Perform the steps below to configure SAML on the Barracuda Web Application Firewall.
Step 1 - Upload a Certificate on the Barracuda Web Application Firewall
For testing purposes, self-signed certificates (either uploaded or generated on the Barracuda Web Application Firewall) can be used for signing and encrypting SAML IdP requests and responses. For a production environment, upload a CA-signed certificate on the Barracuda Web Application Firewall to be used for signing the requests sent to the IdP server and decrypting the responses received from the IdP server. The certificate can be uploaded on the BASIC > Certificates page, in the Upload Certificates section.
The uploaded certificate can be associated with the service for SAML authentication on the ACCESS CONTROL > Authentication Policies page, in the Authentication Policies section. Refer to Step 4 - Enable Authentication and Configure SAML Service Provider.
Step 2 - Create an HTTPS Service on the Barracuda Web Application Firewall
- Go to the BASIC > Services page.
- In the Add New Service section, specify values for the following:
- Service Name - Enter a name for the service.
- Type - Select HTTPS.
- Version - Select the Internet protocol version (IPv4 or IPv6) for the service.
- Virtual IP Address - Enter the virtual IP address that will be used for accessing this service.
- Port - Enter the port number on which your web server responds.
- Version - Select the Internet protocol version (IPv4 or IPv6) for the server that hosts the service.
- Real Servers - Enter the IP address of the server that hosts the service. This is the backend server that is protected by the Barracuda Web Application Firewall.
- Service Groups - Select the group under which the service should be added.
- Certificate - Select the certificate you uploaded/generated in Step 1 - Upload a Certificate on the Barracuda Web Application Firewall.
- Click Add.
Step 3 - Configure a SAML IdP Authentication Service
The Identity Provider server should be configured as the authentication service on the ACCESS CONTROL > Authentication Services page, in the SAML Identity Provider tab. The Barracuda Web Application Firewall uses this information to communicate with the Identity Provider server to authenticate a user.
- Go to the ACCESS CONTROL > Authentication Services page, select the SAML Identity Provider tab, and specify values for the following:
- Realm Name – Enter a name to identify the SAML authentication service on the Barracuda Web Application Firewall.
- Identity Provider Name - Enter a name to identify the Identity Provider on the Barracuda Web Application Firewall.
- Identity Provider Metadata Type - Select URL or File Upload to associate the metadata file.
- Metadata URL - Enter the URL to download the IdP metadata file. Example: https://login.windows.net/xxxxx/federationmetadata/2007-06/federationmetadata.xml
- Metadata File Upload - Click the Browse button to select the Identity Provider metadata file. Use this option if you have already downloaded the metadata file.
- Click Add.
- A SAML authentication service with the specified values is created under Existing Authentication Service. The Type for the SAML authentication service is displayed as "SAMLSP".
Step 4 - Enable Authentication and Configure SAML Service Provider
- Go to the ACCESS CONTROL > Authentication Policies page.
- In the Authentication Policies section, click Edit Authentication next to the service for which you want to enable authentication.
- In the Edit Authentication Policies window:
- Configure the following in the Edit Authentication Policy section:
- Set Status to On.
- Select the SAML authentication service created in Step 3 - Configure a SAML IdP Authentication Service from the Authentication Service drop-down list.
- Configure the following in the SAML Service Provider Configuration section:
- Organization Name – Enter your organization name. This name will be used when the Barracuda Web Application Firewall sends SAML requests to the IdP.
- Organization URL – Enter the URL of the organization. Example: https://serviceprovider.com
- Organization Display Name – Enter a name to be displayed to the users accessing this service.
- SP Entity ID – Enter either the fully qualified domain name through which the service can be accessed or the SAML entity ID if you have any for the application. Example: https://waf.example.com/.
- Signing certificate – Select the certificate you uploaded/generated in Step 1 - Upload a Certificate on the Barracuda Web Application Firewall.
- Specify values for other parameters as required.
- Click Save.
Step 5 - Configure the Authorization Policy for the Service
- Go to the ACCESS CONTROL > Authentication Policies page.
- In the Authentication Policies section, click Add Authorization next to the service for which you want to configure the authorization policy. The Add Authorization Policy window opens.
- In the Add Authorization Policy section, configure the following:
- Policy Name – Enter a name for the policy.
- Set Status to On.
- URL Match – Enter the URL that needs to be matched in the request. Any request matching the configured "URL" and "Host" is subjected to SAML authentication. For example, if the web server URLs are https://www.abc.com/sports/Tennis/group1, https://www.abc.com/sports/Football/group1, etc., then the URL Match can be one of the following: "/sports/Tennis/group1", "/sports/Tennis/*", "/sports/*", or "/*".
- Host Match – Enter the host name to be matched against the host in the request. For example, if the web server URL is "https://www.abc.com", then the Host Match should be "www.abc.com".
- Enable Signing on AuthRequest - When set to Yes, the "AuthnRequest" sent by the Barracuda Web Application Firewall to the IdP is signed using the IdP's certificate taken from the IdP metadata.
- AuthnContextClassRef - Enter the type of authentication the IdP should use. The following authentication context classes are known to be supported by the IdP and can be configured as the AuthnContextClassRef:
- urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
- urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
- urn:oasis:names:tc:SAML:2.0:ac:classes:X509
- urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
- urn:oasis:names:tc:SAML:2.0:ac:classes:Password
- urn:federation:authentication:windows
- Access Rules (Optional) – Select the check box or check boxes next to the rules that need to be applied in the authorization policy. To create access rules, follow the steps mentioned in Configuring Access Rules for SAML Attributes in the Advanced Configuration for SAML Authentication article.
- Specify values for other parameters as required and click Save.
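The URL Match and Host Match semantics described in Step 5, as an added example that is not Barracuda code: a small Python evaluator that decides which authorization policy, if any, would subject a request to SAML authentication. It assumes that a trailing "*" in URL Match matches any remainder of the path, that Host Match is an exact, case-insensitive comparison against the request host with any port ignored, and that policies are tried in order; the policy set is constructed from the page's own example URLs.

```python
# Added example, not Barracuda code: an illustrative evaluator for the URL Match /
# Host Match semantics described in Step 5.  Assumptions: a trailing "*" in URL
# Match matches any remainder of the path; Host Match is an exact, case-insensitive
# comparison against the request host (port ignored); policies are tried in order.
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AuthorizationPolicy:
    name: str        # Policy Name
    url_match: str   # URL Match, e.g. "/sports/Tennis/*"
    host_match: str  # Host Match, e.g. "www.abc.com"
    status: str = "On"


def path_matches(pattern: str, path: str) -> bool:
    """Match a request path against a URL Match pattern.

    A pattern ending in "*" matches its literal prefix followed by anything, so
    "/sports/*" covers "/sports/Tennis/group1"; any other pattern must match
    the path exactly.  (Assumed semantics, as stated in the lead-in.)
    """
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def host_matches(pattern: str, host: str) -> bool:
    """Exact, case-insensitive comparison; a ":port" suffix on the host is ignored."""
    return pattern.lower() == host.split(":", 1)[0].lower()


def requires_saml(policies: Iterable[AuthorizationPolicy], url: str) -> Optional[AuthorizationPolicy]:
    """Return the first enabled policy whose URL Match and Host Match both match
    the request, or None when the request is not subjected to SAML authentication."""
    parts = urlsplit(url)
    path = parts.path or "/"          # "https://www.abc.com" is the root path
    for policy in policies:
        if policy.status != "On":
            continue
        if host_matches(policy.host_match, parts.netloc) and path_matches(policy.url_match, path):
            return policy
    return None


# Constructed policy set built from the page's example URLs.
POLICIES = [
    AuthorizationPolicy("tennis", "/sports/Tennis/*", "www.abc.com"),
    AuthorizationPolicy("all-sports", "/sports/*", "www.abc.com", status="Off"),
]


def matching_policy_name(url: str) -> Optional[str]:
    """Name of the policy that would protect this request, or None."""
    policy = requires_saml(POLICIES, url)
    return policy.name if policy else None


if __name__ == "__main__":
    for url in ("https://www.abc.com/sports/Tennis/group1",
                "https://www.abc.com/sports/Football/group1",
                "https://other.abc.com/sports/Tennis/group1"):
        print(url, "->", matching_policy_name(url))
```

The Football request is not protected because the only policy that covers it is switched Off, which is the case to check when a path is expected to require authentication and does not: a policy with URL Match "/*" protects the whole host, while a narrow pattern such as "/sports/Tennis/*" leaves every other path open.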
Step 6 - Generate Service Provider (SP) Metadata
After you have configured the Barracuda Web Application Firewall, you must generate the metadata file of the SAML service provider (i.e., the Barracuda Web Application Firewall), and export the metadata file to the Identity Provider (IdP).
To generate the metadata file of the SAML Service Provider (SP):
- Go to the ACCESS CONTROL > Authentication Policies page.
- In the Authentication Policies section, click Generate next to the service under Metadata.
- Save the Service Provider (SP) metadata XML file to your local machine. Example: sp_metadata_app.xml, where “sp_metadata” indicates the Service Provider metadata file configured for the service “app”.
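The IdP metadata file of Step 3 and the SP metadata file of Step 6 are both SAML 2.0 EntityDescriptor documents. The following Python script is an added example, not Barracuda's own code: it extracts the entityID, endpoints and certificate fingerprints from either kind of file and flags issues worth checking before the file is exchanged, such as an entityID that differs from the configured SP Entity ID, an endpoint that is not HTTPS, or an SP that does not sign its AuthnRequests. The two embedded metadata documents are constructed samples: the IdP entity ID and endpoint, the ACS location "https://waf.example.com/acs-placeholder" and the certificate placeholder bytes are assumptions, not values from the page; only the SP Entity ID "https://waf.example.com/" comes from Step 4.

```python
# Added example, not Barracuda code: inspect SAML 2.0 metadata before it is
# exchanged (the IdP metadata of Step 3, the SP metadata of Step 6).  The sample
# documents are constructed; the "certificate" is a placeholder byte string.
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder standing in for DER certificate bytes (not a real X.509 cert).
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of certificate bytes, the value to compare with the peer out of band."""
    return hashlib.sha256(der).hexdigest()


def summarize_metadata(xml_text: str) -> dict:
    """Extract entityID, role, endpoints and key fingerprints from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "role": None,
            "endpoints": [], "certs": [], "authn_requests_signed": False}
    roles = (("sp", "SPSSODescriptor", "AssertionConsumerService"),
             ("idp", "IDPSSODescriptor", "SingleSignOnService"))
    for role, descriptor, endpoint in roles:
        desc = root.find("md:" + descriptor, NS)
        if desc is None:
            continue
        info["role"] = role
        info["authn_requests_signed"] = desc.get("AuthnRequestsSigned") == "true"
        for ep in desc.findall("md:" + endpoint, NS):
            info["endpoints"].append((ep.get("Binding"), ep.get("Location")))
        for kd in desc.findall("md:KeyDescriptor", NS):
            b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
            der = base64.b64decode("".join(b64.split()))
            # A KeyDescriptor without a "use" attribute is valid for both signing and encryption.
            info["certs"].append((kd.get("use", "signing+encryption"), fingerprint(der)))
    return info


def check_metadata(info: dict, expected_entity_id: Optional[str] = None) -> list:
    """Return a list of problems worth fixing before the file is handed to the peer."""
    problems = []
    if expected_entity_id and info["entity_id"] != expected_entity_id:
        problems.append("entityID %r does not match configured SP Entity ID %r"
                        % (info["entity_id"], expected_entity_id))
    if not info["certs"]:
        problems.append("no KeyDescriptor: the peer cannot verify signatures or encrypt")
    for _binding, location in info["endpoints"]:
        if not (location or "").startswith("https://"):
            problems.append("endpoint is not https: %r" % location)
    if info["role"] == "sp" and not info["authn_requests_signed"]:
        problems.append("AuthnRequestsSigned is not 'true'; enable signing on AuthnRequest")
    return problems


_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

# Constructed SP metadata; the ACS location is a placeholder, the entityID is the Step 4 example.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://waf.example.com/">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://waf.example.com/acs-placeholder" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % _CERT_B64

# Constructed IdP metadata with a deliberately plain-http SSO endpoint so the check flags it.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % _CERT_B64

if __name__ == "__main__":
    for label, doc, expected in (("SP", SP_METADATA, "https://waf.example.com/"),
                                 ("IdP", IDP_METADATA, None)):
        info = summarize_metadata(doc)
        print(label, info["entity_id"], info["endpoints"], check_metadata(info, expected))
```

Compare the printed certificate fingerprints with the peer over a channel other than the metadata exchange itself, and when the IdP metadata is fetched from a URL as in Step 3, treat the document as external input: parse it with a hardened XML parser such as defusedxml rather than xml.etree, and confirm the download happened over TLS with certificate validation.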
Next Step
Configuring Identity Provider (IdP) for SAML Authentication