How to Set Up Hailbytes VPN Authentication
Introduction
Now that you have HailBytes VPN setup and configured, you can begin exploring some of the security features HailBytes has to offer. You can check our blog for setup instructions and features for the VPN. In this article, we will cover the authentication methods supported by HailBytes VPN and how to add an authentication method.
Overview
HailBytes VPN offers several authentication methods besides traditional local authentication. To reduce security risks, we recommend disabling local authentications. Instead, we recommend multi-factor authentication (MFA), OpenID Connect, or SAML 2.0.
- MFA adds an additional layer of security on top of local authentication. HailBytes VPN includes a local built-in versions and support for external MFA for many popular identity providers like Okta, Azure AD, and Onelogin.
- OpenID Connect is an identity layer built on OAuth 2.0 protocol. It provides a secure and standardized way to authenticate and obtain user information from an identity provider without having to login multiple times.
- SAML 2.0 is an XML-based open standard for exchanging authentication and authorization information between parties. It allows users to authenticate once with an identity provider without having to re-authenticate to access different applications.
OpenID Connect with Azure Set up
In this section, we will briefly go over how to integrate your identity provider using OIDC Multi-Factor Authentication. This guide is geared towards using Azure Active Directory. Different identity providers may have uncommon configurations and other issues.
- We recommend you use one of the providers that has been fully supported and tested: Azure Active Directory, Okta, Onelogin, Keycloak, Auth0, and Google Workspace.
- If you are not using a recommended OIDC provider, the following configurations are required.
a) discovery_document_uri: The OpenID Connect provider configuration URI which returns a JSON document used to construct subsequent requests to this OIDC provider. Some providers refer to this as the “well-known URL”.
b) client_id: The client ID of the application.
c) client_secret: The client secret of the application.
d) redirect_uri: Instructs OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider_key>/callback/, e.g. https://firezone.example.com/auth/oidc/google/callback/.
e) response_type: Set to code.
f) scope: OIDC scopes to obtain from your OIDC provider. At a minimum, Firezone requires the openid and email scopes.
g) label: The button label text displayed on the Firezone portal login page.
- Navigate to the Azure Active Directory page on the Azure portal. Select the App registrations link under the Manage menu, click New Registration, and register after entering the following:
a) Name: Firezone
b) Supported account types: (Default Directory only – Single tenant)
c) Redirect URI: This should be your Firezone EXTERNAL_URL + /auth/oidc/<Config ID>/callback/, e.g. https://firezone.example.com/auth/oidc/azure/callback/.
- After registering, open the details view of the application and copy the Application (client) ID. This will be the client_id value.
- Open the endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.
- Select the Certificates & secrets link under the Manage menu and create a new client secret. Copy the client secret. This will be the client_secret value.
- Select the API permissions link under the Manage menu, click Add a permission, and select Microsoft Graph. Add email, openid, offline_access and profile to the required permissions.
- Navigate to the /settings/security page in the admin portal, click “Add OpenID Connect Provider” and enter the details you obtained in the steps above.
- Enable or disable the Auto create users option to automatically create an unprivileged user when signing in via this authentication mechanism.
Congratulations! You should see A Sign In with Azure button on your sign in page.
Conclusion
HailBytes VPN offers a variety of authentication methods, including multi-factor authentication, OpenID Connect, and SAML 2.0. By integrating OpenID Connect with Azure Active Directory as demonstrated in the article, your workforce can conveniently and securely access your resources on the Cloud or AWS.
