SAML Questions

SAML WAF


#1 Rusty Ross

Rusty Ross
  • Members
  • 5 posts

Posted 04 January 2016 - 09:35 PM

I am testing SAML on a Barracuda WAF right now and have a couple questions (and expect I will have a couple more!):

(1) Surprised I don't see identities in any logs on the Barracuda. Am I missing something? I would have expected to see which SAML user accessed a page, since that SAML user had to authenticate with the IDP in order to view it. Conversely, if an authenticated SAML user is not allowed to view a page and gets denied access, I am surprised I don't see that user's identity mentioned in the deny log. Again, I feel like I am missing something.

(2) I am grappling with how to deal with user groups for authorization to various Services via SAML authentication. For example, if I have:

ServiceA
ServiceB
ServiceC

...and my IDP has the following user/group structure:

GroupA
  - User 1

GroupB
  - User 1
  - User 2
  - User 3

GroupC
  - User 1
  - User 3

...and I want only members of the groups to be able to access the respective services, I am not sure how to elegantly implement that on the WAF. Even if my IDP can populate an attribute such as, say, "MemberOfGroups", which might look like "MemberOfGroups = GroupB, GroupC" for User 3, since I can't seem to implement Access Rules on the WAF with wildcards, I am not sure how to implement this at all...

Can anyone provide guidance on this?

Thanks!


#2 Neeraj

Neeraj
  • Product Managers
  • 72 posts

Posted 05 January 2016 - 07:55 AM

#1. In a SAML setup, the Service Provider (WAF Service in this case) may not always get the User Name and thus it is not captured, whereas the session id given to a user is captured for each request.

In scenarios where the IdP does return the user name in the SAML assertion, WAF can be enhanced to print that attribute in the Access Logs.

#2. Assuming that the MemberOfGroups attribute is sent by the Identity Provider and it contains the list of groups the user belongs to, this can be configured on WAF as follows:

1. Add the Attribute Map for MemberOfGroups, with the local ID and type of the attribute; for example, attribute Name "MemberOfGroups", local ID "Groups", type "string".

2. Enable SAML authentication on the HTTPS service.

3. Add the Access Rule by selecting the HTTPS service, the Local ID, and the value, which is the groups that need to be allowed to access the page (multiple values are separated by a space).

4. Add the Authorization Policy and select the Access Rule added in the previous step.

Refer to the "Configuring SAML Attributes" and "Configuring Access Rule" sections for more details at:

https://techlib.barr...LAdvancedConfig
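The attribute-map and access-rule flow from the reply above, as an added Python model that is not Barracuda's code and not how the WAF is implemented: it maps a SAML attribute to a local ID, evaluates a space-separated allowed-values rule per service, and emits an access-log line that carries the user identity the original poster was looking for. The attribute names (including a hypothetical "uid"), group names, session id and assertion XML are constructed for illustration; the group assignment for User 3 follows the structure in the first post.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Step 1 (attribute map): SAML attribute Name -> local ID. Hypothetical names.
ATTRIBUTE_MAP = {"MemberOfGroups": "Groups", "uid": "UserName"}

# Step 3 (access rules): service -> (local ID, allowed values separated by
# spaces, as in the WAF form). Constructed to match the poster's layout.
ACCESS_RULES = {
    "ServiceA": ("Groups", "GroupA"),
    "ServiceB": ("Groups", "GroupB"),
    "ServiceC": ("Groups", "GroupB GroupC"),
}

def extract_attributes(assertion_xml):
    """Return {local_id: set(values)} for the mapped attributes in an assertion.
    Accepts one AttributeValue per group or one comma-joined value ("GroupB, GroupC")."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        local_id = ATTRIBUTE_MAP.get(attr.get("Name"))
        if local_id is None:
            continue  # attributes without a map entry cannot be used in rules
        values = set()
        for node in attr.iterfind("saml:AttributeValue", NS):
            values.update(p.strip() for p in (node.text or "").split(",") if p.strip())
        attrs[local_id] = values
    return attrs

def is_allowed(service, attrs):
    """Step 4: grant when any user value matches one of the rule's allowed values."""
    local_id, allowed = ACCESS_RULES[service]
    return bool(set(allowed.split()) & attrs.get(local_id, set()))

def access_log_line(service, session_id, attrs):
    """Access-log line carrying the identity the original poster wanted to see."""
    user = next(iter(attrs.get("UserName", {"-"})))
    groups = ",".join(sorted(attrs.get("Groups", set())))
    decision = "ALLOW" if is_allowed(service, attrs) else "DENY"
    return f"service={service} session={session_id} user={user} groups={groups} decision={decision}"

# Constructed sample assertion for User 3, a member of GroupB and GroupC.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>user3</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MemberOfGroups"><saml:AttributeValue>GroupB, GroupC</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Run `access_log_line("ServiceA", "sess-1", extract_attributes(SAMPLE_ASSERTION))` to see a deny line that still names the user; real deployments would take the identity from a signature-verified assertion, which this model does not check.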



#3 Rusty Ross

Rusty Ross
  • Members
  • 5 posts

Posted 06 January 2016 - 10:08 AM

Thank you so much. This all looks promising - I have some clarifying questions.

"In scenarios where the IdP does return the user name in the SAML assertion, WAF can be enhanced to print that attribute in the Access Logs."

Can you elaborate on what exactly I need to do to "enhance the WAF" to print the attribute in the Access Logs?

Also,

"3. Add the Access Rule by selecting the HTTPS service, the Local ID, and the value, which is the groups that need to be allowed to access the page (multiple values are separated by a space)."

This is not yet entirely clear to me either.

In ACCESS CONTROL --> AUTHENTICATION POLICIES --> EDIT AUTHENTICATION --> Attributes Configuration, I see the following:

https://www.dropbox.com/s/h8odyfw3m72o7su/memberofgroups.png?dl=0

Essentially, I see three fields here per attribute: SAMLNAME, LOCAL_ID, TYPE. It is unclear to me where to specify the string "Groups" as you seem to imply is necessary.

Can you help clarify? (I may have 1-2 additional questions on this particular topic, but let me keep it simple and clarify this first.)

Much, much thanks.

Rusty



#4 Rusty Ross

Rusty Ross
  • Members
  • 5 posts

Posted 07 January 2016 - 10:25 AM

Just following up, Neeraj, to see if I can get some clarity on my questions above. I am in the midst of a POC eval of this product, and hope to be able to include it in the design of a large production project, but time is of the essence...

Best,

Rusty