Entra SAML and Security Group Information
I am trying to configure the Mobile VPN with SSL to restrict network access by group membership. Specifically, users in SG_Contractors should have limited access while SG_Internal should have full access to network resources. This was possible and was configured with AD authentication and is documented in this video.
I don't know what I'm missing, but I can't get it to work when I move to Entra ID SAML Auth.
I've followed the official procedure here and can successfully authenticate with a user in either security group (these are hybrid security groups, if that matters). However, firewall policies based on group membership aren't taking effect and even with Authentication and SSLVPN logging at the Debug level, I can't verify that group information is being passed to the firebox.
Is there any special configuration needed on the Entra side to implement this?
Comments
Hi @armoli
The Firebox logs each group it matches to something configured on the Firebox, in the Firebox's support file under:
support.tgz\support.tar\Fireware_XTM_Support.tgz\Fireware_XTM_Support.tar\support\system\auth_session_list.txt
(The name support.tgz and Fireware_XTM will likely be replaced with the name of your firewall.)
(Download Diagnostic Snapshot File - WatchGuard Cloud)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/monitor_diagnostics.html#Snapshot
(Download a Diagnostic Log Message File - Fireware Web UI)
https://www.watchguard.com/help/docs/help-center/en-US/content/en-us/Fireware/system_status/support_diagnostics-file_web.html
(Download a Diagnostic Log Message File - WSM/Firebox System Manager)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/downoad_support_file.html
If you're not seeing your group in those files, I'd suggest opening a support case via the support center link at the top right of this page.
-James Carson
WatchGuard Customer Support
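A small script to automate the check described above, as an added example that is not part of this thread or of WatchGuard's own tooling. It unpacks the nested snapshot (outer .tgz, then the inner *_Support.tgz, whose exact name varies per firewall, so it is located by suffix) and reports which of the expected group names occur in support/system/auth_session_list.txt. The page does not show the file's layout, so the check is a case-insensitive substring match per group name, and the sample session text below is a constructed placeholder rather than real Firebox output. A group that never appears there was either not sent in the SAML assertion or does not match a group name configured on the Firebox.

```python
"""Pull auth_session_list.txt out of a nested WatchGuard diagnostic snapshot
and check which expected group names appear in it.

Added example, not part of the forum thread or WatchGuard's tooling.
Assumed layout (from the path quoted in the answer):
  support.tgz -> <name>_Support.tgz -> support/system/auth_session_list.txt
"""
import io
import tarfile

MEMBER_PATH = "support/system/auth_session_list.txt"
INNER_SUFFIX = "_Support.tgz"   # assumed: inner archive name varies, suffix does not


def _member_bytes(archive: bytes, pick) -> bytes:
    """Return the contents of the first regular file in a (gzipped) tar whose name satisfies pick()."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile() and pick(m.name):
                return tar.extractfile(m).read()
    raise FileNotFoundError("no matching member in archive")


def extract_auth_session_list(outer_tgz: bytes) -> str:
    """Unpack the outer snapshot, then the inner *_Support.tgz, and return the session list text."""
    inner = _member_bytes(outer_tgz, lambda n: n.endswith(INNER_SUFFIX))
    raw = _member_bytes(inner, lambda n: n.endswith(MEMBER_PATH))
    return raw.decode("utf-8", errors="replace")


def groups_seen(session_text: str, expected: list[str]) -> dict[str, bool]:
    """Case-insensitive substring check per expected group name.

    The file's exact layout is not documented on the page, so this only answers
    whether the name occurs anywhere in it, which is enough to tell whether the
    Firebox matched that group for any session.
    """
    lowered = session_text.lower()
    return {g: g.lower() in lowered for g in expected}


def _tgz(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .tgz from {path: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_snapshot(session_text: str, device: str = "Fireware_XTM") -> bytes:
    """Constructed stand-in for a downloaded snapshot; a real one comes from the Firebox."""
    inner = _tgz({MEMBER_PATH: session_text.encode()})
    return _tgz({f"{device}_Support.tgz": inner})


# Constructed sample lines: the real auth_session_list.txt layout is not shown on the page.
SAMPLE_SESSION_TEXT = (
    "# constructed placeholder, not real Firebox output\n"
    "session 1 user=alice@example.com type=SSLVPN group=SG_Internal\n"
    "session 2 user=bob@example.com type=SSLVPN\n"
)


def check_sample() -> dict[str, bool]:
    """Run the extraction and group check against the constructed sample snapshot."""
    snapshot = build_sample_snapshot(SAMPLE_SESSION_TEXT)
    text = extract_auth_session_list(snapshot)
    return groups_seen(text, ["SG_Internal", "SG_Contractors"])


if __name__ == "__main__":
    # For a real snapshot: extract_auth_session_list(open("support.tgz", "rb").read())
    for group, present in check_sample().items():
        state = "matched" if present else "NOT found: check the SAML group claim and the Firebox group name"
        print(f"{group}: {state}")
```

Against a real download, replace the constructed snapshot with the bytes of the file obtained through one of the three links above; the member lookup by suffix means the script does not care what the outer or inner archives are actually named.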
Thanks, I was able to identify and correct the issue by inspecting that file in the Diagnostic Logs!