The SAML IDP (Security Assertion Markup Language Identity Provider) option enables user authorization using a Single Sign-On (SSO) system deployed in the organization, such as Microsoft Active Directory Federation Service. With this method, a user who has been authorized in the SSO system (and not logged out since) will be transparently authorized on all resources that support SAML authentication. UserGate can be configured as a SAML service provider that uses SAML IDP servers for client authorization.
A SAML IDP server cannot provide a list of local user properties to UserGate, therefore, if you have not configured AD domain connection through an LDAP connector, only users of types Known (those who successfully authenticated with the SAML server) and Unknown (those who were not authenticated) can be used in filtering policies.
ADFS configuration
To configure authorization using an SAML IDP server, follow these steps:
Task |
Description |
---|---|
Step 1. Create DNS records for the UserGate server. |
On the domain controller, create a DNS record corresponding to the UserGate server to be used as the auth.captive domain (e.g., utm.domain.loc). Point it to the IP address of a UserGate interface connected to the Trusted network. |
Step 2. Configure DNS servers in UserGate. |
In the UserGate settings, set the domain controller's IP addresses as the system DNS servers. |
Step 3. Change the Captive portal auth domain address. |
In the General settings section, change the Captive portal auth domain address to the DNS record created in the previous step. For more details on changing the captive portal's Auth domain address, see the section General Settings. |
Step 4. Configure the SAML IDP server. |
You can find article about Microsoft ADFS configuration on the Microsoft website. On the SAML IDP server, add a record on the UserGate service provider specifying the FQDN created at Step 1. Configuring ADFS the link of the following format https://<adfs-server>/federationmetadata/2007-06/federationmetadata.xml containing configuration and ADFS certificate will be generated. The link is needed to configure SAML IDP server on UserGate NGFW. |
Step 5. Create the SAML IDP user authentication server. |
Create the SAML IDP user authentication server in UserGate. |
UserGate configuration
To do that, go to the Users and devices --> Auth servers section, click Add, select Add SAML IDP server and follow these steps:
Task |
Description |
---|---|
Step 1. Fill in the SAML metadata URL field. |
SAML metadata URL is a path obtained in result of ADFS configuration to upload xml file contained correct configuration for SAML service provider. You should also fill in other fields except SAML SP metadata URL (the field will be displayed after the server properties saved). |
Step 2. Click Upload. |
At the same time, the required fields for setting up the authentication server are filled in with the data obtained from the xml file. After saving, the SAML SP metadata URL field will be automatically filled. |
Step 3. Transfer UserGate NGFW metadata to ADFS. |
Open the SAML IDP server properties and copy automatically generated UserGate metadata file link (the SAML SP metadata URL field). Transfer required data to ADFS server using the link (upload this file to ADFS). |
This method is the preferred method when configuring a SAML IDP authentication server.
The parameters of the authentication server are listed below:
Name |
Description |
---|---|
Enabled |
Enables or disables the use of this authentication server. |
Server Name |
The name of the authentication server. |
Description |
Auth server description. |
SAML metadata URL |
The URL on the SAML IDP server from where an XML file with a valid configuration for this SAML service provider (client) can be downloaded. When you click Upload, the relevant authentication server settings fields will be populated with the data from that XML file. This is the preferred method of configuring a SAML IDP authentication server. For more details, see the documentation for your SAML IDP server. |
SAML IDP certificate |
The certificate that will be used on the SAML client. The available options are:
|
Single sign-on URL |
The URL that is used on the SAML IDP server as the single login point. For more details, see the documentation for your SAML IDP server. |
Single sign-on binding |
The method used to work with a SSO single login point. Options: POST and Redirect. For more details, see the documentation for your SAML IDP server. |
Single logout URL |
The URL used on the SAML IDP server as the single logout point. For more details, see the documentation for your SAML IDP server. |
Single logout binding |
The method used to work with a SSO single logout point. Options: POST and Redirect. For more details, see the documentation for your SAML IDP server. |