How to Create a SAML Endpoint in Microsoft Azure and Client-to-Site SAML Configuration

Follow the guide below to create a SAML endpoint in Microsoft Azure and to configure a Barracuda CloudGen Firewall to use SAML authentication for the client-to-site VPN service.

Also, if you want to use FIDO2 and Windows Hello, consider to use the article from Microsoft: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2#enable-passkey-fido2-authentication-method. Note that FIDO2 and Windows Hello support a login by using face recognition, fingerprints, Yubikeys and other keys.

• Create and configure a VPN service. For more information, see VPN.

• You must have an existing user group in your Microsoft Entra ID. For more information, see https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups.

• An Advanced Remote Access subscription is required. For more information on subscriptions, see Base Licensing and Subscriptions.

1. Log into the Azure portal: https://portal.azure.com

2. In the left menu, click All services and search for Microsoft Entra ID.

3. Click Microsoft Entra ID.

4. In the left menu of the Microsoft Entra ID blade, click Enterprise applications.
   
   

   Open

   

   
   
   

5. The Enterprise applications blade opens. Click Overview.

6. In the Overview blade, click New application.
   
   

   Open

   

7. The Browse Microsoft Entra Gallery blade opens. Click Create your own application.
   
   

   Open

   

8. Enter the name of your application, and select Integrate any other application you don't find in the gallery (Non-gallery). 
   
   

   Open

   

9. Click Create. 
   After the application is successfully deployed, it automatically opens the Overview blade of the created application.

10. In the left menu, select Properties.
    
    

    Open

    

11. In the Properties blade, disable Assignment required and click Save.
    
    

    Open

    

12. In the left menu, click Single sign-on.

13. The Single sign-on blade opens. Select SAML.
    
    

    Open

    

14. The SAML-based Sign-on blade opens. Copy the Login URL.
    
    

    Open

    

15. Click Edit next to Basic SAML Configuration.
    
    

    Open

    

16. Click Add reply URL and paste the copied URL.

17. Open the SAML configuration on your Barracuda CloudGen Firewall, and copy the Service Provider Entity ID.

18. In the Basic SAML Configuration blade, click Add identifier and paste the copied login URL.
    
    

    Open

    

19. Click Save.

20. Click X to close the Basic SAML Configuration blade.

21. In the User Attribute & Claims section, click Edit.

    Open

    

22. The User Attributes & Claims blade opens. Click Add a group claim.
    
    

    Open

    

23. The Group Claims blade opens. Select Security groups and click Save.
    
    

    Open

    

24. Click X to close the User Attributes & Claims blade.
    

    If the number of groups a user is in exceeds a certain limit (150 for SAML, 200 for JWT) then an overage claim will be added, the claim sources pointing at the graph endpoint containing the list of groups for the user. (For detailed information, see Claims in SAML tokens in the Microsoft documentation.) The firewall does not use this link to extract user groups and therefore generates a "DENY: Group did not match" security entry in the VPN logs in this case, as no group policy containing a group filter will match. This can be avoided by creating a group filter, preventing Microsoft from sending a link pointing to the groups. For more information, see Configure group claims for applications by using Microsoft Entra ID.

25. In the SAML-based Sign-on blade, click Download to download the Federation Metadata XML.
    
    

    Open

    

    
    Note that some browsers might block the *.xml file.

26. Save the file to your local machine.

1. Connect to your Barracuda CloudGen Firewall and log in.

2. Go to CONFIGURATION > Configuration Tree > Infrastructure Services > Authentication Service.

3. In the left menu, click SAML/ADFS Authentication.

4. Click Lock.

5. In the SAML General Information section, set Activate Scheme to yes.

6. In the Identity Provider section, click Ex/Import. Then, click Import from File... and select the file retrieved in Step 1. 
   
   

   Open

   

7. Click Send Changes. 

8. In the Attributes section, specify the Assertion Name ID and select um:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the drop-down menu.

9. Click Send Changes. 

10. Specify values for the following:

    • User Attribute – Select Name ID (um:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) from the drop-down menu.

    • Group Attribute – Select Attribute(Groups) from the drop-down menu.

11. In the Certificates section, specify values for the following:

    • Enable Assertion Encryption – Clear the check box.

    • Enable Assertion Signing – Clear the check box.
      
      

      Open

      

12. In the left menu of the SAML/ADFS Authentication window, click Configuration Mode and select Switch to Advanced.

13. In the Endpoints section, specify values for the following if SAML/ADFS is not used for Firewall Authentication. Otherwise, you can skip this step.
    
    

    • Use Hostname from – Select Explicit-Hostname from the drop-down menu.

    • Explicit Hostname – Enter localhost. 
      
      

      Open

      

14. Click Send Changes and Activate.

15. On the firewall, go to CONTROL > Services > Box Services.

16. Restart the authentication daemon (phibs).

17. Go back to CONFIGURATION > Configuration Tree > Infrastructure Services > Authentication Service.

18. In the left menu, click SAML/ADFS Authentication.

19. Click Lock.

20. In the Service Provider Metadata section, export the metadata by clicking Generate Data.
    

21. Copy the information and save it to your local machine in an .xml file. This file has to be updloaded in Azure at a later stage.

22. Click Send Changes and Activate.