Enterprise Applications and select New application.

1.2 Search for “Banyan” and then select the Banyan Command Center option.

1.3 On the app overview page, select Create.

2. Assign users and groups #

2.1 On the Overview page, select 1. Assign users and groups under Getting Started.

2.2 Assign the users and/or groups who will access the Banyan Command Center.

3. Set up single sign on #

3.1 In the Command Center, navigate from Settings > Identity and Access tab > Admin tab. Note the Redirect URL (SAML ACS) in the form of https://net.banyanops.com/sso?orgname=your_org_name. You will use this value in Step 3.5.

Replace “your_org_name” with your org name used in the Command Center.

3.2 In the Azure AD Overview page, click 2. Set up single sign on under Getting Started.

3.3 Under Select a single sign-on method, select SAML.

3.4 Under Step 1 Basic SAML Configuration, click Edit.

3.5 Enter the URL copied from step 3.1 for the values below:

  • Identifier (Entity ID)
  • Assertion Consumer Service URL

3.6 Save.

4. Verify your User Attributes & Claims #

4.1 Cloud Secure Edge (CSE) uses your email address as your username attribute. Verify your User Attributes & Claims that will be presented to CSE. The Name ID Format should map to Email address or user principal name.

5. Configure your Org Setting in the Command Center #

5.1 In the Azure AD Portal, navigate back to the SAML-based Sign-on configuration page.

5.2 Under Step 3 SAML Signing Certificate, copy the App Federation Metadata Url.

5.3 Under Step 4 Set up the Command Center, copy the Azure AD Identifier. This URL should start with https://sts.windows.net

5.4 In the Command Center, navigate from Settings > Identity and Access tab > Admin tab.

5.5 In Sign-on Settings, set Sign-On Method to Single Sign On - SAML 2.0.

5.6 Enter the IdP Issuer URL (from step 5.3). The URL should start with https://sts.windows.net

5.7 Enter the IDP Metadata URL (from step 5.2). The IDP Metadata URL should start with https://login.

CSE will automatically obtain the IdP SSO URL, IdP Entity ID, IdP x.509 Certificate, and other parameters needed to set up SAML 2.0 with Azure AD.

5.8 Select Update to save the configuration.

6. (Optional) Set the Admin Profile in the Org Settings section #

By default admins who access the Command Center using SAML are assigned a “ReadOnly” profile. You can update their profile and change permissions by navigating to Manage Admins and clicking on the admin user in the Banyan Command Center.

Related Articles

  • Authorization Error: Unregistered user device with email
    Read More
  • CSE provisioning never completes when MySonicWall Company name does not start with a letter
    Read More
  • Routing Cloud Secure Edge (CSE) Traffic to Remote Sites via Site-to-Site VPN
    Read More

Categories

Cloud Secure Edge
not finding your answers?
Ask the Community