Barracuda Web Application Firewall

Configuring Single Sign-On using SAML Authentication

  • Last updated on

Single Sign-On (SSO) is a mechanism where a single set of user credentials is used for authentication and authorization to access multiple applications across different web servers and platforms, without having to re-authenticate. For more information, see How to Configure Single Sign-On.

Case 1: SSO between two applications with different Virtual IP (VIP) addresses configured on the same Barracuda Web Application Firewall.

  1. Create two HTTPS services on the BASIC > Services page by following the steps mentioned in "Step 2 - Create an HTTPS Service on the Barracuda Web Application Firewall" in the Configuring SAML on the Barracuda Web Application Firewall article. As an example, assume that App1 and App2 are the two HTTPS services created on the Barracuda Web Application Firewall.
  2. Add a SAML IdP authentication service on the ACCESS CONTROL > Authentication Services page by following the steps mentioned in "Step 3 - Configure a SAML IdP Authentication Service" in the Configuring SAML on the Barracuda Web Application Firewall article. You can add multiple Identity Providers to a SAML IdP authentication service (if required). See "Configuring Multiple Identity Providers" in the Advanced Configuration for SAML Authentication article.
  3. Configure the authentication policy for both the services (App1 and App2) by following the steps below:
    1. Go to the ACCESS CONTROL > Authentication Policies page, Authentication Policies section.
    2. Click Edit Authentication next to App1 (HTTPS service created in step 1).
      1. On the Edit Authentication Policies page, do the following configuration:

        • Status – Set to On.

        • Authentication Service - Select the SAML IdP authentication service created in step 2.

          It is recommended that both services in the SSO setup use the same SAML IdP authentication service. However, you can associate different SAML IdP authentication services with the applications if those SAML IdP authentication services have the same server configuration.

        • Specify values for the parameters under SAML Service Provider Configuration, and click Save. See Step 4 - Enable Authentication and Configure SAML Service Provider in the Configuring SAML on the Barracuda Web Application Firewall article.

    3. Repeat step 3 for App2 (HTTPS service created in step 1).
    4. Configure the authorization policy for both the services (App1 and App2) by following the steps mentioned in "Step 5 - Configure the Authorization Policy for the Service" in the Configuring SAML on the Barracuda Web Application Firewall article.

How the SSO Setup Works

  1. Open your web browser and access the protected resource of the first service.
  2. If the SAML IdP authentication service associated with the service is configured with only one IdP server detail, the Barracuda Web Application Firewall redirects the user to the configured Identity Provider and challenges the user to provide login credentials.
  3. If multiple Identity Providers are configured, the Barracuda Web Application Firewall displays an Identity Provider selection page where the user can select the Identity Provider for authentication.
  4. After successful authentication, the user is allowed to access the requested URL.
  5. Now, access the protected resource of the second application.
  6. If the SAML IdP authentication service associated with the service is configured with only one IdP server detail, then the user is allowed to access the requested URL without being challenged to provide login credentials.
  7. Both the services are now in an SSO environment.
  8. If multiple Identity Providers are configured, the Barracuda Web Application Firewall displays an Identity Provider selection page where the user can select the Identity Provider for authentication. In this case:
    1. If the user selects the same Identity Provider that was selected for the first service, the user is allowed to access the requested URL without being challenged to provide login credentials.
    2. If the user selects a different Identity Provider for authentication, the user is allowed to access the requested URL upon successful authentication, but the service remains independent and not in an SSO environment.

Case 2: SSO between two applications that are configured on different Barracuda Web Application Firewalls with different virtual IP (VIP) addresses.

  1. On the Barracuda Web Application Firewall 1, complete the following configuration:
    1. Create an HTTPS service on the BASIC > Services page by following the steps mentioned in "Step 2 - Create an HTTPS Service on the Barracuda Web Application Firewall" in the Configuring SAML on the Barracuda Web Application Firewall article.
    2. Add a SAML IdP authentication service on the ACCESS CONTROL > Authentication Services page by following the steps mentioned in "Step 3 - Configure a SAML IdP Authentication Service" in the Configuring SAML on the Barracuda Web Application Firewall page. You can add multiple Identity Providers to a SAML IdP authentication service (if required). See "Configuring Multiple Identity Providers" in the Advanced Configuration for SAML Authentication article.
    3. Configure an authentication and authorization policy for the service created in step 1 by following the steps mentioned in "Step 4 - Enable Authentication and Configure SAML Service Provider" and "Step 5 - Configure the Authorization Policy for the Service" in the Configuring SAML on the Barracuda Web Application Firewall article.
  2. On the Barracuda Web Application Firewall 2, repeat step 1 (a) (b) and (c).

    Ensure that you add a SAML IdP authentication service with the same server configuration as that of the Barracuda Web Application Firewall 1.
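
Both cases above require the SAML IdP authentication services to have the same server configuration. The following added example (not Barracuda code) compares two IdP configurations and reports which fields differ. It assumes each configuration is available as standard SAML 2.0 IdP metadata XML with an EntityDescriptor root; the function names, host names and certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def idp_profile(metadata_xml):
    """Reduce one IdP's metadata to the values both services must agree on."""
    root = ET.fromstring(metadata_xml)  # parse only metadata you exported yourself
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def endpoints(tag):
        return sorted((e.get("Binding", ""), e.get("Location", ""))
                      for e in idp.findall(f"md:{tag}", NS))

    fingerprints = set()
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use") in (None, "signing"):  # no 'use' covers signing too
            for cert in key.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                fingerprints.add(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"),
            "sso": endpoints("SingleSignOnService"),
            "slo": endpoints("SingleLogoutService"),
            "signing_certs": sorted(fingerprints)}

def config_drift(first_xml, second_xml):
    """Return {field: (first, second)} for every field that differs."""
    a, b = idp_profile(first_xml), idp_profile(second_xml)
    return {field: (a[field], b[field]) for field in a if a[field] != b[field]}

def sample_metadata(sso_url, cert_bytes):
    """Constructed sample: placeholder host, placeholder bytes as the cert."""
    cert = base64.b64encode(cert_bytes).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="{sso_url}"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    waf1 = sample_metadata("https://idp.example.test/sso", b"constructed-cert-A")
    waf2 = sample_metadata("https://idp.example.test/sso", b"constructed-cert-B")
    for field, (one, two) in config_drift(waf1, waf2).items():
        print(f"MISMATCH {field}: {one} != {two}")
```

An empty result from `config_drift` means the entity ID, SSO and SLO endpoints, and signing certificate fingerprints all match.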

Configuring Single Logout (SLO) using SAML Authentication

In the SSO environment, you can perform a single logout to log out of all applications to which you were authenticated with the same Identity Provider. To perform a single logout, enter the following in the web browser:

https://<host>/saml.sso/login?LOGOUT

Example: https://www.abc.com/saml.sso/login?LOGOUT

If different Identity Providers were selected for authenticating different applications (i.e. the applications are not in the SSO environment/setup), then using this LOGOUT URL in the web browser will perform a normal logout from the Identity Provider.
