SMA 1000: SAML Identity Provider Service Configuration Guide

07/14/2020


Description

This document gives the steps to configure an SMA 1000 series appliance as a SAML Identity Provider (IdP) and to add SAML-capable applications to it for single sign-on and access control. In general, the steps are:

1) Enable the SAML Identity Provider service

2) Configure the SAML application

3) Add the SAML application as an SMA resource

Resolution

Prerequisite:

SAML is a time-sensitive protocol (assertions carry a validity window), so the appliance clock must be accurate. You can enable the NTP service to keep the appliance clock synchronized with an NTP server: go to Services - Network Services - NTP, enable the service, provide the NTP server details and click Save.
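As an added illustration of why the clock matters (example code written for this page, not part of the article or of the SMA product): the check a service provider performs on the <Conditions> of an assertion, run against a constructed sample whose timestamps and audience are assumed values.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the <Conditions> element an IdP such as the SMA 1000 puts in an assertion.
# Timestamps and audience are assumed values chosen to show the validity window.
SAMPLE_CONDITIONS = """<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2020-07-14T12:00:00Z" NotOnOrAfter="2020-07-14T12:05:00Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://example.company.com</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>"""

def parse_saml_time(value):
    """SAML dateTime values are UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(xml_text, sp_entity_id, now_utc, skew_seconds=60):
    """Return (ok, reason) for the validity window and audience of a SAML <Conditions>.

    now_utc is the service provider's clock in SAML dateTime form; skew_seconds is the
    small tolerance most SPs allow, which a mis-set IdP clock easily exceeds.
    """
    cond = ET.fromstring(xml_text)
    now = parse_saml_time(now_utc)
    skew = timedelta(seconds=skew_seconds)
    not_before = parse_saml_time(cond.attrib["NotBefore"])
    not_on_or_after = parse_saml_time(cond.attrib["NotOnOrAfter"])
    if now + skew < not_before:
        return False, "assertion not yet valid (IdP clock ahead of SP clock?)"
    if now - skew >= not_on_or_after:
        return False, "assertion expired (IdP clock behind SP clock?)"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, f"audience {audiences} does not include {sp_entity_id}"
    return True, "ok"

if __name__ == "__main__":
    sp = "https://example.company.com"
    print(check_conditions(SAMPLE_CONDITIONS, sp, "2020-07-14T12:01:00Z"))   # inside the window
    print(check_conditions(SAMPLE_CONDITIONS, sp, "2020-07-14T11:56:00Z"))   # IdP clock 5 min fast
    print(check_conditions(SAMPLE_CONDITIONS, sp, "2020-07-14T12:06:30Z"))   # IdP clock slow, or replay
```

A five-minute window with a one-minute tolerance is typical; an appliance clock that drifts by more than that makes every assertion fail at the application even though the SMA configuration is correct.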

Enable SAML Identity Provider Service:

1. Go to Services - SAML Identity Provider - Configure.
2. Enable the service.
3. Provide the Entity ID of the IdP, which is usually in URL format, e.g. https://workplace.company.com
4. Choose a Workplace site for the Endpoint FQDN option; this is the site to which service providers (SAML applications) send their SAML requests.

   NOTE: You can either create a dedicated Workplace site to act as the IdP site or use an existing Workplace site.

5. The certificate used to sign IdP messages is chosen automatically.
6. Click Save.
7. You can now export the SAML metadata of this Identity Provider by clicking the Export button. The metadata contains the endpoints and the signing certificate of the SMA IdP and can be imported into your SAML applications to configure the IdP endpoints and certificate there.

Configure SAML Application:

This section explains what you need to configure at the external web applications. Assuming the Endpoint FQDN of the SMA SAML IdP service is workplace.company.com:

1. The appliance endpoint that receives SAML login requests from SAML applications is https://workplace.company.com/samlserver/sso/spinit
2. The certificate SMA uses to sign SAML assertions can be downloaded by clicking the Download button next to the Signing certificate option on the SAML Identity Provider service configuration page.
3. Alternatively, if your SAML application offers the option, you can import the IdP metadata XML file exported from the page above.

Add SAML Application as SAML Resource:

Each web application that trusts the SMA SAML IdP must be added to SMA as a SAML service provider resource. The steps below describe how to add it:

1. Go to Resources - New - SAML service provider.
2. Provide a friendly name and description.
3. Provide the entity ID of this SAML application in the Entity ID field, e.g. https://example.company.com
4. Provide the login/SSO/Assertion Consumer Service URL of this SAML application.
5. Select "Create shortcut on workplace" to place a shortcut to this application on the Workplace home page. In SP-initiated SSO mode a start page URL must be provided (see step 10.b).
6. Expand the Advanced section if you want to change the default values.
7. Choose the Name ID format required by this SAML application, e.g. Email address.
8. Compose the subject Name ID required by this SAML application. You can also use the {Variable} button, e.g. {Session.userName}@company.com
9. If this SAML application signs its SAML requests:
   a. Enable the Verify Service Provider messages option.
   b. Select the certificate to be used to verify this SAML application's messages.

      NOTE: This certificate must already have been imported under SSL Settings - CA certificates.

10. The SMA SAML IdP supports both service-provider-initiated and IdP-initiated login (SSO).
   a. If this application supports only IdP-initiated SSO, select the Identity Provider initiated option under "SSO Initiation Mode". This places a shortcut on the Workplace home page that a user can click to log in to this application. You can optionally provide a Relay State value if the application needs one.
   b. If this application supports service-provider-initiated login, you can also provide a start page for it, which is shown on the Workplace home page. If the "Create shortcut on workplace" option is enabled, this field is mandatory. The URL is stored as the start page of the shortcut; to modify it after the resource has been created, go to the shortcut page -> this shortcut -> Advanced.
11. If this application needs attributes other than the Name ID, configure them under the SAML Attributes section.
12. Click New (+) to provide attribute names and values. You can also use {Variable} to send any session variable.
13. To send an AD attribute, go to the Resources page, select the Resource Variable tab and create a variable whose value is the AD attribute. You can also post-process the value before it is sent to the SAML application, for example by searching and replacing a string in it; see the Admin Guide for details. Then select this variable as the value under SAML Attributes.
14. When you add multiple values with the same attribute name, they are sent as one multi-valued attribute.
15. Click Save.

You can add this SAML service provider to a resource group like any other internal resource and create Access rules for it. When users log in to Workplace, they see a shortcut to this SAML application if they have access permission.

When a user reaches SMA for authentication, SMA evaluates the Access rules before sending a SAML assertion to the application. If access is allowed, the user logs in to the SAML application; otherwise the user sees the Access Denied page.
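An added example (written for this page, not the appliance's own code) that models steps 7 to 14 and the access-rule gate just described: {Variable} expansion for the Name ID, grouping of repeated attribute names into one multi-valued attribute, and refusal to issue an assertion when the Access rule denies. The session variable names, the Resource Variable Var.department and the service provider values are assumed.

```python
import re

# Constructed session: stands in for the {Session.*} variables the appliance exposes and for
# a Resource Variable (Var.department) filled from an AD attribute; all names are assumed.
SESSION = {"Session.userName": "jdoe", "Session.groups": ["vpn-users", "finance"],
           "Var.department": "Finance"}

# Name ID format as named in the article's example, mapped to its SAML 2.0 URI.
NAMEID_FORMATS = {"Email address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}
VAR_RE = re.compile(r"\{([A-Za-z0-9_.]+)\}")

def expand(template, session):
    """Replace each {Variable} token with its session value (what the {Variable} button inserts)."""
    def lookup(match):
        name = match.group(1)
        if name not in session:
            raise KeyError(f"unknown session variable {name}")
        return str(session[name])
    return VAR_RE.sub(lookup, template)

def build_attributes(entries, session):
    """Expand (name, value-template) rows; repeated names become one multi-valued attribute."""
    attrs = {}
    for name, template in entries:
        attrs.setdefault(name, []).append(expand(template, session))
    return attrs

def issue_assertion(sp, session, access_rule):
    """Evaluate the Access rule first; only an allowed session gets an assertion."""
    if not access_rule(session):
        return {"status": "Access Denied"}
    return {
        "status": "ok",
        "audience": sp["entity_id"],       # Entity ID of the SAML application (step 3)
        "destination": sp["acs_url"],      # Assertion Consumer Service URL (step 4)
        "nameid_format": NAMEID_FORMATS[sp["nameid_format"]],
        "nameid": expand(sp["nameid_template"], session),
        "attributes": build_attributes(sp["attributes"], session),
    }

# Constructed SAML service provider resource following the article's examples (ACS path assumed).
SP_EXAMPLE = {
    "entity_id": "https://example.company.com",
    "acs_url": "https://example.company.com/saml/acs",
    "nameid_format": "Email address",
    "nameid_template": "{Session.userName}@company.com",
    "attributes": [("department", "{Var.department}"),
                   ("role", "employee"), ("role", "{Var.department}-staff")],
}
```

Calling issue_assertion(SP_EXAMPLE, SESSION, lambda s: "finance" in s["Session.groups"]) yields jdoe@company.com as the Name ID and a two-valued role attribute; a rule the session fails returns only the Access Denied status.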
