How to configure SAML SSO on firewall for SSLVPN login using Azure AD as IdP?

Description

Security Assertion Markup Language (SAML) is an XML-based open standard used for Single-Sign-On (SSO) that eliminates the need for application-specific passwords. SAML enables secure authentication and authorization between Identity Providers (IdPs) and Service Providers (SPs).

SonicOS 7.2.0 introduces SAML 2.0 support for the following Single Sign-On use cases.

  1. User Identity
  2. Firewall Administration or Management Access
  3. Remote Access VPN (SSLVPN)

Learn more about this feature in the SonicOS 7.2 SAML Feature Guide.

This article shows how to configure SAML Authentication for SSLVPN login using Azure AD as Identity Provider (IdP).

Resolution

To configure SAML on firewall for SSLVPN login with Azure AD as the IdP, follow these steps:

A. Configure SAML Service Provider on firewall and export SP metadata
B. Configure IdP and export IdP metadata
C. Configure SAML IdP on firewall
D. Configure SAML Profile on firewall
E. Configure SSLVPN to use SAML for authentication

A. Configure SAML Service Provider on firewall and export SP metadata

  1. Navigate to DEVICE | Users > Settings > SAML CONFIGURATION and click on the Configure button next to SAML Service Provider.
    Image

  2. Click Add.

    Image

  3. In the SAML Service Provider dialog box, enter the following information. 

    a. Name: Enter the name of the service provider.
    b. Type: From the drop-down, select the type of identifier for the service provider.
    - IP: Select IP if you want the SP URLs (such as the identifier/entity ID URL and the ACS URL) to be generated from the IP address. This is the IP of the firewall interface associated with the service.
    - Domain: Select Domain if you want the SP URLs, such as the identifier/entity ID URL and the ACS URL, to point to a specific domain. Make sure that the necessary DNS configuration is in place to resolve this domain to the firewall interface IP associated with the service.
    c. Address Object: From the drop-down, select the address object associated with the service provider/firewall interface.
    d. Service: From the drop-down, select the type of service that will use SAML for authentication.
    - HTTPS Management: Use this service to configure SAML for firewall administration or to enable SAML SSO for user identity via ULA.
    - SSLVPN: Use this service to authenticate users via SAML when they connect through SSLVPN. This applies both to client applications (such as NetExtender or Mobile Connect) and to the Virtual Office Portal.

    In this article we are going to use:

    Name: X1_SSLVPN_Azure
    Type: IP
    Address Object: X1 IP
    Service: SSL VPN (4433)

    Image

    NOTE: The information you configure for the Service Provider is used to generate the following inputs needed on the IdP side:
    - Identifier ID, also known as Entity ID
    - Reply URL, also known as ACS URL

  4. Click Save.
  5. Click on Export icon to export the SP Metadata.

    Image

  6. Enter the SAML Profile Name and click on Export and save the file on your PC.

    Image

    NOTE: When setting up the actual SAML profile later (Section D), ensure that you use the same SAML profile name. 

  7. Close the SAML Service Provider dialog box.

  8. The exported metadata downloads as an XML file. We will need the entityID and Location information from this file when configuring the Azure AD IdP in the next section B.

    Image

B. Configure IdP and export IdP metadata

  1. Login to Azure portal (portal.azure.com) and search for Enterprise applications.
  2. Click on New application.

    Image
  3. Click Create your own application.

    Image

  4. Enter the App Name and Create a Non-gallery Application.

    Image

  5. Click on Get started link for Set up single sign on.

    Image

  6. Select SAML.

    Image

  7. Click on Edit for Basic SAML Configuration.

    Image

  8. Open the SP metadata XML file which was exported from firewall in previous section A. 

    Image 

  9. Copy and paste the entityID and Location links as shown below and Save the changes.

    Image

  10. Click on Edit for Attribute and Claims.

    Image

  11. The IdP can be configured to send user-related information as attributes during authentication. In this KB we create two new claims: one that sends the user's username and one that sends the user's group name.

    Click on Add new claim

    Image

  12. Add the Name as username (make sure you use the same name for "User Name Attribute" when configuring the SAML IdP settings on the firewall in section C).
    Select the Source attribute as user.mail; the IdP will then send the user's email address as the username to the firewall.

    NOTE: Select the Source attribute type as per your requirement. 

    Image

  13. Click on Add a group claim.
    Select Groups assigned to the application.
    From the dropdown, select Cloud-only group display names.
    Under Advanced, add the Name as groupname (make sure you use the same name for "Group Name Attribute" when configuring the SAML IdP settings on the firewall in section C).

    Image

  14. Go back to Single sign-on tab and click on Download link for Federation Metadata XML and save this on your PC. This needs to be imported on firewall in the upcoming section C.

    Image

  15. On Azure portal, search for Groups and navigate to All Groups.

    Image

  16. Add a New group.

    Image

  17. Name the group as SSLVPN Services and Create.

    NOTE: SSLVPN Services is the name of the default SSLVPN group on firewall. Users must be part of this group to be able to connect via SSLVPN. Create this new group on IdP and make the user part of this group. During SAML auth, IdP will send this group name to the firewall using the groupname attribute. 

    Image

  18. On the Azure portal, search for Users and navigate to All users. Select the user you want to use for SAML.

    Image

  19. Go to the user's Groups tab and add the user to the SSLVPN Services group.

    Image

    Image

  20. Navigate back to SAML application and add the SSLVPN Services group to the application.

    Image
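    The two claims configured in steps 12 and 13 and the group created in step 17 only work if the attribute names the IdP emits match what the firewall is told to look for in section C. The following script is an added example, not part of the SonicWall KB: it parses the AttributeStatement of a SAML assertion the way a service provider would, and checks that the `username` and `groupname` attributes are present and that `SSLVPN Services` is among the group values. The assertion, tenant ID, user address and the helper names `extract_attributes` / `check_sslvpn_claims` are all constructed for the example.

```python
# Added example (not from the SonicWall KB): read the claims out of a SAML
# assertion and confirm they line up with the firewall-side attribute names.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample response; signature checking is outside this example.
# Azure AD sends one AttributeValue per group when "Cloud-only group display names" is used.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>user@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groupname">
        <saml:AttributeValue>SSLVPN Services</saml:AttributeValue>
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_sslvpn_claims(response_xml, user_attr="username", group_attr="groupname",
                        required_group="SSLVPN Services"):
    """Mirror what the firewall expects: a user name attribute, a group name
    attribute, and membership of the SSLVPN Services group. Returns the
    resolved user name and a list of problems (empty when everything matches)."""
    attrs = extract_attributes(response_xml)
    problems = []
    if not attrs.get(user_attr):
        problems.append("missing user name attribute '%s'" % user_attr)
    if group_attr not in attrs:
        problems.append("missing group name attribute '%s' (group claim not configured?)" % group_attr)
    elif required_group not in attrs[group_attr]:
        problems.append("user is not in '%s'" % required_group)
    user = attrs.get(user_attr, [None])[0]
    return user, problems


if __name__ == "__main__":
    user, problems = check_sslvpn_claims(SAMPLE_RESPONSE)
    print("user:", user, "problems:", problems or "none")
    # Simulate a typo in the firewall-side Group Name Attribute setting.
    print(check_sslvpn_claims(SAMPLE_RESPONSE, group_attr="groups")[1])
```

    A mismatch between the claim name in Azure and the attribute name on the firewall shows up here as a missing attribute, which is the same symptom a user sees as a failed SSLVPN login even though IdP authentication succeeded.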


C. Configure SAML IdP on firewall

  1. Navigate to DEVICE | Users > Settings > SAML CONFIGURATION and click on the Configure button next to SAML Identification Provider.

    Image

  2. Click Import from file.

    Image

  3. In the Import from File dialog box, click Add File.

  4. Select the XML metadata file downloaded from your IdP server (Azure AD) in previous section B and click Open.

  5. In the Name field, enter the name for the IdP profile. Click Next.

    Image

  6. A Restart Required! message will show up because a CA cert was imported, which was part of the IdP metadata file. You can choose to restart the firewall later by clicking on Cancel.

    Image

    NOTE: Importing IdP XML metadata file from Azure AD auto populates the following fields (SAML IdP Server ID, ACS URL, Logout service URL and Certificate). User Name Attribute and Group Name Attribute need to be entered manually. User Name attribute is mandatory, and group name is optional.  

  7. In the User Name Attribute field, enter the attribute name from IdP that maps to the user name.
    In the Group Name Attribute field, enter the attribute name from IdP that maps to the group name.
    In this article, the User Name Attribute is "username" and the Group Name Attribute is "groupname", matching the claim names configured on the Azure AD IdP in section B.

  8. Click Save.

    Image

  9. A pop-up message comes up informing about new Address Groups and Access Rules which will be automatically created. Click Continue.

    Image

    NOTE: To ensure users can access the IdP URLs and login screen, SonicOS will automatically create address objects and access rules for these URLs. If you wish to create the access rules manually, clear the checkbox Create Address Group and Access Rules for me.  

  10. The Address Groups and Access Rules should be created successfully. Click OK.

    Image

  11. Click Close.

    Image
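    The values copied by hand in section A step 8 (entityID and ACS Location from the firewall's SP metadata) and the ones the import in this section auto-populates (IdP entity ID, sign-on and logout URLs, signing certificate from the Azure federation metadata) all live in standard SAML 2.0 metadata elements. The following script is an added example, not part of the SonicWall KB: it extracts both sets of values with the standard library and sanity-checks the SP URLs before they are pasted into Azure. Both metadata documents are constructed samples; the IP, port-4433 paths, tenant ID and certificate text are placeholders, not the firewall's real paths.

```python
# Added example (not from the SonicWall KB): extract the hand-copied SP values
# and the auto-populated IdP values from SAML 2.0 metadata.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata as a firewall export might look (paths are placeholders).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://192.0.2.10:4433/saml/sp">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://192.0.2.10:4433/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP federation metadata in the shape Azure AD publishes (placeholder tenant/cert).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIICPLACEHOLDERCERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Identifier (Entity ID) and Reply URL (ACS URL) to enter in Azure's Basic SAML Configuration."""
    root = ET.fromstring(xml_text)
    acs = root.find(".//md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entityID": root.get("entityID"),
            "acs_url": acs.get("Location"),
            "acs_binding": acs.get("Binding")}


def check_sp_urls(sp):
    """Catch the common copy mistakes: non-HTTPS URLs, or an ACS URL whose host/port
    does not match the entity ID (i.e. not the interface/port chosen in section A)."""
    problems = []
    ent, acs = urlparse(sp["entityID"]), urlparse(sp["acs_url"])
    for name, u in (("entityID", ent), ("acs_url", acs)):
        if u.scheme != "https":
            problems.append("%s is not https" % name)
    if ent.netloc != acs.netloc:
        problems.append("entityID host/port %s differs from ACS host/port %s" % (ent.netloc, acs.netloc))
    return problems


def parse_idp_metadata(xml_text):
    """The values the firewall import auto-populates from the IdP metadata."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    sso = desc.find("md:SingleSignOnService[@Binding='%s']" % redirect, NS)
    slo = desc.find("md:SingleLogoutService", NS)
    cert = desc.find("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {"entityID": root.get("entityID"),
            "sso_url": sso.get("Location"),
            "slo_url": slo.get("Location") if slo is not None else None,
            "signing_cert": "".join((cert.text or "").split())}


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    print("SP:", sp, "problems:", check_sp_urls(sp) or "none")
    print("IdP:", parse_idp_metadata(IDP_METADATA))
```

    The signing certificate is what the firewall uses to validate assertion signatures (and what triggers the Restart Required prompt in step 6 when imported as a CA cert); if Azure rolls the certificate later, the IdP metadata has to be re-imported or the certificate updated by hand.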


D. Configure SAML Profile on firewall

  1. Navigate to DEVICE | Users > Settings > SAML CONFIGURATION and click on the Configure button next to SAML Profile.

    Image

  2. Click Add.

    Image

  3. In the Name field, enter the SAML Profile name that was used while exporting SP metadata from firewall in section A. 
  4. In the Select IdP field, select the identity provider.
  5. In the Select SP field, select the service provider.
  6. When you select the service provider, the Enable on this profile for SSL VPN toggle becomes available. Leave it enabled.

    Image

  7. Click Save.
  8. Click Close.

    Image


E. Configure SSLVPN to use SAML for authentication

  1. Navigate to NETWORK | SSL VPN > Server Settings.
  2. Set Authentication Type as SAML and click Accept.

    Image

  3. Click the Configure button next to SAML Profile and make sure the required SSLVPN SAML profile is enabled.

    Image

  4. On the Virtual Office Portal there is no longer any need to enter a username or password. Clicking the LOG IN button redirects to the IdP's login screen.
     
    Image

  5. Enter the user credentials and 2FA verification (if configured on IdP) and complete the login process. 

    Image

  6. After successful authentication, the user can access the bookmarks.

    Image

  7. To connect using NetExtender client, go to NetExtender client machine and add a new SSLVPN connection. 

    Image

  8. In the Connection field, click Add Connection...

  9. In the Add Connection dialog box, enter Name and Server details.

  10. Click Next.

    Image

  11. In the Security Alert dialog box, click Trust.

    Image

  12. In the Add connection dialog box, under the Domain drop-down, select saml and click Save.

    Image

  13. The NetExtender connection page is displayed. Click Connect.

    Image

  14. The Client browser will launch for the SAML login. 

    Image

  15. Enter the user credentials and 2FA verification (if configured on the IdP) and complete the login process. The following page is shown after authentication succeeds.

    Image 

  16. NetExtender connection status should show as Connected now. 

    Image

  17. On the firewall, the logged-in user is shown as below:

    Image
