Configuring OneLogin as an SMA Authentication Server

10/22/2020 5 3960

DESCRIPTION:

This article provides step-by-step instructions to configure SonicWall Secure Mobile Access 1000 series appliance with OneLogin cloud-based Identity Provider.

RESOLUTION:

Prerequisites

SAML being time-sensitive protocol, enable NTP service on SMA appliance (Services -> Network Services -> NTP) to avoid any time related issues.

To add the SMA application to the OneLogin service:

1. Choose Applications -> Applications top-menu.
2. Click on the Add App button.
3. Search for Sonicwall VPN and select Sonicwall VPN (SAML2.0) application.

   

   

   
   

4. Provide a friendly application name.
5. The logo can be changed.
6. Click on the Save button at the top-right corner.
7. Open Configuration menu again.

   

8. Under Appliance details, provide Workplace FQDN without a trailing slash (Eg: https://vpn.example.com) (Note: This configuration should match the Endpoint FQDN configuration chosen under SAML Authentication server at SMA-1000 appliance.)
9. Click on the Save button.
10. Click on the SSO option on the left menu.

    

11. Under X.509 Certificate section, right-click on View Details and open on new window.
12. Now, under X.509 Certificate, select X.509 PEM option and download the certificate.
13. Go back to application browser tab.
14. Note Issuer URL value.
15. Note SAML 2.0 Endpoint (HTTP) value.

To configure OneLogin as an SMA Authentication Server:

To upload the OneLogin PEM certificate downloaded from OneLogin portal,

1. Go to SSL Settings -> CA Certificates -> certificates -> Edit.
2. Select the OneLogin certificate file.Before importing, under USAGE section, select SAML message verification option and disable all other options.
3. Click Import button.

Make a note of the certificate name.

To Configure OneLogin as authentication server,

1. Click Authentication Servers on left pane-> Click New.
2. Select SAML 2.0 Identity Provider under the USER STORE.
3. Add a friendly name for OneLogin SAML IdP.
4. Add the Appliance ID of OneLogin (Eg: https://vpn.example.com) with no trailing slash.
5. Add Server ID as Issuer URL value noted from OneLogin configuration.
6. Add the Authentication service URL as SAML 2.0 Endpoint (HTTP) value noted from OneLogin configuration.
7. Logout service URL is optional -  configure this option if the user has to log out from OneLogin after logging out of SMA.
8. Under Trust the following certificate select OneLogin certificate.
9. Under Endpoint FQDN, select the FQDN that is provided at OneLogin (vpn.example.com).
10. Click Save and apply the pending changes.

This SAML authentication server can be used in a realm for authentication.