SonicOS 7.2 SAML Feature Guide

Configuring the SAML Identification Provider (IdP)

To configure the SAML Identification Provider

  1. Navigate to Device > Users > Settings > SAML CONFIGURATION.

  2. Click the Configure button next to SAML Identification Provider.

    You can configure the SAML Identity Provider in either of the following ways:

    Import from File

  1. In the SAML Identification Provider dialog box, click Import from File.

  2. In the Import from File dialog box, click Add File.

  3. Select the XML metadata file downloaded from your IdP server and click Open.

    Most IdPs offer the option to download the IdP metadata in XML format.

  4. In the Name field, enter the name for the IdP profile.

  5. Click Next.

    A warning message displays “CA Certificate has been loaded before”.

  6. Click Ok.

    Most IdP XML metadata files contain the IdP's signing certificate, so the firewall imports it for you.

    You will be prompted to restart the firewall; you can choose to restart the firewall later.

  7. Importing the IdP XML metadata file auto-populates some fields (SAML IdP Server ID, ACS URL, Certificate). If any URLs, such as the Logout Service URL, are missing, fill them in manually. You can obtain this information from your IdP.

    User Name Attribute and Group Name Attribute need to be entered manually. User Name attribute is mandatory, and group name is optional.

  8. In the User Name Attribute field, enter the attribute name from IdP that maps to the user name.

  9. In the Group Name Attribute field, enter the attribute name from IdP that maps to the group name.

    The User Name Attribute identifies the user's login name in the SAML assertion, while the Group Name Attribute specifies their group; both are pulled from the Identity Provider (IdP) during authentication. You must specify which attributes from the IdP correspond to the User Name and Group Name.
    You must configure matching group names on the Firewall and the IdP to ensure that the authenticated user is part of the necessary groups. These groups can later be used in various security policies on the Firewall.
    For example, when managing the firewall via SAML Single Sign-On (SSO), a user must have administrative privileges for authentication. To achieve this, the Identity Provider (IdP) should return a group name attribute that exactly matches the default group on the firewall, which is "SonicWall Administrators". Once the user is logged in and mapped to this group, they gain admin privileges on the firewall. You can apply the same approach for other privileges on the firewall, such as the SSLVPN Services group or any custom groups you wish to use in security policies after a user is identified via User Level Authentication (ULA).

  10. Click Save and follow step 11 from the Manual Configuration section.
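The following is an added example, not part of the SonicOS guide: it parses a constructed IdP metadata file the way step 7 describes, reporting which fields are auto-populated and which (here the Logout Service URL) still need manual entry, and then applies the attribute-mapping rule from the note above, where the group returned by the IdP must exactly match the firewall group name. The field names, the sample metadata and the attribute names `uid` and `memberOf` are assumptions for illustration.

```python
# Added example (not SonicWall code): inspect IdP metadata and resolve SAML attributes.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata; SingleLogoutService is deliberately omitted so the
# "fill in manually" case from step 7 is exercised.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Map metadata elements onto the firewall's IdP fields (assumed mapping)."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")

    def location(tag):
        el = idp.find(f"{{{MD}}}{tag}") if idp is not None else None
        return el.get("Location") if el is not None else None

    cert = root.find(f".//{{{DS}}}X509Certificate")
    return {
        "SAML IdP Server ID": root.get("entityID"),
        "Authentication Service URL": location("SingleSignOnService"),
        "Logout Service URL": location("SingleLogoutService"),
        "Certificate": cert.text.strip() if cert is not None and cert.text else None,
    }


def missing_fields(fields):
    """Fields the import could not populate; these must be entered by hand."""
    return [name for name, value in fields.items() if not value]


def resolve_saml_user(attributes, user_attr, group_attr, required_group):
    """Return (user name, is member) using the configured attribute names.
    Group comparison is exact and case-sensitive, as the guide requires."""
    username = attributes.get(user_attr, [None])[0]
    groups = attributes.get(group_attr, [])
    return username, required_group in groups
```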

    Manual Configuration

    If your IdP does not provide the configuration in an XML file, you can configure the IdP details manually.

    Before you start, ensure that you have imported the IdP's certificate into the firewall. For more information, see Importing IdP server certificate.

  1. In the SAML Identification Provider dialog box, click Add.

  2. Enter the following information.

  3. In the Name field, enter the name of the SAML Identification Provider.

  4. In the SAML IDP Server ID field, enter the Server ID of the SAML Identity Provider.

  5. In the Authentication Service URL field, enter the URL of the authentication service.

  6. In the Logout Service URL field, enter the URL of the logout service.

  7. In the User Name Attribute field, enter the attribute name from IdP that maps to the user name.

  8. In the Group Name Attribute field, enter the attribute name from IdP that maps to the group name.

    The User Name Attribute identifies the user's login name in the SAML assertion, while the Group Name Attribute specifies their group; both are pulled from the Identity Provider (IdP) during authentication. You must specify which attributes from the IdP correspond to the User Name and Group Name.
    You must configure matching group names on the Firewall and the IdP to ensure that the authenticated user is part of the necessary groups. These groups can later be used in various security policies on the Firewall.
    For example, when managing the firewall via SAML Single Sign-On (SSO), a user must have administrative privileges for authentication. To achieve this, the Identity Provider (IdP) should return a group name attribute that exactly matches the default group on the firewall, which is "SonicWall Administrators". Once the user is logged in and mapped to this group, they gain admin privileges on the firewall. You can apply the same approach for other privileges on the firewall, such as the SSLVPN Services group or any custom groups you wish to use in security policies after a user is identified via User Level Authentication (ULA).

  9. In the Trusted Certificates field, select the IdP server certificate.

  10. Click Save.
    A pop-up message explains that an address group and access rules are created specifically for LAN access control.

  11. Click Continue.

    To ensure users can reach the IdP URLs and login screen, SonicOS automatically creates address objects and access rules for these URLs.
    For non-LAN cases, or if you wish to create the access rules manually, clear the Create Address Group and Access Rules for me checkbox.

  12. Click Next.

    On the SAML Identification Provider dialog box, the last entry displays the newly created IdP.

  13. Click Close.