Configuring OneLogin as an SMA Authentication Server

Description

This article provides step-by-step instructions to configure a SonicWall Secure Mobile Access 1000 series appliance with the OneLogin cloud-based Identity Provider.

Resolution

Prerequisites

SAML is a time-sensitive protocol: enable the NTP service on the SMA appliance (Services -> Network Services -> NTP) to avoid time-related issues such as assertions being rejected as expired or not yet valid.


To add the SMA application to the OneLogin service:


  1. Choose Applications -> Applications from the top menu.
  2. Click the Add App button.
  3. Search for Sonicwall VPN and select the Sonicwall VPN (SAML2.0) application.
  4. Provide a friendly application name.
  5. The logo can be changed.
  6. Click the Save button at the top-right corner.
  7. Open the Configuration menu again.
  8. Under Appliance details, provide the Workplace FQDN without a trailing slash (e.g. https://vpn.example.com). Note: this value must match the Endpoint FQDN selected under the SAML authentication server on the SMA 1000 appliance.
  9. Click the Save button.
  10. Click the SSO option in the left menu.
  11. Under the X.509 Certificate section, right-click View Details and open it in a new window.
  12. In that window, under X.509 Certificate, select the X.509 PEM option and download the certificate.
  13. Go back to the application browser tab.
  14. Note the Issuer URL value.
  15. Note the SAML 2.0 Endpoint (HTTP) value.


To configure OneLogin as an SMA Authentication Server:


To upload the OneLogin PEM certificate downloaded from the OneLogin portal:


  1. Go to SSL Settings -> CA Certificates -> Certificates -> Edit.
  2. Select the OneLogin certificate file. Before importing, under the USAGE section, select the SAML message verification option and disable all other options.
  3. Click the Import button.

Make a note of the certificate name.

To configure OneLogin as an authentication server:

  1. Click Authentication Servers in the left pane, then click New.
  2. Select SAML 2.0 Identity Provider under USER STORE.
  3. Add a friendly name for the OneLogin SAML IdP.
  4. Add the Appliance ID configured at OneLogin (e.g. https://vpn.example.com) with no trailing slash.
  5. Add the Server ID: the Issuer URL value noted from the OneLogin configuration.
  6. Add the Authentication service URL: the SAML 2.0 Endpoint (HTTP) value noted from the OneLogin configuration.
  7. The Logout service URL is optional; configure it if the user should also be logged out from OneLogin after logging out of the SMA.
  8. Under Trust the following certificate, select the OneLogin certificate imported above.
  9. Under Endpoint FQDN, select the FQDN that was provided at OneLogin (vpn.example.com).
  10. Click Save and apply the pending changes.

This SAML authentication server can be used in a realm for authentication.
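What the SMA is effectively verifying with these settings, shown as an added example rather than SonicWall's or OneLogin's code: a Python check of a SAML response against the configured Server ID (Issuer URL), Appliance ID, the imported certificate and the assertion validity window. The sample response, Issuer URL and certificate bytes are constructed placeholders; the XML signature cryptography itself is left to an XML-DSig library.

```python
# Added example (not SonicWall's or OneLogin's code): the checks an SP such as the SMA
# applies to a OneLogin SAML response; XML-DSig signature crypto is left to a library.
import base64, hashlib, xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(pem_or_b64):
    # SHA-256 over the DER bytes; accepts a PEM file or the bare base64 from KeyInfo
    body = "".join(l.strip() for l in pem_or_b64.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()
def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def check_response(xml_text, server_id, appliance_id, trusted_pem, now_iso, skew=timedelta(minutes=3)):
    # server_id = SMA 'Server ID' (Issuer URL), appliance_id = SMA 'Appliance ID' (no trailing
    # slash), trusted_pem = cert imported for SAML message verification. Empty list = accept.
    now, problems = _ts(now_iso), []
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    if a.findtext("saml:Issuer", "", NS).strip() != server_id:
        problems.append("issuer does not match Server ID")
    pinned = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
    if not pinned or cert_fingerprint(pinned) != cert_fingerprint(trusted_pem):
        problems.append("signing certificate is not the imported OneLogin certificate")
    c = a.find("saml:Conditions", NS)
    if c is None:
        return problems + ["no Conditions element"]
    # The validity window is why the article requires NTP: a skewed SMA clock rejects valid logins
    if c.get("NotBefore") and now + skew < _ts(c.get("NotBefore")):
        problems.append("assertion not yet valid")
    if c.get("NotOnOrAfter") and now - skew >= _ts(c.get("NotOnOrAfter")):
        problems.append("assertion expired")
    aud = [e.text.strip() for e in c.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if appliance_id not in aud:
        problems.append("audience does not match Appliance ID")
    return problems

# Constructed sample: placeholder certificate bytes (not a real X.509) and a minimal response.
FAKE_DER = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
TRUSTED_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
ISSUER = "https://app.onelogin.com/saml/metadata/CONSTRUCTED-ID"
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
<saml:Assertion><saml:Issuer>{ISSUER}</saml:Issuer><ds:Signature><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>{FAKE_DER}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://vpn.example.com</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `check_response(SAMPLE, ISSUER, "https://vpn.example.com", TRUSTED_PEM, "2024-05-01T12:02:00Z")` returns an empty list, while passing the Appliance ID with a trailing slash fails the audience check, which is the mismatch the article's "no trailing slash" notes guard against.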
