Microsoft Entra ID SAML Authentication with Firebox Mobile VPN with SSL Integration Guide

Deployment Overview

The SAML authentication server in Fireware 12.11 or higher can integrate with several services. After you configure the SAML authentication server on the Firebox, you can use it to integrate with Mobile VPN with SSL.

This integration guide describes how to set up SAML authentication through the Mobile VPN with SSL with Microsoft Entra ID as the Identity Provider.

For information about the integration end result, go to the Test the Integration section.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Azure portal administrator credentials
  • WatchGuard Firebox with Fireware v12.11 or higher
  • WatchGuard Mobile VPN with SSL client
  • A fully qualified domain name (FQDN) that can resolve the external IP address of Firebox

Additional charges might apply for the use of Microsoft Entra ID.

Test Topology

Microsoft Entra ID communicates with various cloud-based services and service providers with the SAML protocol. This integration uses Microsoft Entra ID to communicate with WatchGuard Firebox over a public Internet connection.

Screenshot of Topology diagram

Enable the Firebox SAML Authentication Server

To enable the Firebox SAML authentication server:

  1. Log in to Fireware Web UI at:https://<your Firebox IP address>:8080
  2. From the left navigation, select Authentication > Servers.

    3. Screenshot of Firebox, Firebox Auth Server setup 1

  3. Select SAML.
    The SAML settings page opens.
  4. Check Enable SAML.
  5. In the IdP Name text box, type a name for the identity provider. In our example, we type Entra_ID_SAML.
  6. In the Host Name text box, type an FQDN that resolves to the Firebox external interface.
  7. Keep the IdP Metadata URL text box blank for now, we add the IdP settings later.

    8. Screenshot of Firebox, Firebox Auth Server setup 2

  8. Click Save.

Configure Firebox Mobile VPN with SSL

To configure Mobile VPN with SSL on the Firebox:

  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080
  2. From the left navigation, select VPN > Mobile VPN.
  3. In the SSL section, click Manually Configure.
  4. Select the Activate Mobile VPN with SSL check box.
  5. In the Primary text box, type the FQDN that resolves to the Firebox external interface. This is the domain name that Mobile VPN with SSL clients connect to by default and must be the same as the Host Name you configure in the SAML authentication server configuration.

    6. Screenshot of Firebox, Firebox Access Portal config 1

  6. Select the Authentication tab.
  7. In the Authentication Server Settings section, from the Authentication Servers drop-down list, select the SAML authentication server you created. For our example, we select Entra_ID_SAML.
  8. Click Add to add it to the Authentication Server list.

    9. Screenshot of Firebox, Firebox Access Portal config 2

  9. Click Save.
  10. Copy the SP Metadata URL, then click Done.
    The Update IdP configuration page appears.

    11. Screenshot of Firebox, Firebox Access Portal config 3

  11. Open a web browser and go to the SP Metadata URL:
    https://[Host name or Firebox IP address]/auth/saml
    The SAML 2.0 Configuration page opens.
  12. Make sure you have this SP information from Option 2. You use this information when you configure Entra ID:
    • SAML Entity ID in this format:
      https://<host name>/auth/saml
    • Assertion Consumer Service (ACS) URL in this format:
      https://<host name>/auth/saml/acs
    • Single Logout Service (SLS) URL in this format:
      https://<host name>/auth/saml/sls
    • Download the X.509 Certificate.

    13. Screenshot of Firebox, Firebox SAML SP info

Configure Microsoft Entra ID

To configure Microsoft Entra ID, complete these steps:

  1. Create a Microsoft Entra ID group and user
  2. Configure a SAML application

Create a Microsoft Entra ID Group and User

To create a group in Microsoft Entra ID:

  1. Log in to the Azure portal with your Microsoft Azure account credentials.
  2. Click Microsoft Entra ID.
  3. From the left navigation, click Manage > Groups.
  4. Click New Group.
  5. From the Group Type drop-down list, select Security.
  6. In the Group Name text box, type a descriptive group name. For our example, we type sslvpn_group.
  7. From the Membership Type drop-down list, select Assigned.

    8. Screenshot of Entra ID, Azure new group setup 1

  8. Keep the default value for other settings.
  9. Click Create.

To create a user in Microsoft Entra ID:

  1. Log in to the Azure portal with your Microsoft Azure account credentials.
  2. Click Microsoft Entra ID.
  3. From the left navigation, click Manage > Users.
  4. Click New User > Create New User.
  5. From the Basics tab, provide the user information.

    6. Screenshot of Entra ID, Azure new user setup 1

  6. From the Assignments tab, click Add Group to assign the user to the group you created.

    7. Screenshot of Entra ID, Azure new user setup 2

  7. Click Review + Create.
  8. Click Create.

Configure a SAML Application

To configure a SAML application in Microsoft Entra ID:

  1. Log in to the Azure portal with your Microsoft Azure account credentials.
  2. Click Microsoft Entra ID.
  3. From the left navigation, click Manage > Enterprise applications.
  4. Click New Application.
  5. Click Create your own application.
  6. In the What's the name of your app? text box, type a descriptive name. For our example, we type Firebox SSLVPN SAML.
  7. For What are you looking to do with your application?, select Integrate any other application you don't find in the gallery (Non-gallery).

