Barracuda CloudGen Firewall

How to Create a SAML Endpoint in Microsoft Azure and Client-to-Site SAML Configuration

Follow the guide below to create a SAML endpoint in Microsoft Azure and to configure a Barracuda CloudGen Firewall to use SAML authentication for the client-to-site VPN service.

Before You Begin

Step 1. Create a SAML Endpoint in Microsoft Azure

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click All services and search for Azure Active Directory.
  3. Click Azure Active Directory.
  4. In the left menu of the Azure Active Directory blade, click Enterprise applications.
  5. In the Enterprise applications blade, click Overview.
  6. In the Overview blade, click + New application.
  7. The Browse Azure AD Gallery blade opens.
  8. Click Create your own application.
  9. The Create your own application blade opens.
  10. Enter the name of your application and select Integrate any other application you don't find in the gallery (Non-gallery).
  11. Click Create.
  12. After the application is successfully deployed, the Overview blade of the created application opens automatically.
  13. Click Properties.
  14. In the Properties blade, disable User assignment required.
  15. Click Save.
  16. In the left menu, click Single sign-on.
  17. The Single sign-on blade opens. Click SAML.
  18. The SAML-based Sign-on blade opens.
  19. In the User Attributes & Claims section, click Edit.
  20. The User Attributes & Claims blade opens.
  21. Click Add a group claim.
  22. The Group Claims blade opens.
  23. Select Security groups and click Save.
  24. Click X to close the User Attributes & Claims blade.
  25. The SAML-based Sign-on blade opens.
  26. Click Download to download the Federation Metadata XML. Note that some browsers might block the *.xml file.
  27. Save the file to your local machine.

Step 2. Configure the Barracuda CloudGen Firewall to Use SAML Authentication

  1. Connect to your Barracuda CloudGen Firewall and log in.
  2. Go to CONFIGURATION > Configuration Tree > Infrastructure Services > Authentication Service.
  3. In the left menu, click SAML/ADFS Authentication.
  4. Click Lock.
  5. In the SAML General Information section, set Activate Scheme to yes.
  6. In the Identity Provider section, click Ex/Import. Then click Import from File... and select the file retrieved in Step 1.
  7. Click Send Changes.
  8. In the Attributes section, specify the Assertion Name ID and select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the drop-down menu.
  9. Click Send Changes.
  10. In the Attributes section, specify values for the following:
    • User Attribute - Select Name ID (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) from the drop-down menu.
    • Group Attribute - Select Attribute(Groups) from the drop-down menu.
  11. In the Certificates section, specify values for the following:
    • Enable Assertion Encryption - Clear the check box.
    • Enable Assertion Signing - Clear the check box.
  12. Click Send Changes.
  13. Click Activate.
  14. In the Service Provider Metadata section, click Ex/Import. Then click Export to File... and save it to your local machine.
  15. The hostname (steps 16 to 19 below) must be specified only if SAML/ADFS is not used for Firewall Authentication.
  16. In the left menu, click Configuration Mode.
  17. Click Switch to Advanced.
  18. Click SAML/ADFS Authentication.
  19. In the Endpoints section, specify values for the following if SAML/ADFS is not used for Firewall Authentication. Otherwise, you can skip this step.
    • Use Hostname from - Select Explicit-Hostname from the drop-down menu.
    • Explicit Hostname - Enter localhost.
  20. Click Send Changes.
  21. Click Activate.

Step 3. Finalize SAML Configuration in Microsoft Azure

  1. Log into the Azure portal: https://portal.azure.com
  2. In the left menu, click All services and search for Azure Active Directory.
  3. Click Azure Active Directory.
  4. In the left menu of the Azure Active Directory blade, click Enterprise applications.
  5. In the Enterprise applications blade, click All applications.
  6. Click the application you created in Step 1, e.g., Campus-SAML-Endpoint.
  7. In the left menu, click Single sign-on.
  8. Click SAML.
  9. The Single sign-on blade opens.
  10. Click Upload metadata file.
  11. Select the Service Provider Metadata file exported in Step 2 and click Add.
  12. Click Save.
  13. Close the Basic SAML Configuration blade.
  14. You are now back in the Single sign-on blade.
  15. Click Download to download the Federation Metadata XML file and save it to your local machine.


Step 4. Finalize the Barracuda CloudGen Firewall SAML Configuration

  1. Connect to your Barracuda CloudGen Firewall and log in.
  2. Go to CONFIGURATION > Configuration Tree > Infrastructure Services > Authentication Service.
  3. In the left menu, click SAML/ADFS Authentication.
  4. Click Lock.
  5. In the Identity Provider section, click Ex/Import.
  6. From the drop-down menu, select Clear.
  7. In the Identity Provider section, click Ex/Import.
  8. From the drop-down menu, select Import from File...
  9. Select the file downloaded in Step 3 and import it.
  10. Click Send Changes.
  11. Click Activate.

Step 5. VPN Configuration of the Barracuda CloudGen Firewall

  1. Connect to your Barracuda CloudGen Firewall and log in.
  2. Go to CONFIGURATION > Configuration Tree > Assigned Services > VPN (VPN-Service) > VPN Settings.
  3. In the left menu, click General.
  4. Click Lock.
  5. In the Service section, specify values for the following:
    • Private key - Click to generate a new private key. Select a key length and click OK.
    • Certificate - Click to generate a new certificate. Enter a name and click OK.
  6. Click Send Changes.
  7. Click Activate.
  8. In the left menu, click Client Networks.
  9. Click Lock.
  10. In the right menu, right-click in the table and select New Client Network from the drop-down menu.
  11. The Client Network window opens. Specify values for the following:
    • Name - Enter a name.
    • Network Address - Enter the network address.
    • Gateway - Enter the gateway.
  12. Click OK.
  13. Click Send Changes.
  14. Click Activate.
  15. Go to CONFIGURATION > Configuration Tree > Assigned Services > VPN (VPN-Service) > Client to Site.
  16. Click Lock.
  17. Open the External CA tab.
  18. Right-click in the Group Policy tab and select New Group Policy... from the drop-down menu.
  19. The Edit Group Policy window opens. Specify values for the following:
    • Name - Enter a name.
    • Network - Select the client network created before.
    • DNS IPv4 - Enter a DNS server.
    • Network Routes - Enter one or more routes if applicable.
  20. Stay in the Edit Group Policy window.
  21. In the Group Policy Condition section, double-click to add a new entry.
  22. The Group Policy Condition window opens. Specify values for the following:
    • Group Pattern - Enter the object ID of the Azure Active Directory group that will be enabled to use client-to-site VPN.
  23. Click OK.
  24. Click OK.
  25. Click Send Changes.
  26. Click Activate.
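The group policy condition in step 22 works because the group claim added in Step 1 (Security groups) carries each group's object ID in the assertion, and the firewall compares those IDs against the Group Pattern. The script below is an added example, not Barracuda code, that makes this matching visible: it pulls the NameID and the group values out of a constructed, unsigned sample assertion and picks the first group policy whose pattern matches. The claim name is the default Azure AD uses for group claims; the user, group object IDs, policy names and client networks are placeholders, the first-match ordering is this example's own choice, and signature and condition validation (which the firewall performs before any of this) are deliberately out of scope.

```python
"""Map the groups in a SAML assertion to a client-to-site group policy."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Default claim name Azure AD uses for the group claim configured in Step 1.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample assertion: unsigned, placeholder tenant, user and group IDs.
SAMPLE_ASSERTION = b"""<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</NameID>
  </Subject>
  <AttributeStatement>
    <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <AttributeValue>11111111-1111-1111-1111-111111111111</AttributeValue>
      <AttributeValue>22222222-2222-2222-2222-222222222222</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>
"""

# Constructed group policies as (name, group pattern = group object ID, client network).
POLICIES = [
    ("vpn-admins", "33333333-3333-3333-3333-333333333333", "10.0.10.0/24"),
    ("vpn-users", "22222222-2222-2222-2222-222222222222", "10.0.20.0/24"),
]


def extract_identity(assertion_xml: bytes) -> tuple:
    """Return (nameid_format, nameid, group_ids) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID; check the Assertion Name ID setting")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            for value in attr.findall("saml:AttributeValue", NS):
                groups.append((value.text or "").strip())
    return name_id.get("Format", ""), name_id.text.strip(), groups


def select_policy(group_ids, policies=POLICIES):
    """First policy whose Group Pattern equals one of the user's group object IDs.

    Exact matching on the object ID is what the guide's Group Pattern field
    expects; evaluating policies in list order is an assumption of this example.
    """
    for name, pattern, network in policies:
        if pattern in group_ids:
            return name, network
    return None


if __name__ == "__main__":
    fmt, user, groups = extract_identity(SAMPLE_ASSERTION)
    print("user:", user, "(%s)" % fmt)
    print("groups:", groups)
    print("policy:", select_policy(groups) or "no matching group policy; access denied")
```

A user whose assertion contains none of the configured object IDs gets no policy, which is the behaviour to expect when a group is missing from the Security groups claim or when a group display name was entered instead of its object ID.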

Step 6. Configuration of the VPN Client

Note that in the VPN client configuration, you have to select SAML as the Authentication Method.

Further Information
