cancel
Showing results for 
Search instead for 
Did you mean: 

SSO, MFA, and Conditional Access to WarpSpeed WireGuard VPN

JCDavid
Rising Star II
Rising Star II

It was a productive day. My primary focus was setting up a SAML/SSO integration with WarpSpeed WireGuard VPN. WireGuard is a modern alternative to IPsec VPNs, simpler, faster, and very affordable for SMEs that need strong perimeter security. Let's face it, firewalls that have high throughput for VPN concentrators can be very expensive, and IPSec is confusing to the uninitiated. 

A cloud directory such as JumpCloud can layer on zero trust IAM and a great user experience. My blog post is in the editing queue, but here's a sneak peak at the tutorial.

Create a SAML Connector

Click the SSO button in the left frame of the administrative console and hit the “plus” sign to start a new SSO connection. Select “Customer SAML App” and begin by filling in the requisite information to label your connector and choose a color scheme and logo. More context is available in JumpCloud’s SAML how-to article should you have any additional requirements.

JCDavid_0-1652993979479.png

Exchange MetaData

WarpSpeed only requires the IPD (Identity Provider) metadata to enable its SAML 2.0 integration. JumpCloud is the IDP in this scenario. Begin your setup by navigating to the SSO tab and enter an Entity ID that’s unique to your organization’s environment. Here’s an example:

JCDavid_1-1652993979483.png

 

JCDavid_2-1652993979621.png

Your FQDN will be different from the one displayed above. The settings on this screen are case-sensitive on both systems; any typo will result in errors and the integration will fail. The best method is to export your IDP settings from JumpCloud.

JCDavid_3-1652993979455.png

This is the view from JumpCloud

JCDavid_4-1652993979456.png

This is the view from WarpSpeed

Your next step is to assign a group to the WarpSpeed SSO connector. 

Setup Groups and Permissions

Click on the User Groups tab and add the group(s) that should have access to the WarpSpeed VPN applet. The link below is a detailed guide for admins who are unfamiliar with using JumpCloud. Note: MFA is configured on a per-user basis, unless Conditional Access is used.

Getting Started: User Groups

 

JCDavid_5-1652993979500.png

Group membership grants access rights to the VPN

 

JCDavid_6-1652993979474.png

WarpSpeed VPN will be available from within the JumpCloud User Console

WarpSpeed then invites the user to register a device. SSO users won’t be admins by default.

JCDavid_7-1652993979497.png

The active user will be visible from within the WarpSpeed admin console.

JCDavid_8-1652993979517.png

Add Zero Trust Security from JumpCloud

Additional Zero Trust security controls are available through JumpCloud’s Conditional Access Policies. These policies extend security beyond strong passwords and MFA alone.

Policies are assigned to existing groups or you may create dedicated groups for different sets of users. Different groups may have different policies (or no policies). Policies include:

  • Geofencing: JumpCloud permits you to whitelist selected countries to access WarpSpeed. Any device that attempts to log in from locations that aren’t specified won’t be allowed. For instance, an employee who’s attempting to access internal resources from unsecured hotel Wi-Fi in a different country won’t be allowed into the VPN.
  • Managed devices: This policy restricts access to JumpCloud managed devices, ensuring that rogue devices won’t be logging into your network.
  • Mandatory MFA: Users must prove who they say they are prior to accessing the VPN by entering a TOTP code or Push MFA through the JumpCloud Protect™ application. This rule ensures that MFA will always be present when users login.

Tip: Retest your connectivity prior to making changes that could adversely affect user access.

 

0 REPLIES 0