    8. Screenshot of Entra ID, Azure SAML app setup 1

  8. Click Create.
  9. From the left navigation, click Manage > User and Groups.
  10. Click Add user/group.
  11. From Users and Groups, click None Selected to assign users and groups to this application. For our example, we select the group we created.

    12. Screenshot of Entra ID, Azure SAML app setup 2

  12. Click Select.
  13. Click Assign.

    14. Screenshot of Entra ID, Azure SAML app setup 3

  14. From the left navigation, click Single sign-on.
  15. For Select a single sign-on method, select SAML.

    16. Screenshot of Entra ID, Azure SAML app setup 4

  16. For the Basic SAML Configuration, click Edit.
  17. Specify these settings:

    18. Identifier (Entity ID)

    https://<your Firebox host name>/auth/saml

    The name on the WatchGuard Firebox SAML 2.0 Configuration page is SAML Entity ID.

    Reply URL (Assertion Consumer Service URL)

    https://<your Firebox host name>/auth/saml/acs

    The name on the WatchGuard Firebox SAML 2.0 Configuration page is Assertion Consumer Service (ACS) URL.

    Logout Url (Optional)

    https://<your Firebox host name>/auth/saml/sls

    The name on the WatchGuard Firebox SAML 2.0 Configuration page is Single Logout Service (SLS) URL.

    Screenshot of Entra ID, Azure SAML app setup 5

  18. Click Save, then click to close the Basic SAML Configuration page.
  19. In the Test Single sign-on dialog box, click No, I'll test later.
  20. In the Attributes & Claims section, click Edit.

    21. Screenshot of Entra ID, Azure SAML app setup 6

  21. Click Add a group claim to configure the group authentication for Mobile VPN with SSL.
  22. For Which groups associated with the user should be returned in the claim?, select Groups assigned to the application.
  23. From the Source attribute drop-down list, select Cloud-only group display names.
  24. Click to expand the Advanced options, then select Customize the name of the group claim.
  25. In the Name (required) text box, type memberOf.

    26. Screenshot of Entra ID, Azure SAML app setup 7

  26. Click Save, then click to close the Attributes & Claims page.
  27. For the SAML Certificates section, copy the App Federation Metadata Url. You need this URL to complete the SAML authentication server configuration on the Firebox.
  28. From the left navigation, click Security > Token Encryption.
  29. Click Import Certificate to upload the X.509 Certificate you downloaded in the previous section.
  30. Click for the certificate, then click Activate Token Encryption Certificate.
  31. From the Activate token encryption certificate dialog box, click Yes.

    32. Screenshot of Entra ID, Azure SAML app setup 8

Complete SAML Authentication Server Setup

From Fireware Web UI:

  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080
  2. From the left navigation, select Authentication > Servers.
  3. Select SAML.
  4. In the IdP Metadata URL text box, paste the value of the App Federation Metadata Url you copied from the previous section.

    5. Screenshot of Entra ID, Firebox Auth Server setup 3

  5. Click Save.

Complete Firebox Mobile VPN with SSL Setup

From Fireware Web UI:

  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080
  2. From the left navigation, select Authentication > Users and Groups.
  3. Click Add.
    The Add User or Group page appears.

    4. You can add a user for user authentication or a group for group authentication. In our example, we add a group for group authentication. If you want to add a user, the user name must be the same as the user name in Microsoft Entra ID.

  4. For Type, select Group.
  5. In the Name text box, type a name for the group. The group name must be the same as the group you create and assign to the SAML application in Microsoft Entra ID.
  6. From the Authentication Server drop-down list, select the authentication server where the user or group exists.

    7. Screenshot of Firebox, Firebox Access Portal config 6

  7. Click OK.
  8. Click Save.
  9. From the left navigation, select VPN > Mobile VPN.
  10. From the SSL section, click Configure.
  11. Click the Authentication tab.
  12. From the Users and Groups section, select the groups or users you created. For this example, we select the group sslvpn_group.

    13. Screenshot of Firebox, Firebox Access Portal config 7

  13. Click Save.

Test the Integration

To test the integration of Entra ID SAML authentication with Mobile VPN with SSL:

  1. Open the Mobile VPN with SSL client.
  2. In the Server text box, type the FQDN that resolves to the Firebox external interface.
  3. Select the Use SAML Authentication check box.

    4. Screenshot of Access Portal, Integration test 1

  4. Click Connect.
  5. On the Microsoft Sign in page, type the Microsoft Entra ID user name, and click Next.

    6. Screenshot of Access Portal, Integration test 2

  6. Type the Microsoft Entra ID user password, and click Sign In.

    7. Screenshot of Access Portal, Integration test 3

  7. Click Yes to stay signed in.

    8. Screenshot of Access Portal, Integration test 4

    After a successful authentication, you connect to the VPN.

    Screenshot of Access Portal, Integration test 5