:orphan: ************************** SonicWall SAML Integration ************************** Introduction ************ This article describes how to configure SonicWall to work with AuthControl Sentry. .. include:: HowToCreateSAMLKeysOnCMI.rst .. include:: CheckPasswordWithRepositoryLocalAgent.rst Setup SSO on SonicWall ********************** To configure SSO setting on your SonicWall account you have to create a new authentication server on your Admin console. You should see an screen similar to the one below: .. image:: images/Integration/SAML/SonicWall/SonicWallConfig2.png You will need to select SAML 2.0 and Username/Password as Credential Type. Then click Continue. .. image:: images/Integration/SAML/SonicWall/SonicWallConfig1.png * "Name" - Type an arbitrary name * "Appliance ID" - \https://YOURDOMAIN this value will need to match with the Entity ID attribute specified on the SonicWall application configured in Sentry Set the Login, Logout and Change password URLs below, where is the public DNS entry of your AuthControl Sentry server, e.g. swivel.mycompany.com or if you do not have a redirect from port 443 to 8443 in place, you may need to include a port number e.g. swivel.mycompany.com:8443 * "Authentication service URL" - \https:///sentry/saml20endpoint * "Logout service URL" - \https:///sentry/singlelogout * "Trust the following certificate" - You will need to import the RSA PEM file created earlier on Sentry Once you have entered all the details above, click Save. Setup AuthControl Sentry Application definition *********************************************** .. note:: You must have setup a SonicWall SSO prior to defining this Application entry within AuthControl Sentry. This is so that you are able to populate the Endpoint URL field. Login to the AuthControl Sentry Administration Console. Click Applications in the left hand menu. To add a new Application definition for SonicWall, click the Add Provider button. .. image:: images/Integration/SAML/SonicWall/SonicWallApplication.jpg * "Name:" SonicWall * "Image:" SonicWall.png (selected by default) * "Points:" 100 (the number of points the user needs to score from their Authentication Method in order to successfully authenticate to this Application) * "Endpoint URL:" \https://sonicwall.yourdomain/saml2ssoconsumer * "Portal URL:" (this Portal URL is your SonicWall FQDN which you can usually access on: \https://sonicwall.yourdomain) * "Entity ID:" \https://sonicwall.yourdomain (it needs to match with the value defined on SonicWall Appliance ID attribute) * "Federated id:" email Setup AuthControl Sentry Authentication definition ************************************************** As an example here we will be using Turing authentication as the Primary method required for SonicWall authentication. Login to the AuthControl Sentry Administration Console. Click Authentication Methods in the left hand menu. Click the Edit button against the Turing option in the list of Authentication Methods. Give this Authentication Method 100 points. This will mean that when a login attempt is made to the SonicWall Application, this Authentication Method will be offered during login. Testing authentication to SonicWall *********************************** This should be the final step after all previous elements have been configured. You can visit your AuthControl Sentry Page with your public DNS entry of your Swivel AuthControl Sentry server, e.g. \https://mycompanysentrydomain/sentry/startPage On the Start Page you will be able to see a new SonicWall Icon on which you can click and proceed with authentication (as you would by going straight to the SonicWall page) .. image:: images/Integration/SAML/SonicWall/SentryStartup4.jpg When you visit this URL you will notice that the domain should redirect to the identity provider login URL that you setup, once you have submitted your username. You should be presented with the page of the Authentication Method which can score enough points to match the points required by the SonicWall Application definition. In this login example we are using the email as a username .. image:: images/Integration/SAML/SonicWall/SonicWallUsername.jpg After we enter the username we are prompted with another authentication method (in this example we use turing) .. image:: images/Integration/SAML/SonicWall/SonicWallTuring.jpg After we enter our authentication credentials we successfully will see the SonicWall that we tried to access. Troubleshooting *************** There are various logging components available for this particular integration which can aid in diagnosis at different points during authentication. * The Swivel Core has a Log Viewer menu item which can reveal information concerning user status e.g. is the user locked, has a session been started for the image request; * The Swivel AuthControl Sentry has a View Log menu item which provides details about the SAML assertion and response received from SonicWall and can be useful for comparison with the SonicWall SAML Assertion Validator output; It is crucial when troubleshooting, to pinpoint where the authentication is failing. For example, you may find that the Swivel Core logs show a successful authentication (which would indicate that the user has entered their Password and OTC correctly), but the AuthControl Sentry logging shows that there is a problem with the SAML assertion. Some common issues which can be diagnosed with the validator are: * Certificate or decryption issues; * Can AuthControl Sentry find the Certificate locally, is it the correct one? * Has the correct Certificate been uploaded to SonicWall? * Does the Repository -> Attribute name being used actually map to a Repository attribute? Has a User Sync occurred in the Swivel Core since modifying this?