Barracuda CloudGen Firewall

Attention

Barracuda CloudGen Firewall version 8.0 is a cloud-only version. It is currently not available for on-premises deployments and can only be deployed in Microsoft Azure, Amazon Web Services, or Google Cloud Platform public clouds.

How to Configure AD FS Authentication

Active Directory Federation Service (AD FS) is a service provided by Microsoft that enables users to authenticate across multiple organizations. The credentials are not forwarded to the service provider. Rather, when users contact a service provider, they are forwarded to the AD FS, which provides a token. This token is then used to verify with the identity provider that the user authenticated successfully. Using the token ensures that the service provider never has access to the actual user credentials. AD FS uses the Security Assertion Markup Language (SAML) for exchanging authentication and authorization information. AD FS is currently provided for HTTPS only.

adfs_overview_01.png

AD FS enables transparent single sign-on (i.e., sign in to applications if the user is already signed in on the firewall, and vice versa). This requires a firewall rule to forward the traffic to fwauthd. AD FS authentication supports both offline authentication and inline authentication.

Step 1. Configure General AD FS Settings for SAML, Identity Provider, and Certificates

  1. Set Activate Scheme to yes.
  2. For Method, select SAML.
  3. In the section SAML Configuration, enter the IP address for Service Provider Entity ID.
  4. In the section Identity Provider, click Ex/Import to import the identity provider's metadata. The imported XML file contains the information the firewall needs about the identity provider and the user identity attributes it provides, and is commonly generated by AD FS.
  5. In the section Certificates, configure:
    • Service Provider Private Key for Encryption
      • New Key... – Click to create a new key.
      • Ex/Import – Click to ex/import a key for encryption.
    • Service Provider Certificate for Encryption
      • Show... – Click to show the provider certificate.
      • Ex/Import – Click to ex/import a certificate for encryption.
    • Service Provider Private Key for Signing
      • New Key... – Click to create a new private key for signing.
      • Ex/Import – Click to ex/import a private key for signing.
    • Service Provider Certificate for Signing
      • Show... – Click to show the provider certificate for signing.
      • Ex/Import – Click to ex/import the service provider certificate for signing.
  6. Click Send Changes.
  7. Click Activate.
    configure_saml_adfs_authentication_scheme_step1.png

After clicking Activate, the user's attributes stored in the Identity Provider Metadata will be extracted to the list for Set Remote User.
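As an added illustration (not part of this Barracuda page or product), a small Python check of an identity provider metadata file before it is imported in step 4: it extracts the entityID, the SSO endpoints, SHA-256 fingerprints of the signing certificates and the claim types that end up in the Set Remote User list, and flags a non-HTTPS endpoint or a missing signing certificate. The sample metadata and the certificate placeholder are constructed; element names follow the SAML 2.0 metadata and WS-Federation schemas that AD FS federation metadata uses.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of SAML 2.0 metadata and the WS-Federation extensions AD FS adds
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}

def inspect_idp_metadata(xml_text: str) -> dict:
    """Summarise IdP metadata before importing it (Step 1.4): entityID, SSO endpoints,
    signing-cert SHA-256 fingerprints, claim types (Step 2 candidates) and warnings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"warnings": ["no IDPSSODescriptor: this is not IdP metadata"]}
    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    # AD FS is served over HTTPS only: a plain-http endpoint means mis-generated or tampered metadata
    warnings = [f"non-HTTPS SSO endpoint: {u}" for u in sso if not u.lower().startswith("https://")]
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' covers signing too
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        warnings.append("no signing certificate: assertions cannot be verified")
    claims = [c.get("Uri") for c in root.findall(".//fed:ClaimTypesOffered/auth:ClaimType", NS)]
    return {"entity_id": root.get("entityID"), "sso": sso, "claim_types": claims,
            "signing_cert_sha256": fingerprints, "warnings": warnings}

# Constructed sample metadata; the certificate is a placeholder, not a real X.509 blob.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.com/adfs/services/trust">
  <RoleDescriptor><fed:ClaimTypesOffered>
    <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
    <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  </fed:ClaimTypesOffered></RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Compare the printed fingerprints with the token-signing certificate thumbprint the AD FS administrator reports before importing the file.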

Step 2. Configure a Specific Attribute for the Authentication of the Remote User

  1. Click the field of the list for Set Remote User.
  2. Select the attribute that best fits the configuration of the remote user.
  3. Click Send Changes.
  4. Click Activate.
    configure_saml_adfs_authentication_scheme_step2.png
  5. Close the tab Authentication Service.

    It is important to explicitly close the tab for Authentication Service because closing will trigger data processing for the following step.

    configure_saml_adfs_authentication_scheme_step2a.png

Step 3. Export the Service Provider Metadata

  1. Click Ex/Import in the section Service Provider Metadata to export the metadata.
  2. Specify a location where to store the file.
    configure_saml_adfs_authentication_scheme_step3.png
  3. Click Send Changes.
  4. Click Activate.
  5. Close the tab Authentication Service.

Step 4. Enable AD FS Authentication on the Firewall

  1. Go to CONFIGURATION > Configuration Tree > Virtual Servers > your virtual server > Firewall > Firewall Forwarding Settings.
  2. In the left menu, click Authentication.
  3. In the Metadirectory Authentication section, set the following values:
    • Authentication Scheme – Select SAML/ADFS from the list.
    • Listen IP – Enter the listening address of the CloudGen Firewall's authentication daemon.
    • Request Timeout – Set the value for the timeout for requests.
    • User ACL Policy
      • Set the value to deny-explicit if you want only domain users listed in User ACL to be blocked.
      • Set the value to allow-explicit if you want only domain users listed in User ACL to be allowed.
    • User ACL – Click + to add or x to remove users to or from the ACL list.
    • URL Filter Override Users – Click Set.../Edit to configure user-specific credentials.

Step 5. Create Access Rules for Authenticating with AD FS

Create an access rule for redirecting users for authentication.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Either click the plus icon (+) in the top right of the ruleset, or right-click the ruleset and select New > Rule.
    FW_Rule_Add01.png
  4. Select App Redirect as the action.
  5. Enter a Name for the rule. For example, fwauthredirect.
  6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
    • Source – The source addresses of the traffic, e.g., 0.0.0.0/0.
    • Service – Select HTTPS from the list.
    • Destination – Enter the IP address of the CloudGen Firewall, e.g., 10.17.68.29.
  7. Enter the Redirection IP address and optional port as the Local Address. For example, 127.0.0.1.
  8. Click OK.
  9. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
  10. Click Send Changes and Activate.
    fwauthRedirect_access_rule_01.png

Step 6. Create an Access Rule for Passing Authenticated Users

Create an access rule that passes traffic from users who have already authenticated.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Forwarding Rules.
  2. Click Lock.
  3. Either click the plus icon (+) in the top right of the ruleset, or right-click the ruleset and select New > Rule.
    FW_Rule_Add01.png
  4. Select Pass as the action.
  5. Enter a Name for the rule. For example, AllowAuthenticatedUsers.
  6. Specify the following settings that must be matched by the traffic to be handled by the access rule:
    • Source – The source addresses of the traffic, e.g., 0.0.0.0/0.
    • Service – Select ANY from the list.
    • Destination – Select Internet.
  7. Authenticated User – Select All Authenticated Users from the list.
  8. Connection Method – Select Dynamic NAT from the list.
  9. Click OK.
  10. Drag and drop the access rule so that it is the first rule that matches the traffic that you want it to forward. Ensure that the rule is located above the BLOCKALL rule; rules located below the BLOCKALL rule are never executed.
  11. Click Send Changes and Activate.
    allowAuthenticatedUsers_access_rule.png
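To show why the rule order in steps 5 and 6 matters, here is an added Python model of first-match evaluation over the page's three rules (fwauthredirect, AllowAuthenticatedUsers, BLOCKALL); it is illustration code, not the firewall's own rule engine. The firewall address 10.17.68.29 is the page's example; the client and Internet addresses in the usage are constructed, and "Internet" is modelled as any globally routable destination.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                       # "App Redirect", "Pass" or "Block"
    source: str = "0.0.0.0/0"         # CIDR the source must fall into
    service: str = "ANY"              # "HTTPS" or "ANY"
    destination: str = "0.0.0.0/0"    # CIDR, or "Internet" (any globally routable address)
    authenticated_only: bool = False  # the page's "All Authenticated Users" condition
    local_address: str = ""           # App Redirect target, e.g. 127.0.0.1 (fwauthd)

@dataclass
class Packet:
    src: str
    dst: str
    service: str
    authenticated: bool = False       # has fwauthd already authenticated this user?

def _dst_matches(rule: Rule, dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return addr.is_global if rule.destination == "Internet" else addr in ipaddress.ip_network(rule.destination, strict=False)

def evaluate(ruleset, pkt):
    """First-match evaluation: the first rule matching the traffic decides, later rules are ignored."""
    for r in ruleset:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.source, strict=False):
            continue
        if r.service != "ANY" and r.service != pkt.service:
            continue
        if not _dst_matches(r, pkt.dst):
            continue
        if r.authenticated_only and not pkt.authenticated:
            continue
        return (r.name, r.action, r.local_address)
    return (None, "Block", "")        # implicit default when nothing matches

def dead_rules(ruleset):
    """Names of rules placed below BLOCKALL; they can never be reached."""
    names = [r.name for r in ruleset]
    return names[names.index("BLOCKALL") + 1:] if "BLOCKALL" in names else []

# The ruleset of Steps 5 and 6 in the order the page requires (BLOCKALL last)
RULESET = [
    Rule("fwauthredirect", "App Redirect", service="HTTPS", destination="10.17.68.29/32", local_address="127.0.0.1"),
    Rule("AllowAuthenticatedUsers", "Pass", destination="Internet", authenticated_only=True),
    Rule("BLOCKALL", "Block"),
]
```

With the rules in this order, an unauthenticated HTTPS request to the firewall is redirected to 127.0.0.1, an authenticated user's Internet traffic passes, and everything else hits BLOCKALL; moving BLOCKALL up turns both other rules into dead rules.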

You can now authenticate against AD FS.
