Barracuda SecureEdge

How to Create a SAML Endpoint in Microsoft Azure and Basic User Connectivity & Personal Security Configuration


For Barracuda SecureEdge User Connectivity & Personal Security, you must configure a SAML endpoint in Microsoft Azure. In order to save the SAML configuration in Barracuda SecureEdge, you must also provide basic configuration details for User Connectivity & Personal Security.

Step 1. Create a SAML Endpoint in Microsoft Azure

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click All services and search for Microsoft Entra ID.
  3. Click Microsoft Entra ID.
  4. In the left menu of the Microsoft Entra ID blade, click Enterprise applications.
    enterprise_application.png
  5. The Enterprise applications blade opens. Click Overview.
    overview_ent_app.png
  6. In the Overview blade, click New application.
    new_application.png
  7. The Browse Microsoft Entra Gallery blade opens. Click Create your own application.
    create_own_app.png
  8. Enter the name of your application, and select Integrate any other application you don't find in the gallery (Non-gallery)
    create_own2.png
  9. Click Create
    After the application is successfully deployed, it automatically opens the Overview blade of the created application.
  10. In the left menu, select Properties.
    overview_properties.png
  11. In the Properties blade, disable Assignment required and click Save. Note that with assignment not required, every user in the tenant can sign in to this application; restrict who may actually connect with the group filters in your SecureEdge group policies (see the note after step 24).
    assignment_required.png
  12. In the left menu, click Single sign-on.
  13. The Single sign-on blade opens. Select SAML.
    sso_saml.png
  14. The SAML-based Sign-on blade opens. Copy the Login URL.
    copy_url.png
  15. Click Edit next to Basic SAML Configuration.
    edit_basic.png
  16. Click Add reply URL and paste the copied URL. This is only a placeholder so that the configuration can be saved; the real Reply URL is set in Step 3, when you upload the metadata exported from Barracuda SecureEdge.
  17. Open the SAML configuration on your Barracuda SecureEdge, and copy the Service Provider Entity ID.
  18. In the Basic SAML Configuration blade, click Add identifier and paste the copied ID.
    add_identifier.png
  19. Click Save.

  20. Click X to close the Basic SAML Configuration blade.

  21. In the User Attribute & Claims section, click Edit.

    user_attributes.png
  22. The User Attributes & Claims blade opens. Click Add a group claim.
    add_gclaim.png
  23. The Group Claims blade opens. Select Security groups and click Save.
    claim_sec.png
  24. Click X to close the User Attributes & Claims blade.
    close_uac.png

    If a user is a member of more groups than the token can carry (150 for SAML, 200 for JWT), Microsoft Entra ID replaces the groups claim with an overage claim whose value is a Microsoft Graph URL from which the group list can be retrieved. (For details, see Claims in SAML tokens in the Microsoft documentation.) The SecureEdge service does not follow this link to resolve the user's groups, so no group policy with a group filter matches and the VPN log records a "DENY: Group did not match" security entry for such users. To avoid this, configure a group filter on the claim in Microsoft Entra ID so that only the relevant groups are emitted and the overage claim is never sent. For more information, see Configure group claims for applications by using Microsoft Entra ID.

  25. In the SAML-based Sign-on blade, click Download to download the Federation Metadata XML.
    download_fed_metadata.png
    Note that some browsers might block the *.xml file.
  26. Save the file to your local machine.
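The following script, added here as a diagnostic and not part of the Barracuda or Microsoft documentation, shows what the overage condition described in the note after step 24 looks like inside a decoded SAML assertion and how a consumer that does not follow the groups link ends up with no group to match. The claim names are the ones Microsoft documents for the groups claim and the groups.link overage claim; the assertions, object IDs and the policy group set are constructed placeholders.

```python
"""Diagnose the Entra group-overage condition in a decoded SAML assertion.

Claim names are the ones Microsoft documents: the normal groups claim and the
groups.link overage claim that replaces it when the user is in too many groups.
"""
import xml.etree.ElementTree as ET  # for assertions taken from the wire, use defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUPS_LINK_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def extract_attributes(assertion_xml: str) -> dict:
    """Map each SAML attribute Name to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_group_claims(assertion_xml: str, policy_groups) -> tuple:
    """Return (verdict, matched_groups), mirroring how a group filter behaves.

    The assertion signature must already have been validated; this only reads claims.
    """
    attrs = extract_attributes(assertion_xml)
    if GROUPS_LINK_CLAIM in attrs:
        # overage: the token carries a Graph URL instead of group IDs, so a
        # consumer that does not follow the link sees no groups at all
        return ("overage", [])
    groups = set(attrs.get(GROUPS_CLAIM, []))
    matched = sorted(groups & set(policy_groups))
    return ("match", matched) if matched else ("no-match", [])


# constructed assertions: placeholder tenant, user and group object IDs
NORMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.windows.net/00000000-0000-0000-0000-000000000000/users/99999999-9999-9999-9999-999999999999/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# constructed: the group object ID referenced by a SecureEdge group filter
VPN_POLICY_GROUPS = {"22222222-2222-2222-2222-222222222222"}

if __name__ == "__main__":
    print(check_group_claims(NORMAL_ASSERTION, VPN_POLICY_GROUPS))
    print(check_group_claims(OVERAGE_ASSERTION, VPN_POLICY_GROUPS))
```

Run it against an assertion captured from a failing login (the browser's SAML tracer, base64-decoded): a verdict of "overage" means the fix is the group filter in Microsoft Entra ID, while "no-match" means the group IDs in the SecureEdge policy simply do not match what the tenant emits.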

Step 2. Basic Configuration in Barracuda SecureEdge 

  1. Go to https://se.barracudanetworks.com/ and log in with your existing Barracuda Cloud Control account.
  2. Go to Infrastructure > Settings.
    goto-infrast-setting.png
  3. The user configuration window opens. Specify values for the following:
    • Enable Site Authentication – Click to enable. Site authentication allows devices physically located within the network to authenticate against the Barracuda SecureEdge service so that Security Policies can be enforced for them.
    • Client Network – Enter the network used for the clients.
    • Pool Bitmask – Enter the bitmask of the network pool to allocate to each VPN access point.

      Barracuda Networks recommends allocating an address space twice as large as the number of desired clients, because the client network is automatically divided into pools. The pools are assigned equally to the gateways and must therefore be sized for the gateway with the largest number of clients. For example: if you have 2 gateways in 2 regions, one serving a large headquarters and one a small branch office, both receive an equal number of pools. The client network must therefore be sized according to the headquarters location.

    • Primary DNS – Enter a primary DNS address for the VPN clients to use or leave blank to use the standard configuration.
    • Secondary DNS – (optional) Enter a secondary DNS address for the VPN clients to use.
    • DNS Suffix – Enter a DNS suffix to be used for the VPN client network.
    • User Connectivity Routing – Select either Internal Network or Internet Access from the drop-down menu. Internal Network routes only the networks learned via BGP through the SecureEdge gateway (split tunnel); all other client traffic leaves the client directly. Internet Access sends all traffic through the gateway (full tunnel), which is required if SecureEdge is to inspect all client traffic.
    • Enterprise App Federation Metadata Url* – Paste the App Federation Metadata Url of the enterprise application created in Step 1. It is shown in the SAML Certificates section of the SAML-based Sign-on blade.
      pt-to-site-menu.png
  4. Click Save.
  5. Stay in the user configuration window, and scroll down to AZURE AD INTEGRATION.
  6. Click Download CSV.
    azure-AD-integration.png
  7. Save the file to your local disk.
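The sizing rule for Client Network and Pool Bitmask in step 3 is easy to get wrong when several gateways share one client network. The following planner, added here as an illustration and not Barracuda's own allocation code, models the rule as the page states it: the client network is split into pools of the given bitmask, the pools are divided equally between the gateways, and each gateway should be able to serve twice the number of clients expected at the largest site. The assumptions are that every address in a pool is usable by a client and that pools left over from an unequal division stay unused; the base network 10.200.0.0 and the scenario numbers are constructed.

```python
"""Size the Client Network and Pool Bitmask for SecureEdge user connectivity.

Model (from the page): the client network is split into 2^(pool_bitmask - prefix)
pools, handed out equally to the gateways, and you provision twice the number of
clients you expect at the largest site.
"""
import ipaddress
import math


def pool_capacity(client_network: str, pool_bitmask: int, gateways: int) -> dict:
    """How many clients each gateway can serve for a given network and bitmask."""
    net = ipaddress.ip_network(client_network, strict=True)
    if not (net.prefixlen < pool_bitmask <= 32):
        raise ValueError("pool bitmask must be longer than the client network prefix")
    if gateways < 1:
        raise ValueError("need at least one gateway")
    pools = 2 ** (pool_bitmask - net.prefixlen)
    # Assumption: every address in a pool is usable for a client. If the service
    # reserves addresses per pool, subtract them here.
    addresses_per_pool = 2 ** (32 - pool_bitmask)
    pools_per_gateway = pools // gateways  # equal split; the remainder stays unused
    return {
        "pools": pools,
        "pools_per_gateway": pools_per_gateway,
        "clients_per_gateway": pools_per_gateway * addresses_per_pool,
        "unassigned_pools": pools - pools_per_gateway * gateways,
    }


def recommend_client_network(largest_site_clients: int, gateways: int,
                             pool_bitmask: int, base: str = "10.200.0.0") -> str:
    """Smallest client network (CIDR) that honours the 2x rule on every gateway."""
    needed_per_gateway = 2 * largest_site_clients  # twice the desired clients
    addresses_per_pool = 2 ** (32 - pool_bitmask)
    pools_per_gateway = math.ceil(needed_per_gateway / addresses_per_pool)
    total_pools = pools_per_gateway * gateways
    # the network prefix must be integral, so round the pool count up to a power of two
    pool_bits = math.ceil(math.log2(total_pools))
    prefix = pool_bitmask - pool_bits
    if prefix < 8:
        raise ValueError("required client network exceeds a /8; use a longer pool bitmask")
    return str(ipaddress.ip_network(f"{base}/{prefix}", strict=False))


if __name__ == "__main__":
    # constructed scenario from the page: 2 gateways, a 400-client headquarters, /24 pools
    cidr = recommend_client_network(largest_site_clients=400, gateways=2, pool_bitmask=24)
    print(cidr, pool_capacity(cidr, 24, 2))
```

With 2 gateways and a 400-client headquarters, /24 pools give 10.200.0.0/21: 8 pools, 4 per gateway, 1024 addresses per gateway, which covers the 800 addresses the 2x rule asks for. With 3 gateways the division is no longer even, and the planner shows the pool that goes unused.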

Step 3. Finalize SAML Configuration in Microsoft Azure

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click All services and search for Microsoft Entra ID.
  3. Click Microsoft Entra ID.
  4. In the left menu of the Microsoft Entra ID blade, click Enterprise applications.
  5. In the Enterprise applications blade, click All applications.
  6. Click on the application you created in Step 1, e.g., Campus-SAML-Endpoint.
  7. In the left menu, click Single sign-on.
  8. The Single sign-on blade opens.
  9. Click Upload metadata file.
    upload_metadata.png
  10. Select the file downloaded in Step 2 and click Add.
    add_file.png
  11. Click Save.
    cgf_saml.png
  12. Close the Basic SAML Configuration blade.
    You are now back in the Single sign-on blade.
  13. Click Download to download the Federation Metadata XML file and save it to your local machine.
    fed_metadata_download2.png
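Before pasting a metadata URL into SecureEdge (Step 2) or uploading a metadata file into Microsoft Entra ID (Step 3), it is worth checking what the document actually contains: the entity ID you expect, a signing certificate, and HTTPS endpoints. The following checker is an added example, not code from Barracuda or Microsoft; it handles both the IdP metadata downloaded from Entra and service-provider metadata in the same SAML 2.0 format. The sample document, its tenant ID and its certificate body are constructed placeholders.

```python
"""Check a SAML federation metadata document before trusting it.

Handles the IdP metadata downloaded from Microsoft Entra ID and, because the SP
role is parsed too, service-provider metadata in the same SAML 2.0 format.
"""
import xml.etree.ElementTree as ET  # use defusedxml for documents you did not produce

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_metadata(xml_text: str) -> dict:
    """Return entity ID, role, signing certificates and endpoints keyed by binding."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("metadata has neither an IdP nor an SP role")
    info = {
        "entity_id": root.get("entityID"),
        "role": "idp" if idp is not None else "sp",
        "signing_certs": [],
        "endpoints": {},
    }
    for kd in role.iterfind("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both uses
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                info["signing_certs"].append("".join(cert.text.split()))
    service = "md:SingleSignOnService" if idp is not None else "md:AssertionConsumerService"
    for svc in role.iterfind(service, NS):
        info["endpoints"][svc.get("Binding")] = svc.get("Location")
    return info


def sanity_check(info: dict) -> list:
    """Problems to fix before the metadata is pasted or uploaded anywhere."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions cannot be verified")
    if info["role"] == "idp" and not ({REDIRECT, POST} & set(info["endpoints"])):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if info["role"] == "sp" and POST not in info["endpoints"]:
        problems.append("no HTTP-POST AssertionConsumerService")
    for binding, location in info["endpoints"].items():
        if not (location or "").startswith("https://"):
            problems.append(f"endpoint for {binding} is not HTTPS: {location}")
    return problems


# constructed Entra-style IdP metadata: placeholder tenant ID and certificate body
ENTRA_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-CONSTRUCTED-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    info = parse_metadata(ENTRA_IDP_METADATA)
    print(info["entity_id"], info["role"], info["endpoints"][REDIRECT])
    print(sanity_check(info) or "metadata looks usable")
```

Compare the entity ID and Login URL it prints with the values shown in the SAML-based Sign-on blade; a mismatch means you downloaded metadata for a different enterprise application or tenant.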

Further Information