How to configure SAML for SonicWALL firewall administration using OKTA as IdP?

Description

SAML is an XML-based open standard for Single-Sign-On (SSO) that eliminates the need for application-specific passwords. SAML enables secure authentication and authorization between Identity Providers (IdPs) and Service Providers (SPs).

SonicOS 7.2 introduces SAML 2.0 Support for Management Access, User Authentication, and SSLVPN authentication.

In this article, we will demonstrate how to configure SAML authentication for firewall management in SonicOS 7.2. While we use Okta as the Identity Provider (IdP) in this example, the steps can be adapted for any SAML-compliant IdP.

Resolution for SonicOS 7.X

SonicOS 7.X includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


Please refer to the following steps while configuring SAML authentication for firewall management.

Configuring the SAML Service Provider (SP).

  • Navigate to DEVICE | Users > Settings - Authentication.

  • Under SAML CONFIGURATION, click Configure on the SAML Service Provider.

    Image

  • On the SAML Service Provider dialog box, click Add.

    Image

  • In the SAML Service Provider dialog box, enter the following information, click Save, and then close the dialog box:

    • In the Name field, enter the name of the service provider.

    • In the Type drop-down, select the type of identifier for the service provider.

      • IP: Select IP if you want the SP URLs (the identifier/entity ID URL and the ACS URL) to be generated from the IP address of the firewall interface associated with the service.

      • Domain: Select Domain if you want the SP URLs (the identifier/entity ID URL and the ACS URL) to point to a specific domain name. Make sure that the necessary DNS configuration is in place so that the domain resolves to the firewall interface IP associated with the service.

    • In the Address Object drop-down, select the address object associated with the service provider/Firewall interface.

    • In the Service drop-down, select HTTPS Management.

      Image

      NOTE: The information you configure for the Service Provider generates the following two values, which are needed on the IdP side:
      • Identifier ID, also known as Entity ID
      • Reply URL, also known as ACS URL
  • Click Close to exit the SAML Service Provider dialog box.

Exporting Service Provider (SP) Metadata.

  • Click the Configure button next to SAML Service Provider.

    Image

  • In the SAML Service Provider dialog box, click Export SP Metadata for the Service Provider.

    Image

  • Enter the SAML Profile Name in the Export SP Metadata dialog box and click Export. The SP Metadata XML file will download. We can use the SP Metadata to configure the SP details on the IdP.

    Image

    NOTE: When setting up the actual SAML profile later, ensure that you use the same SAML profile name.


  • Close the SAML Service Provider dialog box.

Configuring the Identity Provider (IdP).

  • Log In to your Okta Admin Console.

  • Navigate to Directory | People. Click Add person.

    Image

  • Fill in the details of the User who will act as a Firewall Administrator and Save. If you already have the User(s) created, you can skip this step.

    Image

  • Under Directory | Groups, create a group and name it SonicWALL Administrators.

    NOTE: The group name must exactly match the SonicWALL Administrators group name on the firewall. The group name is sent to the firewall as an attribute, and that is how SonicWall grants administrator privileges to the admin user.

    Image

  • Click on Assign People. A new window will open that will list all the users created on Okta.

    Image

  • Click the + icon next to the fw admin user to assign it to the SonicWALL Administrators Group. Click Done after this.

    Image

  • Under Applications | Applications, click Create App Integration.

    Image

  • Select SAML 2.0 on the next page and click Next.

    Image

  • Under the App Name field, add a name for the App, and then click Next.

    Image

  • Open the SP Metadata file that we exported under the Exporting Service Provider (SP) Metadata section above. Note the entityID URL and the ACS URL from the metadata file.

  • On Okta, add the following:

    • Under the Single sign-on URL, add the ACS URL.

    • Leave the Use this for Recipient URL and Destination URL checkbox enabled.

    • Under the Audience URI, add the entityID URL.

    • For Name ID format, choose Transient.

      Image

  • Under Attribute Statements (optional), add the following:

    • Under the Name field, add username.

    • Under the Value field, select user.email.

  • Under Group Attribute Statements (optional), add the following:

    • Under the Name field, add group.

    • Under Filter, set the Dropdown to Starts with and add SonicWALL Administrators in the Text Box.

  • Click Next.

    Image

  • For the App type, select This is an internal app that we have created, and click Finish.

    Image

  • On the right-hand side, under SAML Setup, click View SAML setup instructions. A new page will open.

    Image

  • On the new page, scroll to the bottom of the page. Under the Optional section, copy all text to a notepad and save it as an XML file.

    Image

  • Click Assignments | Assign. You will see 2 options: Assign to People and Assign to Groups. Select one as per your preference.

    Image

  • Assign the fw admin user (if you selected Assign to People) or the SonicWALL Administrators group (if you selected Assign to Groups). For this example, I am going to assign the fw admin user.

    Image

  • Confirm the Username on the next page and click Save and Go Back.

    Image

  • Click Done.

Configuring SAML Identification Provider on the firewall.

  • Navigate to DEVICE | Users > Settings - Authentication.

  • Under SAML CONFIGURATION, click Configure on the SAML Identification Provider.

    We can configure the SAML Identity Provider in either of the following ways:

    • Import from File

    • Add Manually

      Image

  • On the SAML Identification Provider dialog box, click Import from File.

    Image

  • Add a name under the Name field, select Add File, and choose the SAML Setup Instructions XML file that was saved from Okta. Click Next.

    Image

  • You will get a pop-up saying Restart Required. You can Cancel the pop-up and choose to restart later.

  • You will notice Name, SAML IDP Server ID, Authentication Service URL, and Certificate auto-populated.

    Image

  • Open the Okta Admin Console and navigate to Applications | Applications. Click the application that we created. Under the Sign On tab, you will see a Sign out URL; copy it.

    Image

  • On the Firewall SAML Identification Provider dialog box, add the copied URL under the Logout Service URL.

  • Under User Name Attribute, add username.

  • Under Group Name Attribute, add group.

  • Click Save.

    Image

  • Click Close to exit the SAML Identification Provider dialog box.

    Image

Configuring SAML Profile on the firewall.

  • Navigate to DEVICE | Users > Settings - Authentication.

  • Under SAML CONFIGURATION, click Configure on the SAML Profile.

    Image

  • A SAML Profile dialog box will open. Click Add.

    Image

  • In the next window, add the Name for the SAML Profile. For this example, we will use X1_FW_MGMT.

    NOTE: Ensure that you use the same SAML profile name that was used while exporting SP Metadata under the Exporting Service Provider (SP) Metadata section above.

  • Select the IdP under the Select IdP field. For this example, we will select X1_FW_MGMT from the dropdown.

  • Select the SP under the Select SP field. For this example, we will select X1_MGMT from the dropdown.

  • Use a certificate to sign SP request: this is optional. It protects the SP connections associated with the IdP by signing the SP requests with your own certificate.

    NOTE: The certificate needs to be imported before configuring the SAML profile.

  • Enable Single Logout: this is optional. When enabled, logging out from one SAML-connected application logs the user out from all SAML-connected applications and sessions.

  • Enable this profile for HTTPS Management. This enables the profile.

  • Click Save after configuring the above settings. You will see a success message at the top.

    Image

  • On the SAML Profile dialog box, you will see the newly created profile. Click Close.

    Image

Additional Checks.

  • Ensure HTTPS Management and HTTPS User Login are enabled on the interface configured under the Service Provider. For our example, we will check the configurations for the X1 Interface.

    Navigate to NETWORK | System > Interfaces and Edit the Interface.

    Image

  • Under the MANAGEMENT and USER LOGIN, make sure HTTPS is enabled. Click OK if you make any changes.

    Image

  • Ensure that the SAML profile is enabled for Management.

    Navigate to DEVICE | Settings > Administration - Management. Click on SAML Profiles.

    Image

  • The SAML Profiles For Management dialog box will open. Make sure the profile that you have created is enabled. Click Apply if you make any changes.

    Image

Login test.

  • Open the GUI for the firewall. For this example, I will use the X1 IP and try to log in externally. Click on the Single Sign On option.

    Image

  • The browser will redirect, and the IdP authentication page will open. For this example, the Okta login page will open. Use the administrator account that has been created for managing the firewall to Sign In. If you have set up 2FA on the IdP, please add the 2FA code as well.

    After successful authentication on the IdP, you will see the SonicWall Session Status window. You will be able to see the logged-in user. It will also show the privileges of the user. Click Manage to open the firewall management.

    Image

  • Under DEVICE | Users > Status - Users, you will be able to see the SAML user logged in. It will also show the PRIVILEGE SETTING.

    Image

  • Navigate to MONITOR | Logs > System Logs. You will be able to see the following logs:

    Image
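What decides the privilege shown at login is the content of the assertion Okta sends: the NameID format chosen in the app, the username attribute, and the group attribute whose value must exactly match the SonicWALL Administrators group name on the firewall. The following added example (not SonicWall's or Okta's code) inspects a constructed, unsigned SAML response for the same conditions, which is useful when a user authenticates but does not receive administrator privileges; the SP entity ID and e-mail address are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed, unsigned response body. A real response is signed, and the signature
# must be verified against the IdP certificate before any attribute in it is trusted.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t9</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://fw.example.com/saml/metadata/X1_MGMT</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>fwadmin@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="group"><saml:AttributeValue>SonicWALL Administrators</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_assertion(xml_text, sp_entity_id, user_attr="username",
                    group_attr="group", admin_group="SonicWALL Administrators"):
    """Return the problems found; an empty list means the attributes match the firewall setup."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    problems = []
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        problems.append("NameID format is not transient")
    audiences = [a.text for a in assertion.findall(".//saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("Audience does not match the SP entity ID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    if not attrs.get(user_attr):
        problems.append("missing %s attribute" % user_attr)
    # The firewall compares the group name exactly, so a differently spelled value
    # (or a different attribute name) leaves the user without administrator privileges.
    if admin_group not in attrs.get(group_attr, []):
        problems.append("%s attribute does not contain %r" % (group_attr, admin_group))
    return problems
```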
