Configuring SAML SSO for ManageEngine Firewall Analyzer
These steps will guide you through setting up the single sign-on (SSO) functionality between ADSelfService Plus and Firewall Analyzer.
Prerequisite
- Ensure that the ADSelfService Plus server can be accessed through HTTPS Connection (Access URL must be configured as HTTPS).
- Log in to ADSelfService Plus as an administrator.
- Navigate to Configuration → Self-Service → Password Sync/Single Sign On → Add Application, then select Firewall Analyzer from the applications displayed.
Note: You can also find the Firewall Analyzer application from the search bar located in the left pane or the alphabet wise navigation option in the right pane.
- On the Firewall Analyzer page, click IdP details in the top-right corner of the screen.
- You can configure the identity provider(IDP) details by either uploading the metadata file or entering the details manually.
- Uploading metadata file: Click the Download IdP Metadata link to download the metadata file to be uploaded during the configuration of Firewall Analyzer.
- For manual configuration: In the pop-up that appears, copy the Login URL and Logout URL, then download the SSO certificate by clicking Download X.509 Certificate.
Firewall Analyzer (Service Provider) configuration steps
- Log in to Firewall Analyzer with an administrator's credentials.
- In the Firewall Analyzer portal,go to Settings > General Settings > Authentication.
- Select the SAML tab under Authentication.
- Navigate to the Service Provider Details section and copy the Entity ID and Assertion Consumer URL. These will be used in a later step.
- The IdP details can be entered in two ways:
A. Using the Metadata file
- Navigate to the Identity Provider Details section, then choose the Upload IdP metadata file radio button.
- Enter "ADSelfService Plus" as the IdP Name, then select Email ID from the Name ID Format drop-down.
- Upload the metadata file downloaded in step 5a of Prerequisite.
- Click Save.
- Click Test connection to test the connection.
- Click Enable SAML SSO.
B. Manually entering the IdP details
- Navigate to the Identity Provider Details section, then choose the Configure IDP information manually radio button.
- Next, enter "ADSelfService Plus" as the application name
- Enter "ADSelfService Plus" as the Name, then select Email ID from the Name ID Format drop-down.
- Paste the Login URL and Logout URL values copied in step 5b of Prerequisite in the IdP Login URL and IdP Logout URL fields, respectively.
Note: The Logout URL is optional and can be skipped if single logout (automatically log out from ADSelfService Plus when logging out from Firewall Analyzer) is not required.
- Upload the X.509 certificate file downloaded in step 5b of Prerequisite in the IDP's Certificate field.
- Click Save.
- Click Test connection to test the connection.
- Click Enable SAML SSO.
ADSelfService Plus (Identity Provider) configuration steps
- Now, switch to the ADSelfService Plus Firewall Analyzer configuration page.
- Enter the Application Name and Description.
- Enter the Domain name of your Firewall Analyzer account. For example, if you use johndoe@thinktodaytech.com to log in to Firewall Analyzer, then thinktodaytech.com is the domain name.
- In the Assign Policies field, select the policies for which SSO needs to be enabled.
Note: ADSelfService Plus allows you to create OU and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
- Select the SAML tab and check Enable Single Sign-On.
- Paste the Assertion Consumer URL copied in step 4 of Firewall Analyzer configuration steps in the Assertion Consumer URL field.
- Paste the EntityID copied in step 4 of Firewall Analyzer configuration steps in the Entity ID field.
- In the Name ID Format field, choose the format for the user login attribute value specific to the application.
Note: Use Unspecified as the default option if you are unsure about the format of the login attribute value used by the application.
- Click Add Application.
Your users should now be able to sign into Firewall Analyzer through the ADSelfService Plus portal.
Note: For Firewall Analyzer, both SP-initiated and IdP-initiated flows are supported.
Don't see what you're looking for?
-
Visit our community
Post your questions in the forum.
-
Request additional resources
Send us your requirements.
-
Need implementation assistance?
Try onboarding