Skip to main content

SonicWall SMA 1000 Series 11.4 (IdP-initiated) Integration Guide (SAML)

Introduction

Use this guide to enable Multi-Factor Authentication and Single Sign-on (SSO) access via SAML 2.0 to Dell SonicWall SMA 1000 Series 11.4.

Prerequisites

1. Have SonicWall SMA 1000 Series 11.4 and access to the administrator console

2. Create a New Realm in the SecureAuth IdP Web Admin for the SonicWall integration

3. Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

  • Overview – the description of the realm and SMTP connections must be defined

  • Data – an enterprise directory must be integrated with SecureAuth IdP

  • Workflow – the way in which users will access this application must be defined

  • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

SecureAuth IdP Configuration Steps

Post Authentication

44831397.png

1. Select SAML 2.0 (IdP Initiated) Assertion Page from the Authenticated User Redirect dropdown in the Post Authentication tab in the Web Admin

2. An unalterable URL will be auto-populated in the Redirect To field, which will append to the domain name and realm number in the address bar (Authorized/SAML20IdPInit.aspx)

User ID Mapping

44832709.png

3. Select Authenticated User ID from the User ID Mapping

In typical scenarios, the Authenticated User ID is sent; however, if the SonicWall ID is contained in a different SecureAuth IdP Property, select that value from the dropdown

4. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

Select a different option if SonicWall requires it, which the Service Provider (SP) provides

5. Select False from the Encode to Base64 dropdown

SAML Assertion / WS-Federation

44832749.png

6. Set the SAML Consumer URL to the Fully Qualified Domain Name (FQDN) of the SonicWall appliance, followed by /saml2consumer, e.g. https://sonicwall.domain.com/saml2consumer

7. Set the WSFed/SAML Issuer to the FQDN of the SonicWall appliance, e.g. https://sonicwall.domain.com

8. Set the SAML Recipient to the FQDN of the SonicWall appliance

9. Set the SAML Audience to the FQDN of the SonicWall appliance

10. Set the SAML Offset Minutes to make up for time differences between devices

11. Set the SAML Valid Hours to limit for how long the SAML assertion is valid

12. Select True from the Sign SAML Assertion dropdown

Note

No configuration is required for the WSFed Reply To/SAML Target URL or SP Start URL fields

70489017.png

13. Leave the Signing Cert Serial Number as the default value, unless there is a third-party certificate being used for the SAML assertion

If using a third-party certificate, click Select Certificate and choose the appropriate certificate

14. Download the Assertion Signing Certificate, which is used in the SonicWall Configuration Steps

Warning

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes

Forms Auth / SSO Token

Optionally, in the Forms Auth / SSO Token section, click the View and Configure FormsAuth keys/SSO token link to configure the token/cookie settings and configure this realm for SSO.

44833086.png

SonicWall Configuration Steps

44832756.png

1. Log into the SonicWall administrator console, and select Authentication Servers under System Configuration

2. Click New... at the top to create a new Authentication Server

New Authentication Server

44832754.png

3. Select SAML 2.0 Identity Provider from the Authentication directory options

4. Select Username / Password from the Credential type options

5. Click Continue...

Configure Authentication Server

44832755.png

6. Set the Name to a friendly name of the integration, e.g. SecureAuth IdP SAML

7. Set the Appliance ID and the Server ID to the FQDN of the SonicWall appliance, e.g. https://sonicwall.domain.com

This must be the same value as the WSFed/SAML Issuer value set in the SecureAuth IdP Web Admin (step 7)

8. Set the Authentication Service URL to the FQDN of the SecureAuth IdP appliance, followed by the SonicWall-integrated realm (configured above), e.g. https://secureauth.company.com/secureauth2

9. (OPTIONAL) Set the Logout Service URL to the FQDN of the SecureAuth IdP appliance, followed by the SonicWall-integrated realm and /logout.aspx, e.g. https://secureauth.company.com/secureauth2/logout.aspx

10. Select the Assertion Signing Certificate from the SecureAuth IdP Web Admin (step 14) from the Trust the Following Certificate dropdown

If the certificate has not been uploaded onto the appliance, click here to configure the certificate upload

11. Unselect Sign AuthnRequest message using this certificate

12. Click Save