Copyright ©2017 WatchGuard Technologies, Inc. All Rights Reserved
Best Practices – WatchGuard Access Portal – SAML
Thorsten Steding, Sales Engineer, Central Europe
Service in Total Security!
Access Portal
– HTML5 application portal
  – HTML5, clientless
  – Web application
– SSO to Access Portal
  – SAML 2.0
  – RADIUS, AD, Firebox-DB, …
– Privileged access: RDP, SSH
Platforms
– M370, M400, M470, M500, M570
– M670, M4600, M5600
– Firebox Cloud, FireboxV
Access Portal: SAML Configuration Example
Security Assertion Markup Language (SAML)
SAML is an XML framework for exchanging authentication and authorization information. It provides functions to describe and transfer security-related information.
Browser single sign-on:
After logging in to one web application, a user is automatically authenticated to use further applications as well.
Authorization services:
Communication with a service runs through an intermediary, the identity provider, which checks the authorization.
Source: Wikipedia
SAML 2.0 Workflow
Access Portal with SAML integration
[Diagram: User, Access Portal (SP), AuthPoint (IdP); privileged access via RDP and SSH]
Access Portal (SP) + AuthPoint
Access the SP metadata from the Firebox SAML settings page:
– Expect the form https://[customizable URL name]/auth/saml for the SP metadata
The hostname is customizable and determines the URL of the SP metadata for the IdP.
Access Portal + AuthPoint
Opening the custom SAML URL on the Firebox should show the following page data:
– Click ‘Download Certificate’ and save the file to a familiar directory
– Entity ID: identifies the SP to the IdP
– ACS URL: the endpoint to which the IdP posts its response for the SP
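Before pasting the SP values into the IdP, an administrator can parse the SP metadata and confirm the entity ID, ACS URL and signing certificate fingerprint against the downloaded certificate. The following is an added example, not WatchGuard code; the metadata document is constructed (SAML 2.0 metadata schema), and the hostname `portal.example.com`, the ACS path and the certificate body are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata; hostname and certificate are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.example.com/auth/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.example.com/auth/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form IdP consoles usually show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entity ID, ACS endpoints and signing-cert fingerprints from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor found: this is not SP metadata")
    acs = [(e.get("Binding"), e.get("Location"), e.get("index"))
           for e in sp.findall("md:AssertionConsumerService", NS)]
    path = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [fingerprint(base64.b64decode("".join(c.text.split())))
             for c in sp.findall(path, NS)]
    return {"entity_id": root.get("entityID"), "acs": acs, "cert_fingerprints": certs}

def check_sp_metadata(info: dict, portal_host: str) -> list:
    """Sanity checks before configuring the IdP; returns a list of problems (empty = ok)."""
    problems = []
    origin = f"https://{portal_host}/"
    if not (info["entity_id"] or "").startswith(origin):  # assumption: entity ID lives on the portal host
        problems.append(f"entity ID {info['entity_id']!r} is not on {origin}")
    for binding, location, _ in info["acs"]:
        if not location.startswith(origin):  # IdP must only post responses to the portal over HTTPS
            problems.append(f"ACS {location!r} ({binding}) is not on {origin}")
    if not info["cert_fingerprints"]:
        problems.append("no signing certificate in metadata; IdP cannot verify SP requests")
    return problems
```

Compare the printed fingerprint with the one of the file saved via ‘Download Certificate’; a mismatch means the metadata and the downloaded certificate do not describe the same SP.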
SAML Single Sign-On over AuthPoint
Two-factor authentication
Access Portal
Applications tab
Access Portal
Web applications tab
Demo