The Barracuda Web Application Firewall can authenticate users configured on Google using OpenID Connect. Google acts as the OpenID provider and the Barracuda Web Application Firewall acts as the service provider. Users must authenticate before they can access the application protected by the service on the WAF.
Perform the following steps to configure Google on the Barracuda Web Application Firewall:
Step 1 - Create an HTTPS Service on the Barracuda Web Application Firewall.
Step 2 - Generate Metadata URL for Google OpenID Connect Provider
Step 3 - Configuring the Google OpenID Connect Provider on the Barracuda Web Application Firewall
- Navigate to ACCESS CONTROL > Authentication Services and click the OpenID Connect tab.
- In the Realm Name box, specify a name to identify the OpenID Connect realm.
- In the Open ID Connect Alias box, specify the OpenID Connect alias name to identify the OpenID Connect provider on the Barracuda Web Application Firewall. Example: GoogleOIDC.
- Choose Discovery URL to fill in the endpoint URLs automatically from the metadata URL.
- Specify the metadata URL of the Google OpenID Connect. Example: https://accounts.google.com/.well-known/openid-configuration
- Click Retrieve to populate the endpoint URL fields (all fields except the client ID and client secret).
- Enter the client ID and client secret that you noted while performing the Google configuration. Also ensure that the Scope field displays OpenID.
- Click Add. The Google OpenID Connect authentication service is displayed in the Existing Authentication Service section.
Step 4 - Configure the Authentication Policy for the Service
- Go to the ACCESS CONTROL > Authentication Policies page.
- In the Authentication Policies section, for the service for which you want to enable authentication, click the drop-down list and select Edit Authentication from the Options column.
- In the Edit Authentication Policies window, configure the following:
- Set Status to On.
- From the Authentication Service drop-down list, select the authentication service realm.
- Enter the redirect URL. Ensure that you use the same redirect URL that was configured on the Google server. For example, if the redirect URL configured on the Google server is https://www.oauthtest.com/redirect.html, then you can use /redirect.html here.
- The login page is selected by default in the Access Control Pages section.
- In the OpenID Connect Claim Configuration section, specify the claim name and local ID received from the identity provider that needs to be sent to the application server. This step is optional.
- Click Save.
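A pre-flight check for the values entered in Steps 3 and 4, as an added example (not Barracuda or Google code): it verifies that a retrieved discovery document's issuer matches the metadata URL, that its endpoints use HTTPS, that the openid scope is offered, and derives the redirect path from the URI registered on Google. The function names are hypothetical, the metadata field names are those defined by OpenID Connect Discovery, and the sample document is constructed.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
METADATA_URL = "https://accounts.google.com" + WELL_KNOWN  # example URL from Step 3
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed, trimmed sample of a discovery document (not a live response).
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://accounts.google.com",
  "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
  "token_endpoint": "https://oauth2.googleapis.com/token",
  "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
  "scopes_supported": ["openid", "email", "profile"]
}""")

def check_metadata(metadata_url, doc):
    """Return a list of problems found in a discovery document (empty if none)."""
    if not metadata_url.endswith(WELL_KNOWN):
        return ["metadata URL does not end with " + WELL_KNOWN]
    problems = []
    # The issuer in the document must equal the URL the document was fetched
    # from, minus the well-known suffix; a mismatch means a wrong or spoofed IdP.
    expected_issuer = metadata_url[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer %r != %r" % (doc.get("issuer"), expected_issuer))
    for key in ENDPOINT_KEYS:
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(key + " is missing or not https")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("provider does not advertise the openid scope")
    return problems

def waf_redirect_path(registered_redirect_uri):
    """Path part of the redirect URI registered on Google, for the Step 4 policy."""
    parts = urlsplit(registered_redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("registered redirect URI must be an absolute https URL")
    if parts.fragment:
        raise ValueError("redirect URI must not contain a fragment")
    return parts.path or "/"

if __name__ == "__main__":
    print(check_metadata(METADATA_URL, SAMPLE_METADATA) or "metadata OK")
    print(waf_redirect_path("https://www.oauthtest.com/redirect.html"))
```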
Step 5 - Configure the Authorization Policy for the Service
- Go to the ACCESS CONTROL > Authentication Policies page.
- In the Authentication Policies section, click Add Authorization next to the service for which you want to enable authorization.
- In the Add Authorization Policy section, configure the following:
- Policy Name – Enter a name for the policy.
- Set Status to On.
- URL Match – Enter the URL that needs to be matched in the request. For example, “/*”.
- Host Match – Enter the host name to be matched against the host in the request.
- Click Save.