How to – Configure ZTNA with Clavister NetWall, IdAuth Cloud and OneConnect

Last modified on 18 May, 2026. Revision 9

This article describes how to configure a Zero Trust Network Access (ZTNA) solution using Clavister NetWall, Clavister IdAuth Cloud and Clavister OneConnect.

The setup enables secure remote access to internal applications using identity-based authentication and role-based access control. Users authenticate through IdAuth Cloud using OpenID Connect (OIDC), while NetWall enforces access policies based on user roles and group membership.

This guide also includes optional integration examples using external identity providers such as Microsoft Entra ID, local Active Directory and Google Workspace as user stores for IdAuth Cloud.

The article covers:

  • Configuring roles and user authentication in IdAuth Cloud
  • Setting up OIDC authentication between IdAuth Cloud and NetWall
  • Configuring the OneConnect server on NetWall
  • Mapping IdAuth Cloud roles to NetWall Group Objects
  • Creating example access policies for different user groups

The example scenarios in this article demonstrate how different user groups can be restricted to only the applications they are authorized to access, following Zero Trust and least-privilege principles.


Prerequisites

Before starting, ensure you have:

  • A configured and licensed:
    • Clavister NetWall running cOS Core 15.00.04 or later
    • Clavister IdAuth Cloud
  • Public DNS name for the OneConnect server
  • Valid HTTPS certificate
  • OneConnect client installed

Useful related articles:

Configuring Roles and User Authentication in IdAuth Cloud

This section describes how to configure user authentication and role management in Clavister IdAuth Cloud. Roles are used to control which resources users are allowed to access after authenticating through OneConnect and NetWall.

IdAuth Cloud can use its internal user database or integrate with external identity providers such as Microsoft Entra ID, local Active Directory or Google Workspace. Regardless of the selected user store, the recommended approach is to assign users to groups in the identity provider and map those groups to roles in IdAuth Cloud.

Create Roles in IdAuth Cloud

Roles are used to represent access levels or departments and will later be mapped to Group Objects in NetWall.

Example roles:

  • Sales
  • Support
  • IT-Admins

To create roles:

  • Log in to the IdAuth Cloud management portal on Clavister Cloud Services
  • Navigate to User Management.
  • Create the required roles for your environment.
  • Assign users or synchronized groups from Entra ID, local Active Directory or Google Workspace to the appropriate roles.

The example configuration in this article uses the following roles:

Role       Purpose
Sales      Access to internal CRM systems
Support    Access to internal support systems

For additional information about role-based access control in IdAuth Cloud, see:

Optional: Using an external User Store

Microsoft Entra ID, Active Directory or Google Workspace can be integrated with IdAuth Cloud to provide centralized authentication, MFA and group synchronization:

These roles will later be mapped to Group Objects in NetWall to enforce application-specific access policies.

Setting up OIDC Authentication Between IdAuth Cloud and NetWall

This section describes how to configure OpenID Connect (OIDC) authentication between Clavister IdAuth Cloud and Clavister NetWall. The OIDC configuration allows NetWall to authenticate OneConnect users through IdAuth Cloud and retrieve user role information used for access control policies.

Create a new OIDC Relying Party of type Clavister NetWall in Clavister IdAuth Cloud. Use the details from that Relying Party to create an OIDC Provider in Clavister NetWall; this OIDC Provider is referenced later in the OneConnect server configuration.

For detailed information on how to setup, see How to - Authenticate users in NetWall using Clavister IdAuth Cloud.

Configuring the OneConnect server on NetWall

This section describes how to configure the OneConnect server on Clavister NetWall for Zero Trust Network Access (ZTNA) deployments using IdAuth Cloud and OIDC authentication.

The OneConnect server is responsible for:

  • Accepting remote client connections
  • Redirecting authentication requests to IdAuth Cloud
  • Establishing secure VPN tunnels
  • Enforcing user-based access policies

Prerequisites

Before configuring the OneConnect server, ensure the following requirements are completed:

  • OIDC authentication is configured between IdAuth Cloud and NetWall
  • Public DNS name exists for the VPN service
  • A trusted HTTPS certificate is installed on NetWall

First, configure the OneConnect server according to the KB article How do I set up a OneConnect VPN tunnel in cOS Core, and select the previously created OIDC Provider as the authentication source.

Optional: Restrict Access to the OneConnect Server

It’s possible to limit which users can connect to the OneConnect server by assigning a specific group to the OneConnect server, for example the role “VPN_Users”.

Using IdAuth Cloud Roles in NetWall Group Objects

This section describes how to map roles received from Clavister IdAuth Cloud to Group Objects in Clavister NetWall. These Group Objects are later used in authentication-aware security policies to control access to internal applications and resources.

When a user authenticates through OneConnect using OIDC, IdAuth Cloud includes the user’s role membership in the OIDC token. NetWall reads the configured group claim and dynamically assigns the user to matching Group Objects.

This enables role-based access control (RBAC) using identity information instead of traditional network-based access control.

The role mapping process works as follows:

  1. User authenticates through IdAuth Cloud
  2. IdAuth Cloud returns an OIDC token
  3. The token contains role information
  4. NetWall reads the configured group claim
  5. Matching Group Objects are assigned to the authenticated user
  6. IP policies use the Group Objects to allow or deny access

Understanding Group Objects in cOS Core

cOS Core uses Group Objects as logical identity containers for authenticated users.

Authentication groups are referenced in:

  • IP Policies
  • OneConnect access policies
  • Application access policies

The cOS Core Administration Guide describes user group handling and authentication group membership as part of the authentication framework.

Group names are case-sensitive and must match the values received from the external authentication source.
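The following is an added example, not code from the article or from Clavister, that walks through the role mapping steps above: it verifies a constructed ID token, reads the configured group claim and matches its values against Group Objects with the exact, case-sensitive comparison the previous paragraph requires. The token is signed with HMAC-SHA256 over a constructed secret so the example runs offline; the issuer URL, audience, claim name "roles" and the group name grp_itadmins are assumptions and not values from IdAuth Cloud or NetWall.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: assumptions for an offline example, not values
# taken from IdAuth Cloud or NetWall.
DEMO_SECRET = b"constructed-demo-secret"        # assumption: HS256 shared key
DEMO_ISSUER = "https://idauth.example.invalid"  # assumption: placeholder issuer URL
DEMO_AUDIENCE = "netwall-oneconnect"            # assumption: placeholder client id
GROUP_CLAIM = "roles"                           # assumption: claim name configured on NetWall

# Group Objects on NetWall, keyed by the IdAuth Cloud role each one must match.
# Sales/Support/IT-Admins are the article's roles; grp_itadmins is an assumption.
GROUP_OBJECTS = {"Sales": "grp_sales", "Support": "grp_support", "IT-Admins": "grp_itadmins"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT standing in for the IdAuth Cloud ID token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check signature, issuer, audience and expiry before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # reject 'none' and algorithm downgrades
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != DEMO_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != DEMO_AUDIENCE and not (isinstance(aud, list) and DEMO_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def map_roles_to_groups(claims: dict, claim_name: str = GROUP_CLAIM) -> list:
    """Exact, case-sensitive match of claim values against Group Objects.

    Roles without a matching Group Object (including ones differing only in
    case, e.g. 'sales') are dropped, so they grant the user nothing.
    """
    raw = claims.get(claim_name, [])
    roles = [raw] if isinstance(raw, str) else list(raw)
    return [GROUP_OBJECTS[r] for r in roles if r in GROUP_OBJECTS]


if __name__ == "__main__":
    tok = make_demo_token({"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "alice",
                           "exp": int(time.time()) + 300, "roles": ["Sales", "sales", "Finance"]})
    print(map_roles_to_groups(verify_and_decode(tok)))   # ['grp_sales']
```

The point to take from the mapping step is that a role spelled "sales" in the identity provider silently yields no Group Object, which shows up on NetWall as a user with no assigned groups rather than as an error; checking Status → User Authentication after the first login catches this.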

Create Group Objects in NetWall

Navigate to:

Objects → User Authentication → Groups

Create a Group Object for each role received from IdAuth Cloud.

Using Group Objects in Security Policies

After the Group Objects are created, they can be referenced in IP policies and authentication-aware policies.

Verify Group Membership on NetWall

Connect using the OneConnect client and authenticate through IdAuth Cloud. After a successful connection, navigate to:

Status → User Authentication

Verify:

  • Username
  • Assigned groups
  • Active sessions

The assigned Group Objects should appear in the authenticated user information.

Creating Example Access Policies for Different User Groups

This section describes how to use Group Objects from IdAuth Cloud in IP Policies to restrict access to internal resources.

Example Scenario

The following example uses two user roles:

Role       Access
Sales      Internal CRM
Support    Internal Support System


Example Objects

Example host objects:

Address Object    IP Address
CRM_Server        10.10.10.50
Support_Server    10.10.20.50

Example Group Objects:

Group Object    Role
grp_sales       Sales
grp_support     Support


Create IP Policies for Sales Users

Navigate to:

Policies → IP Rules

Create a policy allowing Sales users access to the CRM system.

Example configuration:

Create IP Policies for Support Users

Create another policy allowing Support users access to the support system.

Example configuration:

To enforce Zero Trust principles, only explicitly allowed access should be permitted.

Example deny policy:

This ensures users can only access authorized applications.
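As an added example (not the article's or Clavister's configuration), the rule set for the two scenarios above can be modelled to check, before it is typed into NetWall, that each group reaches only its own application and that everything else falls through to the explicit deny. The address objects and Group Object names are the ones from the tables above; the rule names, the HTTPS service and top-down first-match evaluation are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address objects from the article's example tables.
ADDRESS_OBJECTS = {
    "CRM_Server": ipaddress.ip_network("10.10.10.50/32"),
    "Support_Server": ipaddress.ip_network("10.10.20.50/32"),
}

# Services are an assumption: the article names the applications, not ports.
SERVICES = {"https": ("tcp", 443), "all": ("any", None)}


@dataclass(frozen=True)
class IPPolicy:
    name: str
    action: str               # "allow" or "deny"
    group: Optional[str]      # required Group Object; None matches any authenticated user
    destination: str          # address object name, or "any"
    service: str


# Ordered rule set evaluated top-down, first match wins (assumed). The last
# rule is the explicit deny the article calls for.
RULE_SET = [
    IPPolicy("allow_sales_crm", "allow", "grp_sales", "CRM_Server", "https"),
    IPPolicy("allow_support_system", "allow", "grp_support", "Support_Server", "https"),
    IPPolicy("deny_all_vpn_users", "deny", None, "any", "all"),
]


def _service_matches(service: str, proto: str, port: Optional[int]) -> bool:
    want_proto, want_port = SERVICES[service]
    return (want_proto == "any" or want_proto == proto) and (want_port is None or want_port == port)


def _dest_matches(destination: str, dst_ip: str) -> bool:
    if destination == "any":
        return True
    return ipaddress.ip_address(dst_ip) in ADDRESS_OBJECTS[destination]


def evaluate(user_groups, dst_ip: str, proto: str, port: Optional[int], rule_set=RULE_SET):
    """Return (action, rule_name) of the first matching policy; fail closed if none matches."""
    groups = set(user_groups)
    for rule in rule_set:
        if rule.group is not None and rule.group not in groups:
            continue
        if not _dest_matches(rule.destination, dst_ip):
            continue
        if not _service_matches(rule.service, proto, port):
            continue
        return rule.action, rule.name
    return "deny", "no-match"


def ungrouped_allows(rule_set=RULE_SET) -> list:
    """Lint the rule set: an allow rule with no group requirement bypasses the role mapping."""
    return [r.name for r in rule_set if r.action == "allow" and r.group is None]


if __name__ == "__main__":
    print(evaluate(["grp_sales"], "10.10.10.50", "tcp", 443))    # ('allow', 'allow_sales_crm')
    print(evaluate(["grp_sales"], "10.10.20.50", "tcp", 443))    # ('deny', 'deny_all_vpn_users')
    print(ungrouped_allows())                                     # []
```

Running the checks for each role against both servers before deployment is a cheap way to confirm the least-privilege intent; the lint function flags the common mistake of an allow rule left without a Group Object, which would let every connected VPN user through regardless of role.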

Related articles

How to - Configure OIDC with Entra ID and NetWall
4 Jul, 2025 core oneconnect oidc
How to - Use Roles in IdAuth Cloud to limit user access to OneConnect
8 Feb, 2026 sase oneconnect core userauth oidc