Setting up SAML with Entra

ChrisSnapeChrisSnape
in Firebox - Authentication

Hi all,

Model M270
Version 12.11.4.B722644

I am looking at setting up SAML authentication on one of our firewalls, as a test for a wider adoption. I have followed all the steps in this process:

https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/azure-saml_ssl-vpn.html

Everything looks like it took correctly. MUVPN groups are good. Enterprise App is up and running. But when I try to login via the client I get a blank "SAML Authentication Account" window, then it disappears and the client get stuck in a loop. I have to manually disconnect.

When I try to test the sign in on the Entra side I get a 404 unknown page. But I have definitely added the URLs correctly to both sides.

What have I missed?

Thanks in advance.

Comments

  • ChrisSnapeChrisSnape

    Also, should this page still be accessible once the process is complete?

    https://[Host name or IP address for Firebox SAML]/auth/saml

    I would of thought this page was disabled once the SAML authentication was active. As it holds the certificate information etc?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @ChrisSnape
    If you're getting a 404 on the entra side, that sounds like something may not be set correctly, or something didn't provision correctly over there.

    If you haven't already done so, I'd suggest creating a support case - one of our reps can help look into the issue with you.

    -James Carson
    WatchGuard Customer Support

  • ChrisSnapeChrisSnape

    @james.carson said:
    Hi @ChrisSnape
    If you're getting a 404 on the entra side, that sounds like something may not be set correctly, or something didn't provision correctly over there.

    If you haven't already done so, I'd suggest creating a support case - one of our reps can help look into the issue with you.

    The 404 appears when Entra tries to get to the HTTPS link for the Firebox. Could it be because I am still using the unsigned SSL cert on the firebox? Do I need to replace it with a signed one?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @ChrisSnape
    The Firebox imports a cert from Entra, but it's not the default webserver cert.

    -James Carson
    WatchGuard Customer Support

  • ChrisSnapeChrisSnape

    just to update this post. I opened a case with WatchGuard direct and managed to get it working. The solution was to follow through this link:

    https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr000000DQKrKAO&lang=en_US

    Latest version of the MUVPN software and a manual tweak for non-admin users.

    All working now.

    Kind Regards,
    Chris Snape

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @ChrisSnape I'm glad to hear it's all working now.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.