Access Portal - SAML Best Practices

Date post: 22-Jul-2020
Page 1: Access Portal - SAML Best Practices · Microsoft PowerPoint - Access Portal - SAML Best Practices Author: Thorsten Steding Created Date: 5/22/2018 4:48:20 PM ...

Copyright ©2017 WatchGuard Technologies, Inc. All Rights Reserved

Best Practices – WatchGuard Access Portal – SAML

Thorsten Steding, Sales Engineer, Central Europe

Page 2

Service in Total Security!

Page 3

Access Portal

HTML5 application portal
– HTML5, clientless
– Web-application

SSO to Access Portal
– SAML 2.0
– RADIUS, AD, Firebox-DB, …

Privileged
• RDP
• SSH

Platforms
M370 M670
M400 M4600
M470 M5600
M500 Firebox Cloud
M570 FireboxV

Page 4

Access Portal: SAML Configuration Example

Page 5

Security Assertion Markup Language (SAML)

SAML is an XML framework for exchanging authentication and authorization information. It provides functions for describing and transmitting security-related information.

Browser single sign-on:

After logging in to one web application, a user is automatically authenticated to use further applications.

Authorization services:

Communication with a service runs through an intermediary, the identity provider, which checks the authorization.

Source: Wikipedia

Page 6

SAML 2.0 Workflow

Page 7

Access Portal with SAML integration

[Diagram labels: User; AuthPoint; Privileged (RDP, SSH); SP; IdP]

Page 8

Access Portal (SP) + AuthPoint

Access SP metadata from Firebox SAML settings page:

– Expect form https://[customizable URL name]/auth/saml for SP metadata

The hostname is customizable and determines the URL of the SP metadata for the IdP.

Page 9

Access Portal + AuthPoint

Proceeding to the custom URL for SAML from the Firebox should provide the following page data:

– Click on ‘Download Certificate’ and save to a familiar file directory

Identifies the SP to the IdP

ACS URL for posting of IdP response from an SP
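
A check an administrator could run on the SP metadata before registering it with the IdP, as an added example that is not part of the original slides: it extracts the entity ID, the HTTP-POST ACS URL and the fingerprint of the embedded certificate, and flags values that are not HTTPS or not on the expected portal hostname. The sample metadata, the hostname `portal.example.com`, the ACS path and the certificate bytes are constructed placeholders, and the check assumes the entity ID is a URL on the portal hostname.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: hostname, ACS path and certificate bytes are placeholders.
PLACEHOLDER_CERT = b"constructed placeholder, not a real certificate"
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://portal.example.com/auth/saml">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_CERT).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="0" Binding="{HTTP_POST}"
      Location="https://portal.example.com/auth/saml/acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, expected_host):
    """Return (entity_id, acs_url, cert_sha256, problems) for SP metadata."""
    # SAML metadata never needs a DTD; refuse it instead of expanding entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    problems = []
    entity_id = root.get("entityID", "")
    acs = [a.get("Location", "") for a in sp.findall("md:AssertionConsumerService", NS)
           if a.get("Binding") == HTTP_POST]
    acs_url = acs[0] if acs else ""
    for label, url in (("entityID", entity_id), ("ACS URL", acs_url)):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{label} is not https")
        if parsed.hostname != expected_host:
            problems.append(f"{label} host is not {expected_host}")
    cert = sp.find(".//ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        return entity_id, acs_url, None, problems + ["no certificate in metadata"]
    der = base64.b64decode("".join(cert.text.split()))
    # SHA-256 of the embedded certificate, for comparison with what the IdP holds.
    return entity_id, acs_url, hashlib.sha256(der).hexdigest(), problems
```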

Page 10

SAML Single Sign-On over AuthPoint

Page 11

Two-Factor Authentication

Page 12

Access Portal

Applications tabs

Page 13

Access Portal

Web applications tab

Page 14

Demo
